FSB-Tampered Device Returned with Monokle-Type Spyware, Experts Reveal
A joint investigation by the First Department and cybersecurity researchers has exposed the covert implantation of spyware resembling the Monokle family on a confiscated device returned to a Russian programmer. The spyware, installed while the device was in the custody of Russian authorities, underscores the growing threat of targeted surveillance leveraging advanced digital tools.
The incident involves Kirill Parubets, a Russian programmer accused of transferring funds to Ukraine. After a 15-day detention, during which he faced physical abuse and recruitment attempts by the Russian Federal Security Service (FSB), his Android device was returned from the FSB headquarters. Parubets noticed unusual behavior, including a suspicious notification: “Arm cortex vx3 synchronization.” The First Department’s analysis later revealed a malicious application that he had not installed.
The malicious app disguised itself as the legitimate Cube Call Recorder, a popular call-recording application. Experts found that it significantly extended the permissions of the legitimate app. According to the report, the spyware enabled operators to:
- Track locations, even when the app was not in use.
- Capture keystrokes and extract stored passwords.
- Record calls and messages, including from encrypted apps.
- Inject JavaScript and execute shell commands.
- Extract device unlock credentials and take screen captures.
The report noted, “The spyware bears many similarities to the Monokle family of spyware,” which has been previously attributed to the Russian government-affiliated Special Technology Center.
While sharing significant overlaps with Monokle spyware reported by Lookout in 2019, this version showed advancements, suggesting it is either a sophisticated update or a new tool built on Monokle’s code. Unique traits included improved encryption methods and changes to permissions, such as the addition of “ACCESS_BACKGROUND_LOCATION” and removal of less relevant permissions like “USE_FINGERPRINT.”
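The permission changes described above are the kind of signal a defender can check for when triaging a returned device: the manifest of the installed app can be diffed against the manifest of the genuine release of the same app. The script below is an added example, not code from the First Department or Citizen Lab report; it assumes both AndroidManifest.xml files have already been decoded from binary XML to text (for instance with apktool), and the two manifests embedded here are constructed samples that mirror the reported changes (ACCESS_BACKGROUND_LOCATION added, USE_FINGERPRINT removed).

```python
"""Diff the permissions declared by an installed app against a known-good
baseline of the same app, to flag a trojanized build. Added example; the
manifests below are constructed, not taken from the real Cube Call Recorder."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions whose sudden appearance in a call-recorder app is hard to
# justify and matches the surveillance capabilities described in the report.
HIGH_RISK = {
    "android.permission.ACCESS_BACKGROUND_LOCATION",  # tracking while not in use
    "android.permission.READ_SMS",                     # message interception
    "android.permission.BIND_ACCESSIBILITY_SERVICE",   # keystroke capture
    "android.permission.SYSTEM_ALERT_WINDOW",          # overlay / screen capture
}

# Constructed baseline: what a legitimate call recorder might declare.
BASELINE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.USE_FINGERPRINT"/>
</manifest>"""

# Constructed suspect: same app id, but background location added and
# the fingerprint permission dropped, as in the reported sample.
SUSPECT_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission"))
    return {n for n in names if n}


def diff_permissions(baseline_xml, suspect_xml):
    """Permissions present only in the suspect build, and only in the baseline."""
    base, sus = declared_permissions(baseline_xml), declared_permissions(suspect_xml)
    return {"added": sorted(sus - base), "removed": sorted(base - sus)}


def triage(baseline_xml, suspect_xml):
    """Added permissions that fall in the high-risk set: the ones to escalate."""
    return [p for p in diff_permissions(baseline_xml, suspect_xml)["added"] if p in HIGH_RISK]


if __name__ == "__main__":
    print(diff_permissions(BASELINE_MANIFEST, SUSPECT_MANIFEST))
    print("escalate:", triage(BASELINE_MANIFEST, SUSPECT_MANIFEST))
```

A non-empty `triage` result is a reason to send the device for full expert analysis, not proof on its own; a legitimate update can also add permissions, so compare against the exact version the user had installed.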
The report highlights, “The many significant similarities in operations, functionality, and geopolitical motivations lead us to assess that this is either an updated version of the Monokle spyware or new software created by reusing much of the same code.”
The report advises, “Any person whose device was confiscated and later returned by such services should assume that the device can no longer be trusted without detailed, expert analysis.”
For further details and protective guidance, visit the full report by the First Department and Citizen Lab.