Overview
- The Digital Security Lab of Reporter ohne Grenzen (RSF) and RESIDENT.NGO analyzed a journalist’s phone after a KGB interrogation and identified previously unknown spyware dubbed ResidentBat.
- The malware targets Android devices and can capture call and microphone recordings, screen activity, SMS, content from encrypted messengers, location data, and local files at the device level.
- Installation requires physical access to an unlocked phone. RSF reconstructed a scenario in which officers observed the PIN and manually installed the app while the device was stored during questioning.
- Code comparisons linked related variants to 2021, suggesting multi-year use, while English-language strings point to an unknown developer and the possibility of commercial or external origins.
- RSF shared findings with Google, which will warn likely targets of government-backed attacks, and recommended mitigations including airplane mode, checking accessibility permissions, and using Android’s Advanced Protection Mode.