Fake FSB Antivirus App Targets Russian Executives With Sophisticated Android Spyware

A new Android spyware disguised as an antivirus app is tricking Russian business executives into installing surveillance software, according to researchers at Dr. Web. The malware, known as Android.Backdoor.916.origin, poses as official security tools linked to Russia’s Federal Security Service (FSB) and the Central Bank.

Malware Poses as FSB and Central Bank Security Tools

Since January 2025, Dr. Web analysts have been tracking the spyware across multiple iterations. The fake apps are branded as “GuardCB,” “SECURITY_FSB,” and simply “ФСБ,” designed to appear as software endorsed by law enforcement or financial institutions.

The ruse works by playing on trust. By impersonating high-authority institutions, attackers increase the likelihood that executives download the malware, believing it to be a safeguard against cyberthreats.

But the apps offer only one interface language: Russian. That detail, combined with the branding choices, suggests the malware’s primary targets are executives and professionals inside Russia.

What the Malware Can Do

Once installed, the spyware requests sweeping permissions from the user. These go well beyond what a normal antivirus tool would need. It asks for location access, SMS permissions, access to stored files, full audio and video recording, and the powerful Android Accessibility Service.

At that point, the tool can:

  • Record phone calls, conversations, and keystrokes

  • Stream video directly from the device’s camera

  • Exfiltrate messages from Telegram, WhatsApp, Gmail, and even Russian apps like Yandex

  • Execute shell commands and maintain persistence across reboots

The malware also has the ability to erase all user data or change lock screen settings, essentially giving attackers complete control over a device.
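For defenders reviewing an app that claims to be a security tool, the permission combination described above can be checked from the app's manifest. The following triage sketch is an added example, not code from Dr. Web or from the malware; it assumes the AndroidManifest.xml has already been decoded to text XML, and the grouping, the threshold, and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Permission groups matching the categories the article lists.
RISK_GROUPS = {
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "sms": {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"},
    "files": {P + "READ_EXTERNAL_STORAGE", P + "MANAGE_EXTERNAL_STORAGE"},
    "audio": {P + "RECORD_AUDIO"},
    "video": {P + "CAMERA"},
}


def triage_manifest(manifest_xml, threshold=4):
    """Return (sorted risk groups hit, flagged?) for a decoded AndroidManifest.xml."""
    # Assumption: the manifest was already decoded to text XML (e.g. with apktool).
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    hits = {g for g, perms in RISK_GROUPS.items() if perms & requested}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(NS + "permission") == P + "BIND_ACCESSIBILITY_SERVICE"
           for s in root.iter("service")):
        hits.add("accessibility")
    # Flag only the combination: accessibility plus broad sensor/data access.
    return sorted(hits), "accessibility" in hits and len(hits) >= threshold


def _manifest(perms, accessibility):
    """Build a constructed sample manifest for the demo below."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    svc = (f'<service android:name=".Svc" android:permission="{P}BIND_ACCESSIBILITY_SERVICE"/>'
           if accessibility else "")
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{uses}<application>{svc}</application></manifest>')


# Constructed samples, not taken from the real malware.
SUSPECT = _manifest(["ACCESS_FINE_LOCATION", "READ_SMS", "READ_EXTERNAL_STORAGE",
                     "RECORD_AUDIO", "CAMERA"], accessibility=True)
BENIGN = _manifest(["READ_EXTERNAL_STORAGE"], accessibility=False)

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage_manifest(xml))
```

A flag here is a reason to look closer, not a verdict: legitimate apps can request several of these permissions, so the result should be weighed against what the app claims to do.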

Fake Scans Hide the Real Purpose

To mask its malicious activities, the spyware simulates antivirus scans. Users tapping the “scan” button are shown a fake progress bar. Roughly 30% of the time, the app claims it found one to three infections on the phone.

That false sense of legitimacy helps the malware remain on the device longer. Victims may think the app is protecting them, when in reality, it’s siphoning data in the background.

“This malicious program is entirely focused on Russian users,” Dr. Web explained in its report. “Cybercriminals are trying to pass off these tools as security software allegedly tied to law enforcement.”

Continuous Development and Resilient Infrastructure

Researchers noted the spyware is under active development. Multiple versions have surfaced since its first discovery earlier this year. That points to ongoing efforts to refine its capabilities and evade detection.

The malware is also engineered for resilience. While its current version uses a single control server, its code shows support for up to 15 different hosting providers. This means if one server is taken down, operators can quickly switch to another.

That’s a classic strategy for long-term espionage campaigns—keeping infected devices connected no matter what countermeasures are deployed.

Russian Businesses in the Crosshairs

What’s unusual about this case is that the targets appear to be executives of Russian companies, not foreign governments or businesses. The use of Russian-only language, coupled with FSB impersonation, indicates a domestic-focused attack.

Dr. Web has not publicly attributed the campaign to any specific group. The choice of branding, however, could signal either a state-aligned operation seeking to monitor local business leaders, or a cybercriminal group hoping to profit from data theft.

For now, the spyware highlights a growing threat inside Russia itself. As Dr. Web’s researchers warn, the malware family is still evolving—and could become even more dangerous in future iterations.

Hayden Patrick is a writer who specializes in entertainment and sports. He is passionate about movies, music, games, and sports, and he shares his opinions and reviews on these topics. He also writes on other topics when there is no one available, such as health, education, business, and more.
