How a Russian man’s harrowing tale shows the physical dangers of spyware

Citizen Lab and a Russian exile-led human rights group investigated spyware implanted on his phone after he was detained, beaten up and released.
Kirill Parubets was, entirely understandably, afraid. 

Six or seven Russian police officers had knocked on his Moscow apartment door in April, entered while wearing masks and holding automatic weapons, and started interrogating him about how he and his wife had helped supply aid to people in Ukraine suffering from the war’s devastation.

The police beat him and his spouse badly enough that he has lost hearing in his right ear. In an interview with CyberScoop on Wednesday, he said he was still suffering from insomnia and head and neck pain, the latter from his subsequent two-week imprisonment. They stationed him near a cold window without clothes, made him sing the national anthem of the Russian Republic, forced him to sit and stand repeatedly, and threatened to kill him and his wife.

While in a detention center after signing a statement to accept a 15-day administrative detention penalty, two people in black suits offered him a deal: Spy on a friend about his contacts with the Ukrainian special services or spend 20 years in prison. Parubets agreed, hoping to buy his spouse and himself some time to get away.

He then received an odd notification on his phone, which made him — an IT specialist and programmer — suspicious. He believed that when the authorities had taken his device and forced him to give up the credentials, they loaded it with spyware before returning it to him at the Lubyanka building, the headquarters of the Russian Federal Security Service, more commonly known as the FSB.

That brought on another wave of “real fear,” he said. “You understand that every step is under control,” he said. “And you know if you try to do something with your phone, they know about that immediately.”

He exported data from his device and left his phone in Moscow as he escaped with his wife, fearing even at the border that he might be stopped before boarding a plane. He then contacted the Russian exile-led human rights group First Department with the exported information. Collaborating with the University of Toronto’s Citizen Lab, they confirmed his suspicions: His phone had indeed been infected with spyware.

Citizen Lab on Wednesday released a report on Parubets’ story and that infection. It’s a lesson, they say, about how having one’s device confiscated — and especially when being compelled to hand over passcodes — can be another vector for spyware infection.

“People spend a lot of time thinking about zero-click exploits and zero-day attacks, but they tend to forget that somebody with physical access to your phone who can compel you to unlock it with violence, or even the threat of violence, is just as much of a threat, if not more so,” said Cooper Quintin, a research fellow at Citizen Lab and co-author of the report.

It’s something that poses a threat to nearly anyone, he said.

“We want people to be aware of this attack vector, to not ignore the attack vector of the police,” Quintin said. “There’s a similar attack vector of an abusive partner who has your phone and can compel you to unlock it, which people in abusive relationships have been aware of for a very long time.”

The Citizen Lab analysis found that the phone was likely infected with a trojanized application called Cube Call Recorder, a genuine app that had been implanted with malicious functionalities. It was similar to the Monokle spyware family, first identified by Lookout Mobile Security in 2019 and attributed to a Russian government contractor. Citizen Lab determined that it could access Parubets’ location data, record video with the phone camera and audio of phone calls — even answering phone calls on his behalf.

Quintin said it’s a “full-featured” malware, with “some esoteric features,” like placing phone calls on one’s behalf and live-streaming audio from one’s phone. The investigation also found hints in the code that there’s an iOS version of the Android malware, he said.

Russia routinely denies any cyber malfeasance. The BBC reported in September that the Kremlin had not yet commented publicly on United Nations allegations of rising human rights abuses since the invasion of Ukraine.

The lesson others can take from Parubets’ story, according to Quintin, is “as far as what people should do if your phone is seized by government agents and unlocked, you should immediately distrust that phone in the future,” he said. “And if you can find somebody to take a look at it — yeah, find a security professional to take a look at it.”

Despite his fear upon discovering the apparent spyware, Parubets said he felt a sense of pride to have figured out what was happening. He’s not sure why the spyware was implanted on his phone; perhaps the authorities didn’t realize he was a programmer who would notice something unusual about a simple notification like “Arm cortex vx3 synchronization.” Alternatively, he suggested, loading malware onto a captive’s phone may simply be standard practice in Russia under such circumstances. Either way, he suspects they wanted to make sure that if he did decide to escape, the spyware-infected phone could be used to monitor him.

Parubets isn’t sure the unnamed country where he’s currently located is all that safe, because Russia has proven its ability to reach targets across the border. But he still wanted to speak out.

“I think it’s very important that all people know the truth,” he said. “All people should know about the criminals of the Russian regime, with Russia trying to threaten people, to torture people, to try to spy on them, install viruses on their phone. … Maybe one day it will help to change something in Russia.”