Source: www.govinfosecurity.com
Russian Activist for Ukraine Claims Spyware Was Installed While in Custody by FSB
Chris Riotta (@chrisriotta) • December 5, 2024
A Russian systems analyst and self-described opposition political activist accused the Kremlin of installing covert spyware on his cellphone while he was in custody and facing accusations of sending money to Ukraine.
A joint investigation published Thursday by the University of Toronto’s Citizen Lab and Moscow-based First Department found the spyware resembled the Monokle family, malware linked to the “Special Technology Center,” a Russian government contractor. It was capable of tracking a target device’s location, recording calls, capturing keystrokes, and reading messages from encrypted apps, among other capabilities.
The spyware secretly installed on Kirill Parubets’ phone was a malicious version of the legitimate Cube Call Recorder app from the Google Play Store, designed to automatically record incoming calls. Despite significant advancements in Russian remote hacking campaigns, experts told Information Security Media Group that crude methods, such as forcing someone to unlock their phone before installing a Trojan via cable – something that appears to have occurred in Parubets’ case – remain common.
“If a device is confiscated by an authoritarian regime, there is a very good chance it has been compromised,” said Ken Westin, senior solutions engineer for the security platform LimaCharlie, noting that many U.S. companies have security policies to bring burner devices to certain countries to mitigate risks. “If a device is confiscated temporarily or left in a hotel room, the likelihood of it being compromised due to spies having physical access increases substantially.”
Parubets said he and his wife, who have lived in Ukraine since 2020, were in Moscow to finalize paperwork for Moldovan citizenship when he was detained by six Russian Federal Security Service agents in April. He was reportedly beaten and coerced into providing the password to his Android device after officials tried to pressure him into serving as an informant for the FSB.
“Judging by how confidently they acted in the apartment, I had the impression that they had been there before,” Parubets told First Department, a legal assistance organization, later adding about his interrogations during detention: “They had a huge folder with a printout of my Telegram chats.”
After he and his wife were later released, Parubets recalled noticing an unusual notification on his device that read: “Arm cortex vx3 synchronization.”
A technical analysis of Parubets’ device revealed the malicious app requested a wide range of permissions not found in the authentic Cube Call Recorder app, including the ability to record screen captures, use the camera for video, read and send SMS messages and access location information when the app is not in use. The report also found that the spyware was likely an updated version of Monokle, sharing command and control similarities but with key differences, including more sophisticated configuration files that make decryption harder.
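The permission mismatch described above is the kind of check a device examiner can automate. The following is an added example, not code from the Citizen Lab or First Department report: it diffs the permissions an installed APK's decoded manifest requests against a known-good baseline for the legitimate app and flags the sensitive additions. Both manifests and the package name are constructed placeholders, not the real Cube Call Recorder manifest.

```python
# Added triage check (constructed example): compare a suspect app's manifest
# permissions with a baseline captured from the legitimate app and flag extras.
# Assumes the binary AndroidManifest.xml has already been decoded to plain XML
# (for instance with apktool or aapt); the manifests below are made up.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Additions worth a second look in a call-recorder app. The report names camera
# video, SMS read/send and location while the app is not in use. Screen capture
# via MediaProjection is granted at runtime, not in the manifest, so it is not
# detectable by this check.
HIGH_RISK = {
    "android.permission.CAMERA": "video capture",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while app not in use",
}

# Constructed baseline: what the legitimate recorder is expected to request.
BASELINE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.callrecorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Constructed suspect manifest: same package name, extra permissions added.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.callrecorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>"""

def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def permission_diff(baseline_xml: str, suspect_xml: str) -> dict:
    """Report permissions the suspect adds or drops, and which additions are high risk."""
    base, sus = requested_permissions(baseline_xml), requested_permissions(suspect_xml)
    extra = sorted(sus - base)
    return {"missing": sorted(base - sus), "extra": extra,
            "high_risk": {p: HIGH_RISK[p] for p in extra if p in HIGH_RISK}}
```

A non-empty `high_risk` result is a prompt for deeper analysis (signature, code, network behaviour), not proof of compromise by itself.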
“Detention and device confiscation can provide a unique opportunity for an adversary to install spyware without the same technical challenges presented by remote attacks,” the report reads. “This opportunity is especially pronounced if the adversary has user-level access to the device and is able to compel the individual to provide credentials and/or device passcodes, as they were in this case.”
Parubets, who has acknowledged volunteering and providing financial and humanitarian support to Ukraine since Russia’s invasion, said he left the compromised device in Moscow as he and his wife fled following their detainment, hoping “to win some time.”
Security researchers examined the device and found the malicious app “appeared to have been introduced onto the phone during [Parubets’] detention.” The spyware’s malicious functionality is concealed in an encrypted second stage, which is decrypted and loaded into memory once the spyware is executed on the phone. This obfuscation tactic helps evade detection by some antivirus software, according to Citizen Lab.
Since launching its invasion, Russia has intensified its cyber assault on Ukraine and its supporters, targeting Kyiv, Western governments, Washington think tanks and institutions focused on Ukraine with an array of cyberespionage campaigns. Research revealed at the Cyberwarcon summit in November showed that the Russian General Staff Main Intelligence Directorate hacking unit deployed a new attack technique exploiting Wi-Fi connectivity to target a Washington, D.C.-based organization (see: Russian Hackers Exploit Wi-Fi in Sophisticated New Attack).
Original Post URL: https://www.govinfosecurity.com/russian-forces-accused-secretly-planting-spyware-on-phone-a-26984