Report: Russian authorities seized phone from detainee, infected it with spyware
Digital forensic researchers released a report on Thursday revealing that a phone Russian police seized from a citizen accused of sending money to Ukraine had been infected with spyware while he was detained.
The phone belonging to Kirill Parubets, a Russian programmer who spent more than two weeks in custody, was apparently infected with spyware that the researchers say allowed authorities to track his device location, read encrypted messages and record calls and keystrokes.
The spyware is similar to the so-called Monokle family of spyware, according to researchers from The Citizen Lab, a University of Toronto-based institute which has discovered and confirmed scores of civil society spyware infections in recent years.
The Citizen Lab analysis found that the phone was likely infected with a “trojanized application,” Cube Call Recorder. The app is real and available in the Google Play Store, but the version Russian authorities apparently installed on Parubets’ phone had spyware embedded, the researchers said in a blog post.
The Citizen Lab’s findings were first reported by CyberScoop.
The spyware found on Parubets’ phone appears to use much of the same code as a sample of Monokle found in 2019 by Lookout Mobile Security, which had attributed it to a Russian government contractor, the blog post said.
The trojanized app requested permissions that the genuine app does not ask for, the blog post said: access to location data, reading and sending SMS messages, recording the screen and video, and answering phone calls.
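The permission delta described above is also a practical triage check for anyone who gets a device back from a search or detention: dump the installed package's requested permissions, compare them with what the legitimate app is known to request, and compare the signing certificate of the installed APK with that of a known-good copy. The script below is an added example, not code from The Citizen Lab or First Department. The `dumpsys` excerpt, the package name `com.example.callrecorder`, the baseline permission set and the certificate digests are all constructed placeholders; on a real device the inputs come from `adb shell dumpsys package <pkg>` and `apksigner verify --print-certs <apk>` (after `adb shell pm path <pkg>` and `adb pull`).

```python
#!/usr/bin/env python3
"""Post-custody triage of one Android app: permission creep and signer mismatch.

Added example. Inputs are constructed to look like `adb shell dumpsys package <pkg>`
and `apksigner verify --print-certs` output; they are not captured from a real device.
"""
import re
from typing import Dict, Optional, Set

# Constructed excerpt in the shape of `adb shell dumpsys package <pkg>` output.
# Package name and permission list are hypothetical.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.callrecorder] (3f2a9c1):
    versionCode=120 minSdk=26 targetSdk=33
    versionName=1.2.0
    requested permissions:
      android.permission.RECORD_AUDIO
      android.permission.READ_PHONE_STATE
      android.permission.FOREGROUND_SERVICE
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_SMS
      android.permission.SEND_SMS
      android.permission.CAMERA
      android.permission.ANSWER_PHONE_CALLS
    install permissions:
      android.permission.FOREGROUND_SERVICE: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true
        android.permission.READ_SMS: granted=true
"""

# Hypothetical baseline: what the genuine app requests. In practice take this from a
# known-good APK of the same version, not from the suspect device.
BASELINE_PERMISSIONS: Set[str] = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
    "android.permission.FOREGROUND_SERVICE",
}

# Capabilities the report attributes to the implant; extras in this set are the signal.
HIGH_RISK: Dict[str, str] = {
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.CAMERA": "record video",
    "android.permission.ANSWER_PHONE_CALLS": "answer calls",
}

# Constructed placeholder digests, as printed by `apksigner verify --print-certs`
# ("Signer #1 certificate SHA-256 digest: ..."). Not real certificate hashes.
EXPECTED_DIGEST = "2b" * 32          # digest of the known-good Play Store build
OBSERVED_APKSIGNER_OUT = (
    "Signer #1 certificate DN: CN=Unknown\n"
    "Signer #1 certificate SHA-256 digest: " + "7e" * 32 + "\n"
)


def parse_permission_block(dumpsys: str, header: str) -> Set[str]:
    """Return the permission names listed under `<header>:` in dumpsys output.

    Works for 'requested permissions', 'install permissions' and 'runtime permissions';
    trailing ': granted=...' annotations are stripped. The block ends at the first
    non-blank line that is not indented deeper than the header itself.
    """
    perms: Set[str] = set()
    in_block, header_indent = False, 0
    for line in dumpsys.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if not in_block:
            if stripped == f"{header}:":
                in_block, header_indent = True, indent
            continue
        if stripped and indent <= header_indent:
            break
        if stripped:
            perms.add(stripped.split(":", 1)[0])
    return perms


def _norm_digest(d: str) -> str:
    """Lowercase hex with separators removed, so keytool and apksigner output compare."""
    return re.sub(r"[^0-9a-f]", "", d.lower())


def parse_apksigner_sha256(apksigner_out: str) -> Optional[str]:
    m = re.search(r"certificate SHA-256 digest:\s*([0-9a-fA-F:]+)", apksigner_out)
    return _norm_digest(m.group(1)) if m else None


def triage(dumpsys: str, baseline: Set[str], apksigner_out: str, expected_digest: str) -> dict:
    """Flag permission creep beyond the baseline and a signer that differs from the known-good build."""
    requested = parse_permission_block(dumpsys, "requested permissions")
    extra = requested - baseline
    observed = parse_apksigner_sha256(apksigner_out)
    signer_mismatch = observed is None or observed != _norm_digest(expected_digest)
    high_risk_extras = {p: HIGH_RISK[p] for p in sorted(extra) if p in HIGH_RISK}
    return {
        "extra_permissions": sorted(extra),
        "high_risk_extras": high_risk_extras,
        "signer_mismatch": signer_mismatch,
        "suspicious": bool(high_risk_extras) or signer_mismatch,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DUMPSYS, BASELINE_PERMISSIONS, OBSERVED_APKSIGNER_OUT, EXPECTED_DIGEST)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The signer check is the stronger of the two: a repackaged APK cannot carry the original developer's signature, so a digest that differs from the Play Store build is conclusive on its own, while a permission delta can also come from a legitimate version bump and should be read against the same version of the genuine app.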
After Parubets was released from custody he noticed unusual activity on his phone, including a notification of a kind his device does not normally display.
Parubets says before the police seized his phone he and his spouse were beaten by Russian authorities and he was pressured to become an informant or face life in prison.
He became even more afraid once he realized Russian police could see everything in his phone.
“Every day we lived in constant stress,” he told Recorded Future News in an interview. “I know with my devices impacted people could know everything about me.”
He is now living in exile for safety reasons, but says he was terrified when he was contending with the incident while still in Russia.
“They do almost everything they want because the possibilities of the Russian special service are unlimited,” he said. “I knew information about their methods of work, about violence, tortures, threats and so on. Mentally, it was really difficult.”
The Citizen Lab conducted the technical investigation after First Department — a Russian legal assistance group Parubets sought help from — discovered the malicious app, which Parubets had not installed.
Updated 12/6 with additional details from Parubets.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.