A new report has exposed a low-tech but highly effective cyber-espionage campaign being waged against civil society in Belarus. A joint investigation by RESIDENT.NGO and the Reporters Without Borders (RSF) Digital Security Lab has uncovered “ResidentBat,” a previously unknown spyware family used by the Belarusian KGB to turn the smartphones of journalists and activists into 24/7 surveillance devices.
Unlike the infamous “zero-click” exploits sold by mercenary firms like NSO Group, this threat doesn’t rely on complex software vulnerabilities. Instead, it relies on the physical seizure of devices during police interrogations.
The investigation began in the third quarter of 2025, after a journalist was summoned for an interrogation by the Belarusian KGB. According to the report, the journalist was forced to hand over their phone and unlock it repeatedly in front of officers.
“The journalist told us: ‘In the room [the] KGB officer asked all the time to unlock the screen, thus I think he just saw the password [Ed. PIN] I entered'”.
Researchers believe that, after obtaining the PIN, officers took the device out of the room and installed the spyware by hand. This “hands-on” tactic represents a growing trend in surveillance where “physical access is used to install spyware” rather than remote attacks.
Once installed, ResidentBat acts as an all-seeing eye. The malware is packaged as an ordinary Android app but requests a staggering 38 permissions, granting it access to everything from SMS messages and phone calls to the device’s camera and microphone.
The core of its power lies in its abuse of Android’s Accessibility Service. Designed to help users with disabilities, this feature is weaponized by ResidentBat to read screen content from encrypted messengers like Signal, Telegram, and WhatsApp.
“With the option canRetrieveWindowContent activated within its accessibility service, ResidentBat can iterate over the objects in the window of all apps and, for instance, collect the content of all objects containing text”.
The spyware essentially captures the user’s digital life by recording the screen, logging keystrokes, and even accessing the clipboard.
The malware takes its name from the package names and components identified by researchers, specifically the prefix com.google.bat and the service com.google.bat.resident.ResidentService.
While the delivery method is crude, the software is persistent. It registers itself as a “Device Admin,” a high-privilege status that makes the app hard to remove (the admin privilege must be revoked before it can be uninstalled), lets it keep running in the background without suspension and, crucially, lets the attackers “wipe the device’s data” remotely if they fear discovery.
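The three footholds described above (a package under the com.google.bat prefix, an enabled accessibility service, and a registered device admin) can all be read off a handset over adb. The script below is an added triage example, not code from the RSF/RESIDENT.NGO report: it parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell dumpsys device_policy` and `adb shell pm list packages`, and flags anything matching the reported prefix or not on an analyst's allowlist. The sample outputs are constructed for this example; the package name com.google.bat.resident, the AdminReceiver class and the allowlists are placeholders, since the report only gives the prefix and the ResidentService name.

```python
"""Offline triage of adb output for ResidentBat-style footholds.

Added example (not the report's code). The three SAMPLE_* strings are
constructed to mimic real command output; every package except TalkBack
and Signal is invented for illustration.
"""
import re
from dataclasses import dataclass

# Indicator from the report: component prefix used by the spyware.
IOC_PACKAGE_PREFIXES = ("com.google.bat",)

# Hypothetical allowlists: services/admins the analyst has already verified
# on this device. Anything else is surfaced for manual review.
KNOWN_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
KNOWN_ADMINS = {"com.android.managedprovisioning"}


@dataclass
class Finding:
    severity: str   # "high" = matches IOC, "medium" = unreviewed capability
    component: str
    reason: str


def parse_accessibility_services(raw: str) -> list[str]:
    """'pkg/cls:pkg2/.Cls2' -> ['pkg/cls', 'pkg2/.Cls2']; 'null' or '' -> []."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [c for c in raw.split(":") if c]


def parse_device_admins(dump: str) -> list[str]:
    """Pull every ComponentInfo{pkg/cls} entry out of `dumpsys device_policy`."""
    return re.findall(r"ComponentInfo\{([^}]+)\}", dump)


def parse_packages(listing: str) -> list[str]:
    """'package:com.foo' lines from `pm list packages` -> ['com.foo']."""
    return [line.split(":", 1)[1].strip()
            for line in listing.splitlines() if line.startswith("package:")]


def package_of(component: str) -> str:
    """Component 'pkg/cls' (or shorthand 'pkg/.Cls') -> 'pkg'."""
    return component.split("/", 1)[0]


def triage(acc_raw: str, dp_dump: str, pkg_listing: str) -> list[Finding]:
    findings: list[Finding] = []
    for pkg in parse_packages(pkg_listing):
        if pkg.startswith(IOC_PACKAGE_PREFIXES):
            findings.append(Finding("high", pkg, "package matches ResidentBat IOC prefix"))
    for comp in parse_accessibility_services(acc_raw):
        pkg = package_of(comp)
        if pkg.startswith(IOC_PACKAGE_PREFIXES):
            findings.append(Finding("high", comp, "accessibility service from IOC package"))
        elif pkg not in KNOWN_ACCESSIBILITY:
            findings.append(Finding("medium", comp,
                                    "unreviewed accessibility service (can read window content)"))
    for comp in parse_device_admins(dp_dump):
        pkg = package_of(comp)
        if pkg.startswith(IOC_PACKAGE_PREFIXES):
            findings.append(Finding("high", comp, "device admin from IOC package (can wipe device)"))
        elif pkg not in KNOWN_ADMINS:
            findings.append(Finding("medium", comp, "unreviewed device admin"))
    return findings


# --- constructed sample output (not captured from a real device) -----------
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.keyboard/.ImeAccessibility:"            # invented third-party service
    "com.google.bat.resident/com.google.bat.resident.ResidentService"
)
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.google.bat.resident/com.google.bat.resident.AdminReceiver}:
      uid=10342
      policies:
        wipe-data
"""
SAMPLE_PACKAGES = """package:com.android.chrome
package:com.google.android.marvin.talkback
package:com.example.keyboard
package:com.google.bat.resident
package:org.thoughtcrime.securesms
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_POLICY, SAMPLE_PACKAGES):
        print(f"[{f.severity.upper():6}] {f.component}: {f.reason}")
```

A "medium" hit is a lead, not a verdict: an app under the com.google.* namespace that is not signed by Google is itself suspicious, so pull the APK with `adb pull` and compare its signer with `apksigner verify --print-certs` before deciding.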
Analysis of digital certificates suggests this operation is not new. “We can conclude that the ResidentBat operation by the KGB has been running since at least March 2021”.
The report cautions that standard antivirus tools may not be enough, although in this case the journalist was alerted by the phone’s built-in antivirus after the device was returned.
Experts advise high-risk individuals to switch from simple PINs to alphanumeric passwords, which are harder to shoulder-surf during an interrogation. Additionally, using a hardened operating system such as GrapheneOS, which supports “PIN-scrambling” and duress passwords that wipe the device instead of unlocking it, can offer a last line of defense.
As the report concludes: “This previously unknown spyware, which we detected, is used by the Belarusian KGB to track and surveil targets”.