A Russian programmer accused of financially supporting Ukraine was allegedly targeted by the Federal Security Service (FSB), which secretly installed spyware on his Android device after detaining him earlier this year.
Spyware Deployment Revealed
The revelation stems from a collaborative investigation conducted by First Department and the University of Toronto's Citizen Lab. According to the report, the implanted spyware granted operators full access to the device, including:
- Tracking location
- Recording phone calls
- Capturing keystrokes
- Reading messages from encrypted apps
Detention and Spyware Installation
In May 2024, Kirill Parubets was released after 15 days in administrative detention by Russian authorities. During this time, his Oukitel WP7 running Android 10 was confiscated, and he faced brutal treatment, including physical coercion to extract his device password.
The FSB also pressured Parubets to act as an informant under the threat of life imprisonment. While he pretended to comply, his phone was returned from the FSB's Lubyanka headquarters with the spyware already installed.
Signs of Compromise
Parubets noticed suspicious behavior on his phone, including a notification labeled "Arm cortex vx3 synchronization." On closer examination, it was discovered that his device had been tampered with: a trojanized version of the legitimate Cube Call Recorder app had been installed.
The legitimate app’s package name is com.catalinagroup.callrecorder, while the rogue version used com.cortex.arm.vx3. The modified app requested excessive permissions, enabling it to:
- Access SMS messages, calendars, and contact lists
- Record phone calls and track location
- Install additional packages and answer calls
Hidden Spyware Features
According to Citizen Lab, most malicious features were concealed within an encrypted second stage of the spyware. Once activated, it could:
- Log keystrokes
- Extract files and passwords
- Read chats from messaging apps
- Execute shell commands
- Unlock the device password
- Add a new device administrator
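The package-name mismatch and the permission set described under "Signs of Compromise", together with the device-administrator registration listed above, are all visible in the text output of standard Android commands, and a defender triaging a phone that was out of its owner's custody can check for them without any special tooling. The following script is an added example, not code from the article or from Citizen Lab or First Department. It parses the output of `adb shell pm list packages`, `adb shell dumpsys package <pkg>` and `adb shell dumpsys device_policy` and flags packages that match the indicators in the report; the SAMPLE_* data is constructed and abbreviated for this example, the high-risk permission list and the threshold of four are the example's own choices, and only the two package names come from the article.

```python
"""Post-custody triage of an Android phone from stock adb command output.

Added example (not from the article or the researchers). The command output
below is constructed and abbreviated; only the package names are from the
report.
"""
import re
from typing import Dict, List, Set

# Package name of the trojanized Cube Call Recorder build from the report.
KNOWN_ROGUE_PACKAGES = {"com.cortex.arm.vx3"}

# Permissions that together yield the capabilities the report lists (SMS,
# calendar, contacts, call recording, location, installing packages, answering
# calls). Any one alone is ordinary; a cluster of them in one app is not.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.ANSWER_PHONE_CALLS",
}

PERMISSION_RE = re.compile(r"^\s+([A-Za-z][\w.]*\.permission\.[A-Z_]+)")
COMPONENT_RE = re.compile(r"\b([a-z]\w*(?:\.\w+)+)/([\w.$]+)")


def parse_package_list(text: str) -> List[str]:
    """`pm list packages` prints one `package:<name>` line per installed app."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")]


def parse_requested_permissions(text: str) -> Set[str]:
    """Collect names under the `requested permissions:` header of
    `dumpsys package <pkg>`; the next header line (ending in ':') closes it."""
    perms: Set[str] = set()
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
            continue
        if not in_section:
            continue
        match = PERMISSION_RE.match(line)
        if match:
            perms.add(match.group(1))
        elif stripped.endswith(":"):
            in_section = False
    return perms


def parse_device_admins(text: str) -> List[str]:
    """Return `pkg/receiver` components listed under `Enabled Device Admins`
    in `dumpsys device_policy` output."""
    admins: List[str] = []
    in_section = False
    for line in text.splitlines():
        if "Device Admins" in line:
            in_section = True
            continue
        if in_section:
            match = COMPONENT_RE.search(line)
            if match:
                admins.append(f"{match.group(1)}/{match.group(2)}")
            elif not line.strip():
                in_section = False
    return admins


def triage(package_list: str, dumpsys_by_pkg: Dict[str, str],
           device_policy: str, threshold: int = 4) -> Dict[str, List[str]]:
    """Map each package worth a closer look to the reasons it was flagged."""
    admin_pkgs = {c.split("/", 1)[0] for c in parse_device_admins(device_policy)}
    findings: Dict[str, List[str]] = {}
    for pkg in parse_package_list(package_list):
        reasons: List[str] = []
        if pkg in KNOWN_ROGUE_PACKAGES:
            reasons.append("package name matches the trojanized Cube Call Recorder build")
        risky = parse_requested_permissions(dumpsys_by_pkg.get(pkg, "")) & HIGH_RISK_PERMISSIONS
        if len(risky) >= threshold:
            short = sorted(p.rsplit(".", 1)[1] for p in risky)
            reasons.append(f"requests {len(risky)} high-risk permissions: {', '.join(short)}")
        if pkg in admin_pkgs:  # legitimate MDM agents also appear here: review, do not auto-remove
            reasons.append("registered as a device administrator")
        if reasons:
            findings[pkg] = reasons
    return findings


def fake_dumpsys(pkg: str, perms: List[str]) -> str:
    """Build constructed, abbreviated `dumpsys package` text for the samples."""
    body = "".join(f"      {p}\n" for p in perms)
    return f"  Package [{pkg}]:\n    requested permissions:\n{body}    install permissions:\n"


# Constructed sample outputs (not captured from a real device).
SAMPLE_PM_LIST = "package:com.android.chrome\npackage:com.catalinagroup.callrecorder\npackage:com.cortex.arm.vx3\n"
SAMPLE_DUMPSYS = {
    "com.android.chrome": fake_dumpsys("com.android.chrome", [
        "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO"]),
    "com.catalinagroup.callrecorder": fake_dumpsys("com.catalinagroup.callrecorder", [
        "android.permission.RECORD_AUDIO", "android.permission.READ_PHONE_STATE"]),
    "com.cortex.arm.vx3": fake_dumpsys("com.cortex.arm.vx3", sorted(HIGH_RISK_PERMISSIONS)),
}
SAMPLE_DEVICE_POLICY = (
    "Current Device Policy Manager state:\n"
    "  Enabled Device Admins (User 0, provisioningState: 0):\n"
    "    ComponentInfo{com.cortex.arm.vx3/com.cortex.arm.vx3.AdminReceiver}:\n"
    "      uid=10123\n"
)

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM_LIST, SAMPLE_DUMPSYS, SAMPLE_DEVICE_POLICY).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

On a real device, feed the script the captured output of the three commands instead of the samples; a genuine call recorder like the one in the report requests microphone access but not SMS, calendar, contacts and package-installation rights at once, which is why the permission cluster, rather than any single permission, is the signal here. The device-administrator check is deliberately only a flag, since enterprise management agents legitimately register there.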
The spyware also displayed similarities with Monokle, an Android spyware documented in 2019. Shared command-and-control (C2) instructions suggest that this new spyware may be either an updated version or built from Monokle’s codebase. Researchers also found references to iOS in the spyware’s code, hinting at a possible iOS variant.
Implications for Cybersecurity
“This case highlights the severe risks posed by losing physical custody of a device to hostile security services like the FSB,” Citizen Lab warned. The compromise extended beyond the physical detention period, allowing long-term surveillance.
Broader Spyware Threats
The report coincides with iVerify’s disclosure of seven new Pegasus spyware infections on iOS and Android devices. Victims included journalists, government officials, and corporate executives. The infections, attributed to the notorious NSO Group (tracked as Rainbow Ronin), exploited vulnerabilities in iOS versions 14 through 16.
"One exploit targeted iOS 16.6 in late 2023, while others spanned from 2021 to 2022 across iOS 14 and 15,” said security researcher Matthias Frielingsdorf. “These attacks compromised devices without the owners’ knowledge, silently monitoring their data.”
Key Takeaways
This alarming case underscores the importance of robust mobile security measures. Whether through physical access or zero-click exploits, spyware continues to evolve as a significant cybersecurity threat, compromising privacy on both Android and iOS platforms.