One programmer said Russia's Federal Security Service (FSB) installed spyware on his Android phone after he was detained in Moscow earlier this year. Security researchers confirmed that spyware was installed on his phone, presumably when authorities physically accessed his phone and forced him to give up his passcode.
For programmer Kirill Parvets, it was a horrifying and traumatic ordeal. However, thanks to his computer expertise and vigilance, his story suggests that rather than using technologically advanced remote hacking attacks, Russian authorities used a cruder approach to It provides valuable first-hand accounts of deploying spyware on one person.
Parvets is a Russian systems analyst who identifies as of Ukrainian descent, calls himself an “opposition political activist,” and has lived in Ukraine since 2020. Parvets said he volunteered to provide economic and humanitarian aid to Ukrainians after Russia's full-scale invasion of Ukraine. 2022.
Parvets said he and his wife returned to Russia to complete paperwork in an attempt to obtain Moldovan citizenship that would allow them to remain in Ukraine in 2023.
On April 18, 2024, at around 6:30 a.m., six FSB agents armed with machine guns burst into the Parvets' apartment in Moscow. “They threw us on the floor, dragged my wife into a small room, and I was lying in the hallway. They wouldn't let us change our clothes,” Parvetz said in a document shared with TechCrunch. According to his written recollection of the events, he says:
Investigators asked him about sending money to Ukrainians and about a friend of Mr. Parvets, whom he nicknamed Ivan Ivanov. (Parvetz said he changed his name to protect Ivan.)
“What's your password?” one of the agents asked Parvetz when she received her Android phone, according to a recollection of the incident. Parvetz said he gave the password after being threatened.
On the same day, Parvetz announced that he and his wife had been arrested and sentenced to 15 days of administrative arrest. Parvets said he was assaulted while in custody, and that FSB agents visited him and asked him about his volunteer work and donations in Ukraine, as well as donations he had made in the name of his friend Ivanov. Rebellion. Parvets said FSB officials then asked him to spy on Ivanov, who then contacted Ukrainian special services.
“They threatened me and said that if I did not support them, they would send me and my wife to life imprisonment,” Parvetz said.
That's why Parvetz said he decided to tell the agents he agreed to help, even though he didn't actually intend to do so.
Later, on May 3, Parvetz said he and his wife were released and went to retrieve their belongings, including an Android phone. Parvetz said he noticed a strange notification saying “Arm Cortex vx3 synchronization” shortly after, then it disappeared and he restarted his phone.
At that point, Mr. Parvetz, who is interested in cybersecurity, said that when he checked his phone, he discovered a suspicious app with several permissions that allowed access to a large amount of personal data on the phone. said. At that point, Parvetz said he contacted the First Department, a legal aid organization. The organization then contacted Citizen Lab, a security research and internet monitoring agency at the University of Toronto, to analyze the suspicious apps.
The app was indeed spyware, according to a new Citizen Lab report published Thursday by Cooper Quintin, Rebecca Brown, and John Scott Railton.
Researchers said the suspicious app identified by Parubets appears to be a “trojanized version of the genuine Cube Call Recorder application,” a legitimate call recording app.
According to the report, the fake app can access your location, read and send text messages, install other applications, read your calendar, take screenshots and record from your video camera, display a list of other applications, Answer calls and view user account details — all privileges not found in the actual Cube Call Recorder.
The developer of Cube Call Recorder did not respond to a request for comment.
Technical experts at First Division and Citizen Lab believe that the spyware used against Parubets is a new version of the malware called Monokle, based on several similarities compared to previous versions of the malware. I'm thinking. Monokle was analyzed by cybersecurity firm Lookout in 2019. Lookout concluded at the time that the Monocle was developed by Special Technology Center, a St. Petersburg company that has been sanctioned by the U.S. government and other countries for providing technical assistance to Russian government espionage efforts. .
The Russian embassy in Washington, D.C., and the Russian government press office did not respond to requests for comment. The same was true for authorized special technology centers.
Quintin, one of the researchers who analyzed the malware, said that judging by the spyware's features found on Parvetz's phone and the previous versions analyzed by Lookout, “this malware has been professionally created over many years. It is what was done.”
Quintin said Parvet's story is a reminder that spyware attacks don't have to go as far as, say, those created by NSO Group.
“People spend a lot of time thinking about zero-click exploits and zero-day attacks, but it's just as likely that someone with physical access to your phone will force you to unlock it with violence or threats of violence. “It's easy to forget that it's expensive,” Quintin told TechCrunch.
“A person whose device is confiscated by a security service should assume that the device is no longer trustworthy,” Quintin et al. conclude in their report.
Dmitry Zail Bek, head of the First Department's human rights project, called out the Russian government and warned that what happened to Parvets could happen to others.
“We expected that something similar to the Kirill Parvets incident might begin to happen simply because it is completely in line with the logic of Russian special forces. The scale of the repression is truly frightening. “The big problem is that there is no longer a 'red line' of what is acceptable,” Zaierbeck told TechCrunch. “In addition to Ukrainian nationals, Western nationals visiting Russia also belong to a particularly high-risk group. They are attractive targets for recruitment and may even be imprisoned as hostages.”
Parvets said he left Russia with his wife after his release. Ironically, leaving his spyware-laden cell phone behind in Moscow may have helped him escape.
“I had to pretend I was still in Moscow,” Parvets said. “To win someday”