A programmer said the Russian Federal Security Service (FSB) installed spyware on his Android phone after he was detained in Moscow earlier this year. Security researchers confirmed that his phone had spyware installed, likely when the authorities had physical access to his phone and had forced him to give up his passcode.
For the programmer Kirill Parubets, it was a terrifying and traumatic ordeal. But thanks to his computer expertise and vigilance, his story offers a rare first-hand account of Russian authorities deploying spyware on one of its citizens — not by using a technically advanced remote hacking attack, but with a more crude approach.
Parubets is a Russian systems analyst who identifies as having Ukrainian heritage, calls himself “an opposition political activist,” and has lived in Ukraine since 2020. Parubets says he has volunteered and given financial and humanitarian aid to Ukrainians after Russia’s full-scale invasion in 2022.
Parubets said he and his wife travelled back to Russia in 2023 to deal with some paperwork, as they were trying to get Moldovan citizenship, which would have allowed them to remain in Ukraine.
On April 18, 2024, six FSB agents armed with machine guns burst into Parubets and his wife’s apartment in Moscow at around 6:30 in the morning. “They threw us to the floor, they dragged my wife into a small room, I was lying in the hallway. They didn’t let us get dressed,” according to his recollection of the events, which Parubets wrote in a document he shared with TechCrunch.
The agents asked him about transfers of money to Ukrainians, as well as about a friend of Parubets, whom he refers to by the nickname Ivan Ivanov. (Parubets says he changed Ivan’s name to protect him.)
“What’s your f—king password?” one of the agents asked Parubets when they picked up his Android phone, according to his recollection of the events. Intimidated, Parubets said he gave away its password.
On the same day, Parubets said he and his wife were arrested and sentenced to 15 days of administrative arrest. While in detainment, where he said he was also beaten, Parubets said FSB officers visited him and asked about his volunteer activities and donations in Ukraine, as well as donations he made in the name of his friend Ivanov, which they claimed could be classified as treason. Then the FSB officers, according to Parubets, asked him to spy on Ivanov, who they said had communicated with Ukraine’s Special Services.
“They threatened me and said that they would put me and my wife in prison for life if I did not provide them with assistance,” said Parubets.
That’s why Parubets said he decided to tell the agents he would agree to help them, even though he was not actually planning to do it.
Then, on May 3, Parubets said he and his wife were released and he went to get their belongings back, including his Android phone. Parubets said that shortly afterward he noticed a strange notification reading “Arm cortex vx3 synchronization,” which then disappeared, after which the phone rebooted.
At that point Parubets, who has an interest in cybersecurity, said he inspected his phone and found a suspicious app that had been granted several permissions giving it access to a trove of personal data on the phone. Parubets said he then reached out to First Department, a legal assistance organization. The organization in turn reached out to Citizen Lab, a security research and internet watchdog at the University of Toronto, to analyze the suspicious app.
According to a new Citizen Lab report out Thursday, authored by Cooper Quintin, Rebekah Brown, and John Scott-Railton, the app was indeed spyware.
The researchers said that the suspicious app identified by Parubets appeared to be “a trojanized version of the genuine Cube Call Recorder application,” a legitimate call recorder app.
According to the report, the fake app was able to access location information, read and send text messages, install other applications, read the calendar, take screenshots and record from the video camera, see a list of other applications, answer phone calls, and view user account details — all permissions that the real Cube Call Recorder does not have.
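The permission mismatch the report describes is something a defender can check for directly. The following is an added example (not code from Citizen Lab, First Department, or the Cube Call Recorder project) that parses the runtime-permission section of `adb shell dumpsys package` output and flags any granted permission outside a category baseline; the dumpsys excerpt, the line format it assumes, and the call-recorder baseline are all constructed here, not taken from the device in the article or from the real app's manifest.

```python
"""Flag an installed Android app whose granted permissions exceed the
baseline expected for its category, using sample `dumpsys package` output."""
import re

# Constructed excerpt in the shape of `adb shell dumpsys package <pkg>`.
# The granted set mirrors the capabilities the report attributes to the
# trojanized app; it is NOT real output from the device in the article.
SAMPLE_DUMPSYS = """\
Package [com.example.callrecorder] (1a2b3c):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALENDAR: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.ANSWER_PHONE_CALLS: granted=true, flags=[ USER_SET ]
      android.permission.GET_ACCOUNTS: granted=true, flags=[ USER_SET ]
      android.permission.WRITE_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET ]
"""

# Assumed baseline for a call-recorder app; not taken from any real manifest.
CALL_RECORDER_BASELINE = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Assumed line shape: "<permission>: granted=<true|false>, flags=[ ... ]"
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def granted_permissions(dumpsys_text: str) -> set[str]:
    """Return only the runtime permissions marked granted=true."""
    return {
        m.group(1)
        for m in (PERM_LINE.match(line) for line in dumpsys_text.splitlines())
        if m and m.group(2) == "true"
    }


def excess_permissions(dumpsys_text: str, baseline: set[str]) -> set[str]:
    """Granted permissions outside the baseline: the set to review by hand."""
    return granted_permissions(dumpsys_text) - baseline


if __name__ == "__main__":
    for perm in sorted(excess_permissions(SAMPLE_DUMPSYS, CALL_RECORDER_BASELINE)):
        print("REVIEW:", perm)
```

A non-empty result is a prompt for manual review, not proof of compromise; the report's guidance that a confiscated device should no longer be trusted still applies regardless of what this check finds.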
The developers of Cube Call Recorder did not respond to a request for comment.
Technical experts at First Department, as well as Citizen Lab, believe the spyware is a new version of a malware called Monokle, based on several similarities between the spyware used against Parubets and a previous version of the malware. Monokle was analyzed in 2019 by cybersecurity firm Lookout. At the time, Lookout concluded that Monokle was developed by Special Technology Centre, a St. Petersburg company that has been sanctioned by the U.S. government and other countries for providing technological assistance to the Russian government in its spying activities.
The Russian Embassy in Washington DC, as well as the press office of the Russian government, did not respond to a request for comment. Neither did the sanctioned Special Technology Centre.
Judging from the functionality of the spyware found on Parubets’ phone, as well as that of the previous version analyzed by Lookout, Quintin, one of the researchers who analyzed the malware, said that “this malware has been professionally crafted over a number of years.”
Quintin said that Parubets’ story is a reminder that spyware attacks don’t have to be performed from afar, like those carried out with spyware made by NSO Group, for example.
“People spend a lot of time thinking about zero-click exploits and zero-day attacks but tend to forget that someone with physical access to your phone who can compel you to unlock it with violence or the threat of violence is just as likely of a risk,” Quintin told TechCrunch.
In the report, Quintin and his colleagues concluded that “any person whose device was confiscated by a security service should assume that the device can no longer be trusted.”
Dmitry Zair-Bek, the head of the First Department human rights project, called out the Russian government and warned that what happened to Parubets may happen to others.
“We have expected that something similar to the case of Kirill Parubets might begin to happen just because this perfectly aligns with the logic of Russian special services. The scale of the repression is truly terrifying, and a major issue is that there are no longer any ‘red lines’ of what is permissible,” Zair-Bek told TechCrunch. “In addition to Ukrainians, citizens of Western countries visiting Russia are in a particularly high-risk group. They are a tempting target for recruitment and potential imprisonment as hostages.”
After being released, Parubets said he and his wife have left Russia. In an ironic twist, his spyware-ridden phone may have helped him escape, as he left it back in Moscow.
“I needed to pretend I am still in Moscow,” Parubets said. “To win some time.”