# Full Report
A Russian programmer accused of donating money to Ukraine had his Android device secretly implanted with spyware by the Federal Security Service (FSB) after he was detained earlier this year. The findings come as part of a collaborative investigation by First Department and the University of Toronto's Citizen Lab. "The spyware placed on his device allows the operator to track a target device's
# Analysis Summary
# Threat Actor: Federal Security Service (FSB) State Actor
## Attribution & Identity
- **Attribution:** Attributed to the Federal Security Service (FSB) of Russia.
- **Known Aliases and Associations:** Associated with state-sponsored surveillance activities targeting individuals critical of the regime. The operation was discovered through collaboration between First Department and the University of Toronto's Citizen Lab.
## Activity Summary
In May 2024, the FSB detained a Russian programmer, Kirill Parubets, who was accused of supporting Ukraine through financial donations. During a 15-day administrative detention period, his Oukitel WP7 Android phone was confiscated. Following intense coercion (physical beating and threats of life imprisonment), Parubets agreed to work for the FSB as an informant. After his release, the FSB returned the device, which had been implanted with spyware disguised as a legitimate application.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Physical seizure of the device during detention, followed by trojanization of an application.
- **Supply Chain Compromise (Trojanization):** The legitimate "Cube Call Recorder" application (package name `com.catalinagroup.callrecorder`) was replaced with, or modified into, a rogue counterpart carrying the package name `com.cortex.arm.vx3`.
- **Persistence/Execution:** The trojanized app was installed on the victim's Android 10 device while it was in FSB custody, so it was already present when the device was returned.
- **Data Exfiltration/Espionage Capabilities:** The spyware is capable of:
  - Tracking device location.
  - Recording phone calls.
  - Recording keystrokes.
  - Reading messages from encrypted messaging apps.
  - Accessing SMS messages and calendar data.
  - Installing additional packages.
  - Answering phone calls covertly.
  - Reading contact lists.
## Targeting
- **Sectors:** Individuals perceived as political dissidents or opponents of the Russian government's actions (e.g., supporting Ukraine).
- **Geography:** Russia (the victim was detained, and his device compromised, in Russia).
- **Victims:** Specifically identified victim: Russian programmer Kirill Parubets.
## Tools & Infrastructure
- **Malware Families Used:** A custom spyware/trojan variant that mimics the functionality of "Cube Call Recorder." The distinctive package name associated with the malicious payload is `com.cortex.arm.vx3`. The application occasionally displayed a notification: "Arm cortex vx3 synchronization."
- **Infrastructure (C2, domains, IPs):** Not detailed in the summary. The operation was coordinated by the FSB, which returned the device from its Lubyanka headquarters.
## Implications
This case demonstrates the FSB's direct, coercive methods for compromising personal devices after detention. It highlights the use of **physical access and forced compromise** against individuals deemed politically sensitive, leveraging trojanized popular applications to maintain long-term, comprehensive surveillance capability post-release. This poses a significant risk to political activists, journalists, and dissidents operating within or targeted by the Russian state apparatus.
## Mitigations
- Avoid using devices confiscated by state security services, even if returned.
- Employ strong device encryption and utilize physical security measures during detention where possible.
- Disable installation from unknown sources on Android devices.
- Be highly suspicious of applications requesting excessive or unusual permissions, especially if they impersonate legitimate, established software.
- Regularly audit installed application package names: a legitimate app keeps the same package name across official updates, so an unexpected variant (here, `com.cortex.arm.vx3` standing in for `com.catalinagroup.callrecorder`) is a red flag.
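As an added defender-side example (not code from the report, First Department or Citizen Lab), the script below triages a third-party package inventory pulled with `adb shell pm list packages -3 -i`. It flags the rogue package name the report gives, any package not installed through Google Play, and the absence of the legitimate Cube Call Recorder package, which the report says was replaced. The sample inventory is constructed; the trusted-installer set and the `Finding` record are assumptions for illustration.

```python
"""Triage a third-party package inventory from an Android device.

Input: the text printed by `adb shell pm list packages -3 -i` (one line per
third-party package, with the installer that put it on the device). The
SAMPLE_OUTPUT below is constructed for this example; only the package names
com.catalinagroup.callrecorder and com.cortex.arm.vx3 come from the report.
"""
import re
from dataclasses import dataclass

# Rogue package name given in the report.
IOC_PACKAGES = {"com.cortex.arm.vx3"}

# Legitimate app package name given in the report; the rogue app impersonated it.
EXPECTED_PACKAGES = {"Cube Call Recorder": "com.catalinagroup.callrecorder"}

# Installers treated as store-mediated (assumption for this example).
# com.android.vending is Google Play. pm prints "null" when no installer was
# recorded, which is typical for sideloaded APKs; adb installs usually record
# com.android.shell.
TRUSTED_INSTALLERS = {"com.android.vending"}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample inventory: the legitimate recorder is gone and the
# rogue package is present with no recorded installer.
SAMPLE_OUTPUT = """\
package:org.telegram.messenger  installer=com.android.vending
package:com.cortex.arm.vx3  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.sideloaded  installer=null
"""


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_list(output: str) -> dict[str, str]:
    """Map package name -> installer for every well-formed line; skip the rest."""
    inventory: dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            inventory[m["pkg"]] = m["installer"]
    return inventory


def triage(inventory: dict[str, str]) -> list[Finding]:
    """Flag known rogue packages, untrusted installers, and missing expected apps."""
    findings: list[Finding] = []
    for pkg, installer in inventory.items():
        if pkg in IOC_PACKAGES:
            findings.append(Finding(pkg, installer,
                                    "package name matches the rogue app from the report"))
        elif installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, installer,
                                    "not installed through Google Play"))
    for label, expected in EXPECTED_PACKAGES.items():
        if expected not in inventory:
            findings.append(Finding(expected, "-",
                                    f"{label} package absent; check whether another package replaced it"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_pm_list(SAMPLE_OUTPUT)):
        print(f"{f.package:40} installer={f.installer:22} {f.reason}")
```

On a real device, redirect the `adb shell pm list packages -3 -i` output to a file and pass its contents to `parse_pm_list`. Installer metadata is recorded at install time and can be absent or misleading, so treat a clean result as a triage aid only; a device returned after seizure should still be regarded as untrusted, as the first mitigation above says.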