New Android Spyware Hiding as an Antivirus Targets Business Leaders

Security researchers have recently identified a new, highly capable Android backdoor—tracked as Android.Backdoor.916.origin—that’s being distributed as a fake antivirus app and used in targeted campaigns against business executives.

How it infects and stays resident

The campaign relies on social engineering and sideloading (users manually installing the APK) rather than exploiting software flaws. After installation the app registers background services and an Accessibility Service in its manifest—this grants powerful capabilities such as keystroke and in-app data interception. The malware runs continuous health checks and automatically restarts its services so it survives reboots and force-stops.

What the spyware can do

When active, operators can:

  • Harvest call logs, SMS, and contact lists.
  • Track device geolocation.
  • Stream microphone audio, capture camera video, and take screen snapshots.
  • Access stored images and execute arbitrary shell commands.
  • Use the Accessibility API to block removal attempts by overlaying fake system dialogs or disabling uninstall options.

The malware’s configuration is flexible: it can use up to fifteen hosting providers and shifts between active C2 servers to resist takedowns. Domain registrar actions have disabled some infrastructure, but the campaign remains resilient.

Detection & mitigation

Dr.Web’s Android product detects and removes known variants of this backdoor. However, because the attacks are customized and highly targeted, organizations—especially those with high-value personnel—should exercise extra caution:

  • Avoid installing APKs from untrusted sources or links received over private messaging.
  • Disable sideloading on corporate devices where possible.
  • Turn off Accessibility permissions for apps that do not explicitly need them.
  • Monitor for unusual permission requests, background services that restart immediately after being stopped, or repeated connections to the same C2 hosts.
  • Use reputable mobile-security solutions and keep threat intelligence feeds updated.
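The infection section above describes a recognizable manifest pattern (an Accessibility Service declaration plus background services that survive reboots) and the mitigation list asks defenders to watch for unusual permission requests. The following added Python script, which is not part of the original article and not a Dr.Web tool, shows how a triage pipeline could check a decoded AndroidManifest.xml for that combination: an Accessibility Service, a boot-completed receiver for persistence, and the surveillance permissions that match the capabilities listed above. The package names and manifests embedded below are constructed samples, and the scoring thresholds are the author's own assumption, not a published heuristic.

```python
"""Triage a decoded AndroidManifest.xml for the spyware profile described above.

Added example: flags the combination of an Accessibility Service, boot persistence
and surveillance permissions. Manifests and package names below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permissions that map onto the capabilities listed in the article
# (call logs, SMS, contacts, location, microphone, camera, stored images).
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found in a decoded manifest and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = {
        "package": root.get("package"),
        "accessibility_services": [],
        "boot_receivers": [],
        "surveillance_permissions": [],
        "verdict": "low",
    }

    # <uses-permission> entries sit directly under <manifest>.
    requested = {p.get(A_NAME) for p in root.findall("uses-permission")}
    findings["surveillance_permissions"] = sorted(requested & SURVEILLANCE_PERMISSIONS)

    if app is not None:
        # An Accessibility Service must be protected by BIND_ACCESSIBILITY_SERVICE.
        for svc in app.findall("service"):
            if svc.get(A_PERMISSION) == ACCESSIBILITY_BIND:
                findings["accessibility_services"].append(svc.get(A_NAME))
        # A BOOT_COMPLETED receiver is the usual way to restart services after reboot.
        for rcv in app.findall("receiver"):
            actions = {
                a.get(A_NAME)
                for flt in rcv.findall("intent-filter")
                for a in flt.findall("action")
            }
            if BOOT_ACTION in actions:
                findings["boot_receivers"].append(rcv.get(A_NAME))

    # Assumed scoring: accessibility + broad surveillance permissions is the
    # article's profile; persistence alone or a single sensitive permission is medium.
    n_perms = len(findings["surveillance_permissions"])
    if findings["accessibility_services"] and n_perms >= 3:
        findings["verdict"] = "high"
    elif findings["accessibility_services"] or (findings["boot_receivers"] and n_perms >= 1):
        findings["verdict"] = "medium"
    return findings


# Constructed sample: a fake "antivirus" with the profile described above.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Antivirus">
    <service android:name=".WatchService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a benign flashlight app with a single hardware permission.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for xml in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(xml))
```

In practice the manifest would come from a decoding tool run against the APK before installation or as part of an MDM intake check; the script only parses the declared capabilities and does not execute anything from the package. The verdict is deliberately coarse: legitimate screen readers and automation apps also declare an Accessibility Service, so a "high" result is a prompt for analyst review, not a detection on its own.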
