Digital forensic researchers released a report on Thursday revealing that a phone Russian police seized from a citizen accused of sending money to Ukraine had been infected with spyware while he was detained.
The phone belonging to Kirill Parubets, a Russian programmer who spent more than two weeks in custody, was apparently infected with spyware that the researchers say allowed authorities to track his device location, read encrypted messages and record calls and keystrokes.
The spyware is similar to the so-called Monokle family of spyware, according to researchers from The Citizen Lab, a University of Toronto-based institute which has discovered and confirmed scores of civil society spyware infections in recent years.
The Citizen Lab analysis found that the phone was likely infected with a “trojanized application,” Cube Call Recorder. The app is real and available in the Google Play Store, but the version Russian authorities apparently installed on Parubets’ phone had spyware embedded, the researchers said in a blog post. The Citizen Lab’s findings were first reported by CyberScoop.
The spyware found on Parubets’ phone appears to use much of the same code as a sample of Monokle found in 2019 by Lookout Mobile Security, which had attributed it to a Russian government contractor, the blog post said.
The trojanized app asked Parubets for permission to access information and perform functions that the app does not normally request, the blog post said. This included permission to access location data; to read and send SMS messages; to record screen captures and video; and to answer phone calls.
Parubets says he was beaten by Russian authorities and was pressured to become an informant or face life in prison, The Citizen Lab says. Parubets did not respond to a request for comment.
After Parubets was released from custody he noticed unusual activity on his phone, the report says, including a notification that is not typically sent by his device.
The Citizen Lab conducted the technical investigation after First Department — a Russian legal assistance group Parubets sought help from — discovered the malicious app, which Parubets had not installed.