New Android Spyware Found On Russian Programmer Phone Who Was Released From Custody


A Russian programmer recently released from administrative detention has discovered sophisticated spyware on his Android device, raising alarm bells about potential surveillance tactics employed by Russian authorities.

Kirill Parubets, who consented to be named in this report, was detained for 15 days on accusations of engaging in money transfers to Ukraine.

During his detention, Parubets was subjected to beatings and intense recruitment efforts by Russia’s Federal Security Service (FSB), threatening him with life imprisonment if he failed to cooperate.

Upon his release, Parubets’ seized Android device was returned to him at the FSB headquarters.

The Citizen Lab researchers noted that he quickly noticed unusual behavior on his Oukitel WP7 running Android 10, including a suspicious notification reading “Arm cortex vx3 synchronization”.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Technical Analysis

The First Department, a legal assistance organization founded by exiled Russian human rights lawyer Ivan Pavlov, examined Parubets’ device and identified a likely-malicious app that appeared to have been installed during his detention. Subsequent analysis by the Citizen Lab confirmed the presence of spyware.

The spyware is a trojanized version of the legitimate Cube Call Recorder application. It requests numerous permissions not present in the original app, including access to location information, SMS messages, and camera functionality.

Same icon is used by both the spyware and legitimate version of the Cube Call Recorder application (Source – The Citizen Lab)

Besides this, the malware consists of two stages, with the second stage encrypted to evade detection. While the functionality includes location tracking, screen capture, keylogging, call recording, and file extraction

Technical experts suspect this spyware may be related to the Monokle family, previously linked to Russian threat actors. Similarities include:-

  • Overlapping command and control server commands
  • Use of similar folders for malware staging
  • Utilization of accessibility settings
  • Trojanization of legitimate applications

However, some differences in file encryption and requested permissions suggest this may be an updated version of Monokle or new software created using much of the original code.

Individuals who have lost physical custody of their devices to such entities, especially in authoritarian states like Russia, are strongly encouraged to seek expert assistance upon the device’s return.

The discovery of this sophisticated spyware underscores the ongoing challenges faced by civil society members and dissidents in Russia, as well as the evolving tactics employed by state actors in digital surveillance and control.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses



Source link