A Russian programmer accused of donating money to Ukraine had his Android device secretly implanted with spyware by the Federal Security Service (FSB) after he was detained earlier this year.
The findings come as part of a collaborative investigation by First Department and the University of Toronto’s Citizen Lab.
“The spyware placed on his device allows the operator to track a target device’s location, record phone calls, keystrokes, and read messages from encrypted messaging apps, among other capabilities,” according to the report.
In May 2024, Kirill Parubets was released from custody after a 15-day period in administrative detention by Russian authorities, during which time his phone, an Oukitel WP7 phone running Android 10, was confiscated from him.
During this period, not only was he beaten to compel him into revealing his device password, he was also subjected to an “intense effort” to recruit him as an informant for the FSB, or else risk facing life imprisonment.
After agreeing to work for the agency, if only to buy some time and get away, the FSB returned his device at its Lubyanka headquarters. It’s at this stage that Parubets began noticing that the phone exhibited unusual behavior, including a notification that said “Arm cortex vx3 synchronization.”
A further examination of the Android device has since revealed that it was indeed tampered with a trojanized version of the genuine Cube Call Recorder application. It’s worth noting that the legitimate app has the package name “com.catalinagroup.callrecorder,” whereas the rogue counterpart’s package name is “com.cortex.arm.vx3.”
The counterfeit app is designed to request intrusive permissions that allow it to gather a wide range of data, including SMS messages, calendars, install additional packages, and answer phone calls. It can also access fine location, record phone calls, and read contact lists, all functions that are part of the legitimate app.
“Most of the malicious functionality of the application is hidden in an encrypted second stage of the spyware,” the Citizen Lab said. “Once the spyware is loaded onto the phone and executed, the second stage is decrypted and loaded into memory.”
The second stage incorporates features to log keystrokes, extract files and stored passwords, read chats from other messaging apps, inject JavaScript, execute shell commands, obtain the device unlock password, and even add a new device administrator.
The spyware also exhibits some level of overlap with another Android spyware called Monokle that was documented by Lookout in 2019, raising the possibility that it’s either an updated version or that it’s been built by reusing Monokle’s codebase. Specifically, some of the command-and-control (C2) instructions between the two strains have been found to be identical.
The Citizen Lab said it also spotted references to iOS in the source code, suggesting that there could be an iOS version of the spyware.
“This case illustrates that the loss of physical custody of a device to a hostile security service like the FSB can be a severe risk for compromise that will extend beyond the period where the security services have custody of the device,” it said.
The disclosure comes as iVerify said it discovered seven new Pegasus spyware infections on iOS and Android devices belonging to journalists, government officials, and corporate executives. The mobile security firm is tracking the spyware developer, NSO Group, as Rainbow Ronin.
“One exploit from late 2023 on iOS 16.6, another potential Pegasus infection in November 2022 on iOS 15, and five older infections dating back to 2021 and 2022 across iOS 14 and 15,” security researcher Matthias Frielingsdorf said. “Each of these represented a device that could have been silently monitored, its data compromised without the owner’s knowledge.”