The Federal Security Service (FSB) has secretly installed spyware on its Android device from a Russian programmer accused of donating money to Ukraine after he was detained earlier this year.
The findings were made as part of a joint investigation The first department and the University of Toronto Civil laboratory.
“The spyware placed on his device allows the operator to track the target device’s location, record phone calls, keystrokes and read messages from encrypted messaging programs, among other capabilities,” the report said.
In May 2024, Kiril Parubets was released out of custody after a 15-day period of administrative arrest by Russian authorities, during which his Oukitel WP7 phone running Android 10 was confiscated.
During this period, he was not only beaten to get the password to his device, but also “intensely tried” to recruit him as an informant for the FSB, or face life in prison.
Having agreed to work for the agency, if only to buy time and escape, the FSB returned his device to its Lubyanka headquarters. At this point, Parubets began to notice that the phone was exhibiting unusual behavior, including a notification that read “Syncing Arm cortex vx3.”
Further investigation of the Android device revealed that it was indeed a fake with a trojan version of the real thing Cube Recorder called application It should be noted that the legitimate application has the package name “com.catalinagroup.callrecorder”, while the outcast counterparts package name is “com.cortex.arm.vx3.”
The fake app is designed to request intrusive permissions that allow it to collect a wide range of data, including SMS messages, calendars, installing add-on packages and answering phone calls. It can also access your exact location, record phone calls, and read contact lists, all features that are part of a legitimate app.
“Most of the app’s malicious functionality is hidden in the encrypted second stage of the spyware,” Citizen Lab said. “Once the spyware is downloaded to the phone and executed, the second stage is decrypted and loaded into memory.”
The second stage includes features to log keystrokes, retrieve files and saved passwords, read chats from other messaging apps, inject JavaScript, execute shell commands, retrieve the device unlock password, and even add a new device administrator.
The spyware also shows some level of overlap with another Android spyware called Manacle which was documented by Lookout in 2019, making it more likely that this is either an updated version or that it was created by reusing the Monokle codebase. In particular, some command-control (C2) instructions between the two strains were found to be identical.
Citizen Lab said it also found references to iOS in the source code, suggesting there may be an iOS version of the spyware.
“This case shows that losing physical custody of a device to a hostile security service, such as the FSB, can be a serious risk to compromise that will continue after the security services have custody of the device,” it said.
The disclosure comes after iVerify said it discovered seven new ones Pegasus infecting iOS and Android devices belonging to journalists, government officials and corporate executives with spyware. A mobile security firm is tracking the NSO Group spyware developer called Rainbow Ronin.
“One exploit from late 2023 on iOS 16.6, another potential Pegasus infection in November 2022 on iOS 15, and five older infections dated 2021 and 2022 on iOS 14 and 15,” security researcher Matthias Frielingsdorf. said. “Each one was a device that could be silently monitored and its data compromised without the owner’s knowledge.”
