RSF: KGB Installs ResidentBat Spyware on Belarusians’ Phones

The Digital Security Lab (DSL) of Reporters Without Borders (RSF), together with the Eastern European NGO RESIDENT.NGO, has identified spyware that the Belarusian KGB uses to monitor journalists and activists. According to experts, the software has likely been in use for at least four years.

After its discovery, the spyware was named ResidentBat. It targets Android smartphones and tablets and provides access to sensitive data. Installation of the software requires physical access to the device.

“After installation, ResidentBat allows access to call logs, microphone recordings, SMS messages, messages from encrypted messengers, and local files”, RSF said in its investigation.

ResidentBat was discovered on the phone of a journalist who had previously been interrogated by the KGB. RSF did not disclose the journalist’s name for security reasons. The date of the interrogation was not specified.

The interrogation took place in a KGB building. The journalist was asked to leave the phone in a storage locker. During questioning, he was asked to unlock the phone in the presence of an officer and show some of its contents. The phone was then returned to the locker. The journalist and RSF specialists believe that KGB officers observed the unlock code and installed the spyware while the interrogation continued.

Several days later, an antivirus application on the phone issued an alert about suspicious software. The phone’s owner contacted RESIDENT.NGO, which analyzed the device together with the RSF Digital Security Lab.

RSF identified several versions of ResidentBat that were likely used by the same organization. The oldest version dates back to 2021. Parts of the code contain English-language text. Experts suggest that the product may have been developed for use beyond Belarus or commissioned from a third party.

RSF has forwarded the results of its investigation to Google.

“As an additional protective measure for individuals targeted by surveillance, the technology giant will send a ‘government-backed attack’ notification to all Google users whom the company has identified as targets of this spyware campaign”, RSF said.
