According to "Doctor Web" experts, the malicious program Android.Backdoor.916.origin for mobile Android devices is capable of executing many commands from attackers and has extensive capabilities for surveillance and data theft.
Among other things, it can eavesdrop on conversations, transmit video from the camera, steal content from messengers and browsers, and also has keylogger functionality for intercepting entered text, including passwords.
The first versions of the backdoor Android.Backdoor.916.origin appeared in January 2025. Since its discovery, the "Doctor Web" antivirus laboratory has been monitoring its evolution and has identified a number of versions. The company's experts believe that Android.Backdoor.916.origin is more intended for use in targeted attacks than for mass distribution among Android device owners. Its main target is representatives of Russian businesses.
As for distribution, attackers distribute an APK file via personal messages in messengers under the guise of an antivirus with the name GuardCB. The application has an icon resembling the emblem of the Central Bank of the Russian Federation against the background of a shield. At the same time, only one language is provided in its interface — Russian. Modifications have also been identified with file names such as SECURITY_FSB, ФСБ, and so on. The company emphasized:
There are actually no protective functions in the program. In the process, Android.Backdoor.916.origin simulates an antivirus scan of the device, while the probability of "detecting" threats in it is programmed. The more time that has passed since the last "scan", the higher it is, but no more than 30%. The number of allegedly identified threats is determined randomly and ranges from 1 to 3.
