New Android Spyware Masquerading as Antivirus Targets Business Executives
In recent months, security teams have identified a highly versatile Android backdoor known as Android.Backdoor.916.origin, which masquerades as a legitimate antivirus application. This malware is distributed via private messaging services under the guise of “GuardCB,” with an icon that closely resembles the emblem of the Central Bank of the Russian Federation set against a shield background. The interface of the application displays only Russian language prompts, and it has been deployed in targeted campaigns against Russian business executives, extracting sensitive corporate communications and personal data. Upon installation, the counterfeit antivirus simulates system scans, randomly “detecting” between one and three fictitious threats, with detection rates increasing the longer a device remains unscanned, though never exceeding 30 per cent. This deceptive behaviour lulls victims into believing the application provides genuine protection while it silently requests a lengthy list of permissions, including geolocation, audio recording, SMS and contacts access, camera control, background execution, device administrator rights, and Accessibility Service privileges.
Dr.Web researchers have noted that once these permissions are granted, the malware initiates multiple persistent services that self-monitor every minute, reconnecting to its command-and-control (C2) infrastructure as needed. Through separate C2 ports, operators can harvest call logs, SMS traffic, contact lists, and geolocation data; stream microphone audio, camera video, or device screen captures; siphon stored images; and even execute arbitrary shell commands. The trojan’s ability to toggle self-defence routines via the Accessibility Service enables it to thwart removal attempts by overlaying fake system interfaces or disabling uninstall options.

The sophistication of Android.Backdoor.916.origin is underscored by its dynamic configuration, which can incorporate up to fifteen different hosting providers, although only a subset is active in current campaigns. Despite some takedowns prompted by domain registrar notifications, the resilience of the C2 network continues to frustrate defenders. Dr.Web antivirus for Android successfully detects and removes known variants, yet the tailored nature of these attacks highlights the necessity for heightened vigilance among executive circles.

Android.Backdoor.916.origin employs an infection mechanism tailored to social engineering and sideloading rather than exploiting software vulnerabilities. Victims receive a malicious APK file disguised as “GuardCB.apk” through encrypted messenger threads. Once executed, the app’s manifest registers background services and the Accessibility Service.
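The permission profile described above (surveillance permissions combined with an Accessibility Service and a device-administrator receiver) is something a defender can check for when triaging a sideloaded APK. The following is an added example, not Dr.Web's tooling or any code from the malware: it parses a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) and flags that combination. The two manifests and the scoring threshold are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups the fake "GuardCB" antivirus is reported to request.
SURVEILLANCE_PERMS = {
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION",
                    "android.permission.ACCESS_COARSE_LOCATION"},
    "audio":       {"android.permission.RECORD_AUDIO"},
    "sms":         {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts":    {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"},
    "camera":      {"android.permission.CAMERA"},
    "background":  {"android.permission.FOREGROUND_SERVICE"},
}
# Components bound with these system permissions are the Accessibility Service
# and the device-administrator receiver the article mentions.
PRIVILEGED_BINDS = {"android.permission.BIND_ACCESSIBILITY_SERVICE", "android.permission.BIND_DEVICE_ADMIN"}

def triage_manifest(manifest_xml: str) -> dict:
    # Parse a decoded (plain-text) AndroidManifest.xml and score its permission profile.
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    groups = sorted(g for g, names in SURVEILLANCE_PERMS.items() if requested & names)
    bound = {e.get(ANDROID_NS + "permission")
             for tag in ("service", "receiver") for e in root.iter(tag)}
    privileged = sorted(PRIVILEGED_BINDS & bound)
    # Threshold is an assumption: four or more surveillance groups together with
    # both privileged binders matches the profile described for this backdoor.
    flagged = len(groups) >= 4 and len(privileged) == 2
    return {"groups": groups, "privileged": privileged, "flagged": flagged}

# Constructed sample manifest mimicking the reported "GuardCB" profile (not a real artifact).
SAMPLE_SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.fakeav">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".Watch" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed benign manifest: a torch-style app that asks only for the camera.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application><activity android:name=".Main"/></application></manifest>"""
```

Run `triage_manifest(SAMPLE_SPYWARE_MANIFEST)` to see the spyware profile flagged and the benign manifest pass; a single hit on one group (camera alone) is not enough to trip the rule.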
Categories: Malware Distribution, Social Engineering Tactics, Data Exfiltration Techniques
Tags: Android, Backdoor, Malware, Antivirus, Geolocation, Permissions, Command-and-Control, Social Engineering, Sideloading, Executive