Malicious Android App Uses Fake Antivirus Front to Spy on Russian Users


A new Android malware strain disguised as a security tool is targeting Russian users, particularly within the business sector. Identified by cybersecurity researchers at Doctor Web, the backdoor—classified as Android.Backdoor.916.origin—has been distributed via an app called GuardCB, which first appeared in early 2025.

While posing as an antivirus solution, the application carries a range of surveillance functions. Its interface is available exclusively in Russian, and its logo mimics the emblem of the Central Bank of Russia. Variants of the malware have also circulated under names such as SECURITY_FSB and FSB, further aligning the app’s image with state or law enforcement affiliations to mislead users.

According to Doctor Web, the app requests a wide array of permissions, including access to the device's location, microphone, camera, messages, call logs, contacts, and administrator rights. It also seeks access to popular apps such as WhatsApp, Telegram, Chrome, Gmail, and Yandex, indicating a broad intent to harvest communication data. Together, these permissions let the operators stream live video and audio from the device, capture photos and read stored files, monitor keystrokes, and track communications and geolocation in real time.

In order to appear legitimate, the app simulates antivirus scans and generates fake threat results, typically claiming to clean between one and three detected threats.
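The permission profile described above is itself a triage signal: a genuine antivirus has no need for the microphone, camera, SMS, call-log, contacts and device-admin rights all at once. The script below is an added example, not code from Doctor Web or from the malware; it parses a constructed AndroidManifest.xml (the sample package name and class names are placeholders) and flags an app that presents itself as a security tool while requesting that surveillance combination.

```python
"""Triage an Android manifest for the fake-antivirus surveillance pattern.

Added example; the manifest below is constructed, not the real GuardCB sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission families the report lists; an antivirus needs none of them.
SURVEILLANCE = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
}
# Device-admin rights are obtained through a receiver guarded by this permission.
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
SECURITY_WORDS = ("antivirus", "security", "guard")


def triage_manifest(manifest_xml: str) -> dict:
    """Return the surveillance families requested and whether the app looks like a fake AV."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    families = sorted(f for f, perms in SURVEILLANCE.items() if requested & perms)
    device_admin = any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN
                       for r in root.iter("receiver"))
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") or "").lower() if app is not None else ""
    poses_as_security = any(w in label for w in SECURITY_WORDS)
    # Heuristic: a self-described security app holding 4+ spy families plus admin rights.
    suspicious = poses_as_security and device_admin and len(families) >= 4
    return {"families": families, "device_admin": device_admin,
            "poses_as_security": poses_as_security, "suspicious": suspicious}


# Constructed manifest mirroring the permission set described in the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Antivirus">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```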

Researchers have not attributed the malware to a known actor and have not confirmed whether the operation is linked to espionage. However, the level of access it demands and its targeted deployment raise concerns about potential state or state-aligned involvement.

The discovery comes amid an intensifying cyber conflict in the region, with pro-Ukrainian groups continuously targeting Russian networks. The malware underscores the growing sophistication of mobile-based surveillance tools and the risks they pose to both organizational and national security.