Source: go.theregister.com – Author: Connor Jones
A Russian programmer defied the Federal Security Service (FSB) by publicizing the fact his phone was infected with spyware after being confiscated by authorities.
Kirill Parubets was detained in Russia for 15 days after being accused of sending money to Ukraine, during which time the man was beaten and subjected to aggressive efforts to recruit him as an FSB informant on his contacts in Ukraine.
According to his account of the story, published with his consent by Toronto University’s Citizen Lab and the First Department legal organization, he was threatened with life imprisonment if he failed to comply with the recruitment drive.
In order to secure his release, he agreed, but before he was indoctrinated he and his wife fled the country. Always keep a second passport, if possible.
First Department’s account revealed that Parubets was working as a systems analyst in 2020, a job that didn’t require him to attend an office, so as a self-identifying ethnic Ukrainian, the Russian citizen decided to live in Kyiv.
After Russia’s invasion of the country in 2022, however, Russian citizens found it impossible to renew their residence permits, so he and his wife Lyubov then attempted to obtain Moldovan and Romanian citizenship, but had to return to Russia to collect personal documents.
“There were no problems entering Russia,” said Parubets. “We arrived by car through Georgia, through Verkhniy Lars along the Black Sea and then we lived peacefully in Moscow. I was slowly collecting papers and continued working at the same time.”
Then on April 18 earlier this year, six masked men armed with machine guns stormed the Parubets’ home, ordered them to the floor, separated them into different rooms, and asked questions about the money transfers.
Kirill confirmed he was involved in charity work when living in Kyiv and that he did make transfers related to this work – an act Russia designated as treason shortly after its invasion began.
His Oukitel WP7 Android device was confiscated and he was forced to surrender the password before he and his wife were detained.
“Judging by how confidently they acted in the apartment, I got the impression that they had been there before, or there was wiretapping, because they knew what was where, what to look for and where,” he said. “They very quickly found a phone, a laptop, the most important documents related to Ukraine. In general, they knew where and what was there.”
After he agreed to work for the agency, the FSB returned his device at its Lubyanka headquarters, but Russia’s finest didn’t do a great job of hiding their tracks. Parubets quickly noticed an odd-looking notification reading “Arm cortex vx3 synchronization,” which isn’t a typical message to receive.
“I picked up the code and saw that it was some kind of spy thing,” said Parubets. “I was very interested in information security and knew that there was such a spy module called Monokle. According to the description, it was very similar to it.”
After outsmarting the authorities and fleeing Russia, a bruised Parubets worked with investigators to conclude that during his time in detention, a trojanized version of the legitimate Cube Call Recorder app was installed on his phone. The app had many hallmarks of spyware – specifically the Monokle family.
Various additional features were detected on the app, including the ability to track a device’s precise location when not in use, record video and the device’s screen, log inputs, install additional packages, send and read SMS messages, and read messages from other messaging apps.
Many of these features were contained in a single class (com.android.twe1ve) which is specific to Monokle – a spyware family that dates back to 2019 and was swiftly linked to Russian use.
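The class name quoted above is the kind of indicator an analyst would hunt for on a returned device. The following is an added example, not code from the article or from Citizen Lab: it walks the string table of every classes*.dex inside an APK and reports any descriptor for com.android.twe1ve or its inner classes. The APK builder at the end produces a constructed test input (a header plus string table only), not a real Monokle sample.

```python
import io
import struct
import zipfile

MONOKLE = "Lcom/android/twe1ve"   # DEX descriptor form of the class named in the article

def _uleb128(buf, pos):
    """Decode a DEX uleb128 at pos; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos, value = pos + 1, value | ((b & 0x7F) << shift)
        if not b & 0x80:
            return value, pos
        shift += 7

def dex_strings(dex):
    """Walk the string_ids table of a DEX file and return its entries."""
    count, table_off = struct.unpack_from("<II", dex, 0x38)   # string_ids_size, string_ids_off
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _, pos = _uleb128(dex, data_off)           # skip utf16_size; payload is NUL-terminated
        out.append(dex[pos:dex.index(b"\x00", pos)].decode("utf-8", "replace"))
    return out

def scan_apk(apk_bytes):
    """Return (dex name, descriptor) for com.android.twe1ve and its inner classes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                for s in dex_strings(z.read(name)):
                    if s == MONOKLE + ";" or s.startswith(MONOKLE + "$"):
                        hits.append((name, s))
    return hits

def build_sample_apk(strings):
    """Constructed test input: an APK whose classes.dex has only a header and string table."""
    header = bytearray(0x70)                      # DEX header is 0x70 bytes
    header[0:8] = b"dex\n035\x00"
    ids, data, data_off = b"", b"", 0x70 + 4 * len(strings)
    for s in strings:                             # names < 128 chars: uleb128 is one byte
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", bytes(header) + ids + data)
    return buf.getvalue()
```

On a real device image, run scan_apk over each APK pulled from /data/app; a match is a reason for the expert analysis Citizen Lab recommends, not proof on its own.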
“This case illustrates that the loss of physical custody of a device to a hostile security service like the FSB can be a severe risk for compromise that will extend beyond the period where the security services have custody of the device,” said The Citizen Lab. “In this case, the target noticed several odd behaviors on their device after he was released from detention, such as an unfamiliar and suspicious notification and the presence of an app that he had not installed. However, not every attempt to infiltrate and monitor a device is likely to result in such visible alerts.
“We encourage members of civil society that have lost physical custody of their device to a security service, especially a technically competent service in an authoritarian state like Russia, to seek expert assistance when the device is returned to them. Any person whose device was confiscated and later returned by such services should assume that the device can no longer be trusted without detailed, expert analysis.” ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2024/12/06/badass_russian_techie_outsmarts_fsb/