A Russian programmer suspected of donating money to Ukraine had his personal Android device covertly infected with spyware by Russia's Federal Security Service (FSB) after he was detained earlier this year.
The findings come from a joint investigation by [partner organization] and the University of Toronto's Citizen Lab.
According to the report, the spyware installed on his device lets its operator track the device's location, record phone calls, log keystrokes, and read messages from encrypted messaging apps, among other capabilities.
In May 2024, Kirill Parubets was released after 15 days of administrative detention by Russian authorities, during which his phone, an Oukitel WP7 running Android 10, was confiscated.
While in custody he was coerced into surrendering the device's passcode and pressured to become an FSB informant, under threat of life imprisonment if he refused.
After agreeing to cooperate purely as a means of escape, he had the device returned to him at the FSB's Lubyanka headquarters. On inspecting the phone he noticed unusual behaviour, including a notification reading "ARM Cortex-VX3 Synchronization".
A detailed examination of the device confirmed that it had been deliberately infected with a trojanized version of a legitimate app, rather than suffering from a malfunction. The legitimate app uses the package name "com.catalinagroup.callrecorder", while the trojanized copy uses "com.cortex.arm.vx3".
The malicious app requests excessive permissions that allow it to collect a wide range of data, including SMS messages and calendar entries, to install additional software, and to answer phone calls. It also accesses the device's location, records phone calls, and reads the contact list, mirroring the legitimate app's core functionality.
"Many of the malicious functions of the application are hidden in an encrypted second stage of the spyware," the Citizen Lab notes. "After the spyware is installed on the phone and activated, the second-stage payload is decrypted and loaded into memory."
The second stage adds the ability to log keystrokes, extract sensitive data and stored passwords, monitor conversations across several messaging platforms, inject JavaScript code, execute shell commands, obtain the device unlock passcode, and add a new device administrator.
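The indicators the report gives above (the trojanized package name, the over-broad permission set, and the addition of a device administrator) are all visible in standard Android package inventory output. The following is an added example, not Citizen Lab's or iVerify's code, of a small offline triage script that checks such output for those indicators. The sample inputs are constructed here in the shape of `adb shell pm list packages`, `adb shell dumpsys package`, and `adb shell dumpsys device_policy` output; the exact `dumpsys` layout varies by Android version, so the section labels the parser looks for ("requested permissions:", "ComponentInfo{pkg/cls}") and the five-permission threshold are assumptions you should adjust to the device you are examining.

```python
"""Offline triage of Android package inventory output for the indicators
described in the Citizen Lab report: the trojanized package name
com.cortex.arm.vx3, an over-privileged permission set, and an unexpected
device administrator. Added example, not the report's own tooling.
On a real device, feed it the captured adb output instead of the samples."""
import re

# Package names stated in the report: the legitimate app and its trojanized copy.
LEGIT_PACKAGE = "com.catalinagroup.callrecorder"
IOC_PACKAGES = {"com.cortex.arm.vx3"}

# Permissions that together match the capabilities described: SMS, calendar,
# installing packages, answering calls, location, call recording, contacts.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CALENDAR",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.ANSWER_PHONE_CALLS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
}
RISK_THRESHOLD = 5  # assumption: five or more of the set is flagged as excessive


def parse_package_list(text):
    """Parse `pm list packages` output ("package:<name>" per line)."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.strip().startswith("package:")]


def parse_requested_permissions(dumpsys_text):
    """Return {package: set(permissions)} from `dumpsys package` output.

    Reads the "requested permissions:" block under each "Package [name]" header
    until the next header or the next section label (a line ending in ':')."""
    result, current, in_block = {}, None, False
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            current, in_block = m.group(1), False
            result.setdefault(current, set())
            continue
        if line == "requested permissions:":
            in_block = True
            continue
        if in_block and line.endswith(":"):   # e.g. "install permissions:"
            in_block = False
        elif in_block and current and line.startswith("android.permission."):
            result[current].add(line)
    return result


def parse_device_admins(device_policy_text):
    """Extract package names from ComponentInfo{pkg/cls} entries in dumpsys device_policy."""
    return set(re.findall(r"ComponentInfo\{([\w.]+)/", device_policy_text))


def triage(packages, perms_by_pkg, admin_pkgs, expected_admins=frozenset()):
    """Return a list of (package, reason) findings; expected_admins is an allowlist
    of device administrators the device owner knows about (e.g. an MDM agent)."""
    findings = []
    for pkg in packages:
        if pkg in IOC_PACKAGES:
            findings.append((pkg, "matches package name from the report"))
        risky = HIGH_RISK_PERMISSIONS & perms_by_pkg.get(pkg, set())
        if len(risky) >= RISK_THRESHOLD:
            findings.append((pkg, "requests %d high-risk permissions" % len(risky)))
        if pkg in admin_pkgs and pkg not in expected_admins:
            findings.append((pkg, "registered as device administrator"))
    return findings


# Constructed sample output (not captured from a real device).
SAMPLE_PACKAGES = """package:com.android.settings
package:com.catalinagroup.callrecorder
package:com.cortex.arm.vx3
"""
SAMPLE_DUMPSYS = """Packages:
  Package [com.catalinagroup.callrecorder] (1a2b3c):
    userId=10101
    requested permissions:
      android.permission.RECORD_AUDIO
      android.permission.READ_CONTACTS
      android.permission.READ_PHONE_STATE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.cortex.arm.vx3] (4d5e6f):
    userId=10102
    requested permissions:
      android.permission.READ_SMS
      android.permission.READ_CALENDAR
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.ANSWER_PHONE_CALLS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
"""
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.cortex.arm.vx3/com.cortex.arm.vx3.AdminReceiver}:
      uid=10102
"""


def run_sample():
    """Run the triage over the constructed samples and return the findings."""
    pkgs = parse_package_list(SAMPLE_PACKAGES)
    perms = parse_requested_permissions(SAMPLE_DUMPSYS)
    admins = parse_device_admins(SAMPLE_DEVICE_POLICY)
    return triage(pkgs, perms, admins)


if __name__ == "__main__":
    for pkg, reason in run_sample():
        print("%-35s %s" % (pkg, reason))
```

Matching on the package name alone is the weakest of the three checks, since a later build can simply be renamed; the permission and device-administrator checks catch the behaviour the report describes regardless of the name, which is why the script reports each reason separately rather than a single verdict.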
The spyware overlaps substantially with Monokle, an Android malware family documented by Lookout in 2019, which suggests it is either an updated version of Monokle or was built by reusing Monokle's codebase. Several command-and-control (C2) commands are identical between the two strains.
The Citizen Lab also observed that the malware's source code contains references to iOS, suggesting that an iOS variant of the spyware may exist.
"Loss of physical control of a device to a hostile security service such as the FSB is a serious risk of compromise, and that risk can persist beyond the period during which the service has custody of the device," the report says.
Separately, iVerify disclosed that it has identified seven new spyware infections on mobile devices belonging to journalists, government officials, and business leaders, on both iOS and Android. The mobile security firm tracks NSO Group under the name RainbowRonin.
Security researcher Matthias Frielingsdorf described seven Pegasus infections: one in late 2023 on iOS 16.6, another potential infection in November 2022 on iOS 15, and five older infections from 2021 and 2022 on earlier versions of iOS 14 and 15. "Each of these devices quietly monitored and transmitted sensitive data without their owners' knowledge or consent."