Russian authorities installed spyware on the phone of Kirill Parubets, a systems analyst with Ukrainian roots, after he was detained in Moscow in April 2024. According to Parubets, the spyware was most likely installed after he was forced to give up his phone password under threat of violence. The case gives a rare insight into the practices of Russian intelligence agencies, which do not rely on the most high-tech methods to spy on citizens, but rather resort to simple yet effective ones.

How it all began
Kirill Parubets is a Russian systems analyst who identifies as Ukrainian. He has lived in Kiev since 2020, actively supporting Ukraine in its fight against Russian aggression with both financial and humanitarian aid. In 2023, he and his wife decided to return to Russia to resolve issues related to obtaining Moldovan citizenship, which they needed in order to remain in Ukraine. Their return to Russia, however, turned into a tragedy for them.

On April 18, 2024, at 6:30 a.m., six armed FSB officers burst into their Moscow apartment. According to Parubets, the security forces beat him and his wife, separated them, and began interrogating them. They asked about money transfers to Ukraine and about his friend Ivanov, who, as it turned out, was also of interest to the special services. During the interrogation, Parubets was ordered to hand over the password to his phone. Under threat of violence, he gave up his passcode.

Transfer to prison and recruitment
Soon afterwards, Kirill and his wife were detained and sentenced to 15 days of administrative arrest. During his detention, Parubets experienced not only physical violence but also psychological pressure, as FSB officers threatened the couple with prison time for helping Ukraine. The security services demanded that Parubets cooperate by providing information about his friend Ivanov, who, according to the FSB, was in contact with the Ukrainian security services. The threats continued, and to protect himself and his wife, Kirill agreed to cooperate with the FSB, although in reality he had no intention of fulfilling their demands.

Infected phone
After Kirill and his wife were released, they went to collect their belongings from the confiscated apartment, including Kirill's phone. He soon noticed strange activity on the device: an unfamiliar notification appeared with the text "Arm cortex vx3 synchronization", then disappeared, after which the phone rebooted.

Kirill, who has experience in information security, immediately began examining his device and discovered a suspicious application with access to a large amount of personal data on his phone. He contacted the human rights organization First Department, which in turn asked Citizen Lab, a research group specializing in security, for help.

Citizen Lab Research
Citizen Lab experts confirmed that the discovered app was spyware. It was a modified version of Cube Call Recorder, an ordinary call-recording app that, in Kirill's case, carried a number of additional capabilities. It could obtain location information, read and send text messages, record video and take screenshots, install other apps, and monitor the user's actions.
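The capability list above (location, SMS, camera/screen capture, installing other apps, monitoring the user) maps onto a recognisable set of Android permissions, and a first triage step after a device has been out of one's hands is to list installed packages and flag any that hold several of those capabilities at once. The script below is an added example for this article and is not Citizen Lab's tooling or the article's own material. It parses a simplified, constructed excerpt in the style of `adb shell dumpsys package` output (the package names `com.example.maps` and `com.example.callrecorder.mod` are placeholders, not the real spyware's identifier) and reports packages whose granted permissions cover three or more of the capability classes. The permission names are real Android permissions; the dump format is simplified, so on a real device you would feed it the actual `dumpsys package` text.

```python
import re
from dataclasses import dataclass, field

# Capability classes drawn from the article's description of the spyware,
# mapped to the real Android permissions that grant them. The grouping and
# the three-class threshold below are this example's own triage heuristic.
CAPABILITIES = {
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "sms": {
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
    },
    "camera_audio": {
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
    },
    "install_apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "monitor_user": {
        "android.permission.PACKAGE_USAGE_STATS",
        "android.permission.SYSTEM_ALERT_WINDOW",
    },
}


@dataclass
class PackageInfo:
    name: str
    granted: set = field(default_factory=set)


def parse_dumpsys(text):
    """Parse a (simplified) `dumpsys package` dump into PackageInfo records.

    Only permissions marked granted=true are recorded; a permission that is
    merely requested but not granted does not give the app the capability.
    """
    packages = []
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = PackageInfo(m.group(1))
            packages.append(current)
            continue
        m = re.match(r"\s*([\w.]+): granted=(true|false)", line)
        if m and current is not None and m.group(2) == "true":
            current.granted.add(m.group(1))
    return packages


def capabilities_of(pkg):
    """Return the set of capability classes a package's granted permissions cover."""
    return {cap for cap, perms in CAPABILITIES.items() if pkg.granted & perms}


def triage(text, threshold=3):
    """Return [(package, sorted capabilities)] for packages at or above threshold."""
    flagged = []
    for pkg in parse_dumpsys(text):
        caps = capabilities_of(pkg)
        if len(caps) >= threshold:
            flagged.append((pkg.name, sorted(caps)))
    return flagged


# Constructed sample dump (placeholder package names, simplified layout).
SAMPLE_DUMP = """\
Package [com.example.maps] (1a2b3c):
  runtime permissions:
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.CAMERA: granted=false
Package [com.example.callrecorder.mod] (4d5e6f):
  install permissions:
    android.permission.REQUEST_INSTALL_PACKAGES: granted=true
    android.permission.PACKAGE_USAGE_STATS: granted=true
  runtime permissions:
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.READ_SMS: granted=true
    android.permission.SEND_SMS: granted=true
    android.permission.CAMERA: granted=true
    android.permission.RECORD_AUDIO: granted=true
"""

if __name__ == "__main__":
    for name, caps in triage(SAMPLE_DUMP):
        print(f"{name}: {', '.join(caps)}")
```

A hit from this check is a reason to preserve the device for proper forensic analysis, not a verdict: legitimate apps (a messaging client, for instance) can also hold several of these permissions, and spyware that hides behind a modified copy of a real app, as in this case, can look unremarkable by name alone. The article's own conclusion still applies, that a confiscated device should be treated as untrusted regardless of what a quick scan shows.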

The research also showed that the program was a new version of Monokle, one of the best-known spyware families developed for Russian intelligence agencies. According to the researchers, Monokle was created by the Special Technology Center in St. Petersburg, which has previously been accused of assisting Russian intelligence services.

Lessons from this case
For experts like Cooper Quintin of Citizen Lab, the case is an important reminder that spyware attacks do not always rely on sophisticated remote hacking. Sometimes, simply gaining physical access to a person's phone is enough to install spyware. The practice is less technical, but no less dangerous.

“A lot of people think that spyware attacks are always about exploits and zero days, but what they don’t realize is that someone who can force you to unlock your phone under threat of violence is just as dangerous,” Quintin said.

Conclusions
Experts say that anyone whose device has been confiscated by security forces should consider it compromised and no longer trust it. The case also raises important questions about the scale of repression in Russia and the potential threat to citizens who come to the attention of the security services. Dmitry Zair-Bek, head of the human rights organization Perviy Otdel (First Department), stressed that such actions are becoming increasingly common, and there is concern that they could affect more people, especially those traveling to Russia from Western countries or Ukraine.

Kirill Parubets and his wife were able to leave Russia, and this was apparently made possible by Kirill leaving his infected phone behind in Moscow to create the impression that he was still in the country.

In the report, Quintin and his colleagues concluded that “anyone whose device has been confiscated by the security services should assume that their device can no longer be trusted.”

Dmitry Zair-Bek, head of the human rights project First Department, condemned the Russian government and warned that what happened to Parubets could happen to others.

“We expected that something similar could happen to Kirill Parubets, because it perfectly fits the logic of the Russian secret services. The scale of the repression is really frightening, and the main problem is that there are no longer any ‘red lines’ of what is allowed,” Zair-Bek told TechCrunch. “In addition to Ukrainians, citizens of Western countries who visit Russia are at increased risk. They are an attractive target for recruitment and potential detention as hostages.”

After his release, Parubets said he and his wife left Russia. In an ironic twist, his spyware-enabled phone may have helped him escape, since he left it in Moscow.

“I needed to pretend that I was still in Moscow,” Parubets said. “To buy time.”

source: https://techcrunch.com/2024/12/05/russia...oid-phone/