In recent months, security researchers have observed the emergence of a highly versatile Android backdoor, Android.Backdoor.916.origin, masquerading as a legitimate antivirus application.
Distributed through private messaging services under the guise of “GuardCB,” its icon closely mimics the emblem of the Central Bank of the Russian Federation against a shield background.
Malicious app icons mislead potential victims (Source – Dr.Web)
Although the interface displays only Russian-language prompts, this malware has been deployed in targeted campaigns against Russian business executives, extracting sensitive corporate communications and personal data.
Upon installation, the counterfeit antivirus simulates system scans, randomly “detecting” between one and three fictitious threats, with the detection rate increasing the longer a device goes unscanned, though never exceeding 30 percent.
This deceptive behavior lulls victims into believing the application provides genuine protection.
Beneath this veneer, the backdoor silently requests a long list of permissions: geolocation, audio recording, SMS and contacts access, camera control, background execution, device administrator rights, and Accessibility Service privileges.
Fake AV tool (Source – Dr.Web)
Dr.Web researchers noted that once these permissions are granted, the malware launches several persistent services that self-monitor every minute, reconnecting to its command-and-control (C2) infrastructure whenever necessary.
Through separate C2 ports, operators can harvest call logs, SMS traffic, contact lists, and geolocation data; stream microphone audio, camera video, or device screen captures; siphon stored images; and even execute arbitrary shell commands.
The trojan’s ability to toggle self-defense routines via the Accessibility Service allows it to thwart removal attempts by overlaying fake system interfaces or disabling uninstall options.
The sophistication of Android.Backdoor.916.origin is underscored by its dynamic configuration, which can incorporate up to fifteen different hosting providers, although only a subset is active in current campaigns.
Domain registrar notifications have prompted some takedowns, but the mule-like resilience of the C2 network continues to frustrate defenders.
Dr.Web antivirus for Android successfully detects and removes known variants, yet the tailored nature of these attacks underscores the need for heightened vigilance among executive circles.
Infection Mechanism and Persistence
Android.Backdoor.916.origin employs an infection mechanism tailored to social engineering and sideloading rather than exploitation of software vulnerabilities.
Examples of requested permissions (Source – Dr.Web)
Victims receive a malicious APK file disguised as “GuardCB.apk” via encrypted messenger threads. Once executed, the app’s manifest registers background services and the Accessibility Service, as illustrated in the snippet below:
By abusing the Accessibility API, the malware gains keystroke logging and in-app data interception capabilities, ensuring an enduring presence even after force-stop or device reboot sequences.
Continuous health checks and automated service restarts guarantee that the backdoor remains active, silently harvesting data until manually removed.
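A defender-side way to act on the permission list and the manifest registrations described above is to triage a decoded AndroidManifest.xml for the combination this sample relies on: an Accessibility Service plus device-admin rights plus a cluster of surveillance capabilities (location, audio, SMS, contacts, call logs, camera, boot-time persistence). The script below is an added example, not Dr.Web's code and not the malware's actual manifest; it assumes the manifest has already been decoded from the APK (for instance with apktool), and the embedded manifest, package name and component names are constructed for the demonstration.

```python
"""Permission-combination triage for a sideloaded Android APK manifest.

Added example (not Dr.Web's code and not the real GuardCB manifest). It parses
a decoded AndroidManifest.xml and flags the permission/component combination
the article describes: geolocation, audio, SMS, contacts, call logs, camera,
background execution, device-admin and Accessibility Service. The manifest
below is CONSTRUCTED; the package and component names are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission strings grouped by the capability they grant.
SENSITIVE_PERMISSIONS = {
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION",
                    "android.permission.ACCESS_COARSE_LOCATION"},
    "audio_recording": {"android.permission.RECORD_AUDIO"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "camera": {"android.permission.CAMERA"},
    "background_execution": {"android.permission.FOREGROUND_SERVICE",
                             "android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Signature permissions a component must declare to receive Accessibility
# Service or device-admin privileges from the system.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest in the shape of a fake-AV app (hypothetical names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.guardcb">
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="GuardCB">
        <service android:name=".MonitorService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the sensitive capabilities a manifest requests and a verdict.

    The verdict is 'suspicious' when the app combines an Accessibility Service
    with a device-admin receiver and at least four surveillance-style
    capability groups; anything else is left for manual 'review'.
    """
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

    capabilities = sorted(
        group for group, perms in SENSITIVE_PERMISSIONS.items() if perms & requested
    )
    app = root.find("application")
    components = list(app) if app is not None else []
    accessibility = [c.get(ANDROID_NS + "name") for c in components
                     if c.tag == "service"
                     and c.get(ANDROID_NS + "permission") == BIND_ACCESSIBILITY]
    device_admin = [c.get(ANDROID_NS + "name") for c in components
                    if c.tag == "receiver"
                    and c.get(ANDROID_NS + "permission") == BIND_DEVICE_ADMIN]
    boot_persist = "android.permission.RECEIVE_BOOT_COMPLETED" in requested

    suspicious = bool(accessibility) and bool(device_admin) and len(capabilities) >= 4
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "accessibility_services": accessibility,
        "device_admin_receivers": device_admin,
        "boot_persistence": boot_persist,
        "verdict": "suspicious" if suspicious else "review",
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The threshold is deliberately a combination rather than any single permission: a legitimate accessibility tool or MDM agent declares one of these components, but an app that claims to be an antivirus and requests all of them together is worth pulling for analysis. Run it against manifests decoded from apps that arrived via messenger rather than an app store, which is the distribution path this campaign uses.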