Russian programmer says FSB agents planted spyware on his Android phone

A programmer said Russia’s Federal Security Service (FSB) installed spyware on his Android phone after he was detained in Moscow earlier this year. Security researchers confirmed that his phone had spyware installed, likely when authorities gained physical access to his phone and forced him to reveal his password.

For programmer Kirill Parubets it was a terrifying and traumatic experience. But thanks to his computer expertise and surveillance, his story offers a rare first-hand account of how Russian authorities deployed spyware on one of their citizens, not by using a technically advanced remote hacking attack, but with a cruder.

Parubets is a Russian systems analyst who identifies as of Ukrainian descent, calls himself “an opposition political activist,” and has lived in Ukraine since 2020. Parubets says he volunteered and provided financial and humanitarian aid to Ukrainians after the full-scale invasion of Russia in 2022.

Parubets said he and his wife traveled back to Russia in 2023 to do some paperwork, while trying to obtain Moldovan citizenship, which would have allowed them to remain in Ukraine.

On April 18, 2024, six FSB agents armed with machine guns broke into the apartment of Parubets and his wife in Moscow at around 6:30 in the morning. “They threw us to the ground, they dragged my wife to a small room, I was lying in the hallway. They didn’t let us get dressed,” according to his recollection of the events, which Parubets wrote in a document he shared with TechCrunch.

The agents asked him about money transfers to Ukrainians, as well as about a friend of Parubets, whom he calls by the nickname Ivan Ivanov. (Parubets says he changed Ivan’s name to protect him.)

“What’s your damn password?” —one of the agents asked Parubets when they picked up his Android phone, according to his recollection of the events. Intimidated, Parubets said he had revealed his password.

The same day, Parubets said he and his wife were arrested and sentenced to 15 days of administrative arrest. While in detention, where he said he was also beaten, Parubets said FSB agents visited him and asked him about his volunteer activities and donations in Ukraine, as well as donations he made on behalf of his friend Ivanov, who, they say, could be classified as treason. Then, according to Parubets, FSB agents asked him to spy on Ivanov, who they said had contacted Ukraine’s special services.

“They threatened me and said they would imprison me and my wife for life if I did not give them help,” Parubets said.

That’s why Parubets said he decided to tell the officers he would agree to help them, even though he wasn’t actually planning to do so.

Then, on May 3, Parubets said he and his wife were released and he went to retrieve his belongings, including his Android phone. Parubets said that shortly afterward he noticed a strange notification saying “Arm Cortex vx3 sync,” then it disappeared and he rebooted the phone.

At that time, Parubets, who is interested in cybersecurity, said he inspected his phone and found a suspicious app that had multiple permissions to access a large amount of personal data on the phone. At that moment, Parubets said he approached First Departmenta legal aid organization. The organization, in turn, contacted Citizen Lab, an Internet security and surveillance research organization at the University of Toronto, to analyze the suspicious app.

According to a new report from Citizen Lab Released on Thursday, written by Cooper Quintin, Rebekah Brown and John Scott-Railton, the app was in fact spyware.

Researchers said the suspicious app identified by Parubets appeared to be “a trojanized version of the genuine Cube Call Recorder app,” a legitimate call recording app.

According to the report, the fake app was able to access location information, read and send text messages, install other apps, read the calendar, take screenshots and record from the video camera, view a list of other apps, answer calls phone calls and view user account details – all permissions that the real Cube Call Recorder doesn’t have.

The developers of Cube Call Recorder did not respond to a request for comment.

Technical experts from the First Department, as well as Citizen Lab, believe that the spyware is a new version of a malware called Monokle, based on several similarities that the spyware used against Parubets has compared to a previous version of the malware. Monokle It was analyzed in 2019 by the cybersecurity firm Lookout. At the time, Lookout concluded that Monokle was developed by Special Technology Center, a St. Petersburg company that has been sanctioned by the united states government and other countries for providing technological assistance to the Russian government in its espionage activities.

The Russian embassy in Washington DC, as well as the Russian government press office, did not respond to a request for comment. Neither does the sanctioned Special Technology Center.

For Quintin, one of the researchers who analyzed the malware, judging by the functionalities of the spyware found on Parubets’ phone, as well as the previous version analyzed by Lookout, “this malware has been professionally prepared for several years.”

Quintin said the Parubet story is a reminder that spyware attacks don’t have to be carried out from afar, like those carried out with spyware made by NSO Group, for example.

“People spend a lot of time thinking about zero-click exploits and zero-day attacks, but they tend to forget that someone with physical access to your phone who can force you to unlock it with violence or threat of violence is just as likely to be a risk.” Quintin told TechCrunch.

In the report, Quintin and his colleagues concluded that “anyone whose device has been confiscated by a security service should assume that they can no longer be trusted.”

Dmitry Zair-Bek, head of the First Department’s human rights project, criticized the Russian government and warned that what happened to Parubets can happen to others.

“We expected that something similar to the Kirill Parubets case would start to happen simply because this aligns perfectly with the logic of the Russian special services. The scale of the repression is truly terrifying, and a major problem is that there are no longer ‘red lines’ of what is permissible,” Zair-Bek told TechCrunch. “In addition to Ukrainians, citizens of Western countries visiting Russia are in an especially high-risk group. “They are a tempting target for recruitment and possible imprisonment as hostages.”

After being released, Parubets said he and his wife left Russia. In an ironic twist, his spyware-riddled phone may have helped him escape as it left him in Moscow.

“I needed to pretend that I’m still in Moscow,” Parubets said. “To buy some time.”

Personal opinion:

“The Russian programmer’s claim that FSB agents planted spyware on his phone is a questionable issue regarding privacy and digital security. If true, these allegations highlight the urgent need to develop better and stronger protection technologies for individuals, especially in light of the escalation of cyber threats from state and non-state actors.”