A joint investigation by First Department and the University of Toronto’s Citizen Lab has revealed that Russian authorities secretly installed sophisticated spyware on a programmer’s Android device. The victim, Kirill Parubets, was detained in May 2024 for allegedly donating money to Ukraine.
During his 15-day administrative detention, Parubets was beaten until he revealed his device password and was pressured to become an FSB informant under threat of life imprisonment. Upon his release his Oukitel WP7 phone was returned to him, and a notification reading “Arm cortex vx3 synchronization” prompted him to have the device examined.
Technical Analysis
The investigation uncovered a trojanized version of the Cube Call Recorder app on the device. The legitimate app uses the package name “com.catalinagroup.callrecorder”; the trojanized build was installed under “com.cortex.arm.vx3”, so a package-name comparison against the Play Store build is enough to tell them apart. The spyware’s capabilities include:
– Location tracking
– Call recording
– Keystroke logging
– Reading messages from messaging apps, including end-to-end encrypted messengers (encryption in transit does not help once the endpoint itself is compromised)
– File extraction
– Password harvesting
– Shell command execution
– Obtaining Device Administrator privileges, which make the app harder to uninstall and allow it to change device policies
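As an added example (not code from the report, from First Department or from Citizen Lab), here is a small triage script for a phone that has been returned after confiscation. It parses `adb shell dumpsys package` and `adb shell dumpsys device_policy` output and flags packages that were installed or updated inside the custody window, or that hold Device Administrator privileges without being on an allowlist. The two dumpsys samples, the custody dates, the hashes and the timestamps are constructed for the example; only the two package names come from the report. The parsing assumes the `Package [name]` / `firstInstallTime=` and `ComponentInfo{package/class}` layouts of current Android builds.

```python
import re
from datetime import datetime

# Constructed sample of `adb shell dumpsys package`, trimmed to the fields
# this script reads. Timestamps and hashes are invented; not real case data.
SAMPLE_DUMPSYS_PACKAGE = """\
Packages:
  Package [com.catalinagroup.callrecorder] (a1b2c3d):
    codePath=/data/app/~~Xyz==/com.catalinagroup.callrecorder-abc==
    firstInstallTime=2023-09-02 11:20:05
    lastUpdateTime=2024-03-19 08:41:33
  Package [com.cortex.arm.vx3] (d4e5f6a):
    codePath=/data/app/~~Qrs==/com.cortex.arm.vx3-def==
    firstInstallTime=2024-05-21 14:02:17
    lastUpdateTime=2024-05-21 14:02:17
  Package [com.android.chrome] (0f1e2d3):
    codePath=/product/app/Chrome
    firstInstallTime=2009-01-01 00:00:00
    lastUpdateTime=2024-04-11 07:15:02
"""

# Constructed sample of `adb shell dumpsys device_policy`.
SAMPLE_DUMPSYS_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.cortex.arm.vx3/com.cortex.arm.vx3.AdminReceiver}:
      uid=10231
      policies:
        wipe-data
    ComponentInfo{com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver}:
      uid=10014
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
FIELD_RE = re.compile(r"^\s*(firstInstallTime|lastUpdateTime|codePath)=(.+?)\s*$")
ADMIN_RE = re.compile(r"ComponentInfo\{([^/}]+)/[^}]*\}")


def parse_packages(text):
    """Map package name -> {codePath, firstInstallTime, lastUpdateTime}."""
    pkgs, current = {}, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            pkgs.setdefault(current, {})
            continue
        m = FIELD_RE.match(line) if current else None
        if m:
            key, val = m.groups()
            if key.endswith("Time"):
                val = datetime.strptime(val, "%Y-%m-%d %H:%M:%S")
            pkgs[current][key] = val
    return pkgs


def parse_device_admins(text):
    """Package names that currently hold Device Administrator privileges."""
    return sorted({m.group(1) for m in ADMIN_RE.finditer(text)})


def triage(pkg_text, policy_text, seized, returned, known_admins=frozenset()):
    """Return [(package, [reasons])] for packages that deserve a closer look."""
    pkgs = parse_packages(pkg_text)
    admins = set(parse_device_admins(policy_text))
    findings = []
    # Walk the union so an admin that is missing from the package dump is not skipped.
    for name in sorted(set(pkgs) | admins):
        info = pkgs.get(name, {})
        reasons = []
        for key in ("firstInstallTime", "lastUpdateTime"):
            t = info.get(key)
            if t is not None and seized <= t <= returned:
                reasons.append(f"{key} {t:%Y-%m-%d %H:%M} is inside the custody window")
        if name in admins and name not in known_admins:
            reasons.append("holds Device Administrator privileges and is not allowlisted")
        if reasons:
            findings.append((name, reasons))
    return findings


def demo():
    # Constructed custody window; not the dates of the actual case.
    seized = datetime(2024, 5, 15)
    returned = datetime(2024, 5, 30, 23, 59, 59)
    return triage(SAMPLE_DUMPSYS_PACKAGE, SAMPLE_DUMPSYS_DEVICE_POLICY,
                  seized, returned, known_admins={"com.google.android.gms"})


if __name__ == "__main__":
    for pkg, reasons in demo():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

Two caveats. The install timestamps live in packages.xml and can be rewritten by anyone with root on the handset, so an empty result is not evidence of a clean device; the script is a starting point for pulling the flagged APK with `adb pull` and comparing its package name and signing certificate against the Play Store build, which is exactly the check that separates com.catalinagroup.callrecorder from com.cortex.arm.vx3. And Device Administrator is only one persistence route; an app that instead abuses the accessibility service would not appear in the device_policy dump.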
The malware shares code and structure with the previously documented Monokle spyware, suggesting either a newer version of the same tool or reuse of its source. References to iOS in the decompiled code suggest an iOS variant may exist, although none was recovered in this case.
Concurrent Developments
Separately, security firm iVerify has identified seven previously unknown Pegasus spyware infections on devices belonging to journalists, government officials and executives, on both iOS and Android. The infections date from 2021 to late 2023 and involve iOS versions from 14 through 16.6.
This case highlights the risk of handing a device to a hostile security service: a compromise planted during confiscation persists long after the device is returned, and the owner has no reliable way to prove the device is clean. A device that has been out of its owner’s control in such circumstances should be treated as compromised; replacing it, or at minimum re-flashing it from a known-good image and rotating every credential it held, is safer than trusting any scan.