    RSF uncovers new spyware from Belarus

    Reporters Without Borders (RSF)’s Digital Security Lab (DSL), working with the Eastern European organisation RESIDENT.NGO, has uncovered a previously unknown spyware tool used by the State Security Committee (KGB) of Belarus to target, among others, journalists and media workers. RSF assesses that this exposure is a serious setback for the KGB’s operations, not least because the software appears to have been in use for several years.

    Image created by BAJ with the help of ChatGPT

    “By deploying surveillance technologies such as ResidentBat, the Belarusian state is pursuing a deliberate strategy of repression against independent journalism. These tools have nothing to do with national security as alleged by press freedom predator Loukachenko, instead they have everything to do with intimidation and silencing of journalists. The systematic invasion of their private and professional lives amounts to a direct and unlawful assault on press freedom and fundamental rights. An international ban on such invasive and perverse technologies has been long overdue, as effective prosecution of such crimes against journalists.”

    Antoine Bernard
    Director, Advocacy & Assistance

    Spyware masquerading as a regular app

    ResidentBat was detected on the smartphone of a journalist who had been questioned by the KGB. RSF has verified the person’s identity but is not publishing it for security reasons.

    Before the interrogation at KGB premises, the individual was asked to place the smartphone in a locker. During questioning, the journalist was required to show content on the device and unlocked the phone in an officer’s presence. Afterwards, the device was placed in the locker again. The individual and RSF believe that the security forces observed the PIN entry, retrieved the phone during the interrogation and installed the spyware.

    A few days later, antivirus software flagged suspicious components on the device. The individual contacted RESIDENT.NGO, which carried out a forensic analysis together with RSF’s DSL.

    In use for years

    By comparing samples on an antivirus platform, RSF’s DSL identified additional ResidentBat variants likely used by the same actor. One analysed version dates back to 2021. RSF therefore believes that the KGB has been using the spyware for at least four years. RSF has shared the result of its research with Google. In order to further protect targeted individuals, the tech giant will send a “government-backed attack” threat notification to all Google users who were identified by Google as targets of this spyware campaign.

    It is not yet clear who developed ResidentBat. Parts of the code contain English-language strings, suggesting it may be a product not designed exclusively for use in Belarus, or developed by a third party.

    The full technical report is available here
