
Fake Russian Antivirus App Exposed as Powerful Spyware

Fake Russian antivirus app GuardCB exposed as Android spyware. The GuardCB app, disguised as antivirus software, secretly spied on Russian businesses and stole sensitive data.

A newly discovered Android malware campaign is targeting Russian businesses by disguising itself as a legitimate antivirus app. Cybersecurity firm Doctor Web has identified the malicious software, known as Android.Backdoor.916.origin, which can spy on nearly every aspect of a victim’s smartphone.

The Fake Antivirus App

The malicious application, called GuardCB, first appeared in early 2025, masquerading as an antivirus tool. Available only in Russian, the app’s design suggests it was aimed specifically at Russian users.

Other versions circulate under names like “SECURITY_FSB” and “FSB” (Russia’s Federal Security Service), exploiting associations with law enforcement and national institutions to make the app look trustworthy.

How the Malware Operates

Once installed, the spyware demands invasive permissions, granting it access to:

  • Microphone and camera (live streaming audio and video)

  • SMS, calls, and contacts

  • Location tracking

  • WhatsApp, Telegram, Gmail, Chrome, and Yandex data

  • Device administrator rights

Although it runs fake virus scans, the real purpose is stealing sensitive data and transmitting it to attackers.

Spyware Capabilities

The malware enables attackers to:

  • Record calls and messages

  • Capture photos, files, and keystrokes (including passwords)

  • Stream live audio and video from infected devices

  • Monitor user activity across multiple apps

Taken together, this functionality makes it a full-featured backdoor suited to both espionage and financially motivated cybercrime.
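The permission profile described under “How the Malware Operates” and the capabilities listed above are what an analyst would check for first when triaging a suspicious APK. The script below is an added example, not Doctor Web’s tooling and not code from the malware: it scores a decoded AndroidManifest.xml (the text you get from, for example, `apktool d app.apk`) against that profile. Two points are assumptions rather than facts from the article: that keystroke capture and cross-app monitoring on Android are typically implemented through an accessibility service, so the check also flags one, and the `len(capabilities) >= 3` threshold, which is an arbitrary triage choice. The two manifests embedded in the script are constructed for illustration and are not GuardCB’s real manifest.

```python
"""Added example: triage a decoded AndroidManifest.xml against the
surveillance permission profile described in the article.
Not Doctor Web's code; the embedded manifests are constructed samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Runtime permissions grouped by the capabilities the article lists.
CAPABILITY_PERMISSIONS = {
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
              "android.permission.PROCESS_OUTGOING_CALLS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
}

# Device-admin rights are not a <uses-permission>; they are a <receiver>
# protected by BIND_DEVICE_ADMIN. Accessibility services are a common way to
# capture keystrokes and read other apps' screens (an assumption here; the
# article does not say how GuardCB does it) and are <service>s protected by
# BIND_ACCESSIBILITY_SERVICE.
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: a "scanner" that asks for the full surveillance set.
SPYWARE_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="GuardCB">
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the capability groups the app requests, whether it declares
    device-admin / accessibility components, and a simple verdict."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    capabilities = sorted(
        cap for cap, perms in CAPABILITY_PERMISSIONS.items() if requested & perms
    )
    # Components that hold privileged bindings show up via android:permission.
    protected = {el.get(PERMISSION) for tag in ("receiver", "service")
                 for el in root.iter(tag)}
    device_admin = DEVICE_ADMIN in protected
    accessibility = ACCESSIBILITY in protected
    # Arbitrary triage threshold: broad surveillance permissions plus a
    # privilege-holding component, which a genuine scanner does not need.
    suspicious = len(capabilities) >= 3 and (device_admin or accessibility)
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "device_admin": device_admin,
        "accessibility": accessibility,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for text in (SPYWARE_LIKE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(text))
```

Run it on a real decoded manifest by reading the file into `triage_manifest`. A hit is a reason to look further (who receives the data, what the device-admin receiver does on disable), not a conviction: legitimate MDM and some parental-control apps also combine device admin with several of these permissions.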

Geopolitical Cyber Context

While the origin of this spyware remains unconfirmed, it comes amid an escalating cyber war between Russia and Ukraine. Pro-Ukrainian hackers have previously targeted Russian aviation, defense, and drone manufacturing sectors, causing widespread disruption.

The discovery of this spyware raises the possibility that cyber tools are now being turned inward, targeting Russian businesses and individuals.

Conclusion

The fake GuardCB antivirus app highlights the growing sophistication of mobile spyware campaigns. By exploiting trust in security branding, attackers gain deep access to personal and business communications. For organizations and individuals in conflict zones, mobile devices have become one of the most vulnerable points of attack in modern cyber warfare.

FAQs

1. What is GuardCB?

GuardCB is a fake Russian antivirus app identified as spyware that steals data and spies on users.

2. How does the malware disguise itself?

It pretends to perform virus scans, showing fake results, while secretly stealing sensitive data.

3. What permissions does it request?

It asks for camera, microphone, SMS, calls, contacts, location, and device administrator rights.

4. Who is being targeted?

The app is primarily aimed at Russian-speaking users, particularly within businesses.

5. Could this be linked to cyber warfare?

While attribution remains unclear, the timing suggests possible links to the ongoing Russia-Ukraine cyber conflict.
