{
	"id": "3935ed06-f233-44ac-92d3-9c1b6a70d89f",
	"created_at": "2026-04-06T00:06:15.090633Z",
	"updated_at": "2026-04-10T03:21:43.94337Z",
	"deleted_at": null,
	"sha1_hash": "16919547cd9ff6a159e75caeef62775c9eff1722",
	"title": "Something to Remember Us By: Device Confiscated by Russian Authorities Returned with Monokle-Type Spyware Installed - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 212660,
	"plain_text": "Something to Remember Us By: Device Confiscated by Russian\r\nAuthorities Returned with Monokle-Type Spyware Installed - The\r\nCitizen Lab\r\nArchived: 2026-04-05 21:51:09 UTC\r\nKey Findings \r\nThis joint investigation with First Department, a legal assistance organization, found spyware covertly\r\nimplanted on a phone returned to a Russian programmer accused of sending money to Ukraine after he was\r\nreleased from custody.\r\nHe describes being subjected to beatings and an intense effort to recruit him as an informant for the\r\nRussian Federal Security Service (FSB).\r\nOur analysis finds that the spyware placed on his device allows the operator to track a target device’s\r\nlocation, record phone calls, keystrokes, and read messages from encrypted messaging apps, among other\r\ncapabilities.\r\nThe spyware bears many similarities to the Monokle family of spyware, previously reported on by Lookout\r\nMobile Security, which they attribute to the “Special Technology Center,” a contractor to the Russian\r\ngovernment. \r\nOur analysis also finds certain differences from previously-reported samples of Monokle spyware,\r\nsuggesting that it is either an updated version of Monokle or new software created by reusing much of the\r\nsame code. \r\nRead the full report by The First Department here and watch the video.\r\nIntroduction\r\nThe First Department is a legal assistance organization founded by exiled Russian human rights lawyer Ivan\r\nPavlov that specializes in defending those accused of treason and espionage in Russia. Pavlov left Russia in\r\nSeptember 2021 after facing persecution for his legal work. The First Department plays an essential role in\r\nsupporting individuals targeted for repression by the Russian government. The organization has been headed by\r\nDmitry Zair-Bek since May 2022. \r\nIn June 2024, The First Department received a report from Kirill Parubets, a Russian programmer who was\r\nreleased from a 15-day period in administrative detention by Russian authorities. Parubets, who consented to\r\nbeing named in this report, was accused of engaging in money transfers to Ukraine. His Android device had been\r\nconfiscated at the time his apartment was searched, during which he was subjected to beatings, among other\r\nthings, to compel him to disclose his device password.\r\nBoth Parubets and his spouse were taken into custody and detained. During his detention, Parubets describes\r\nbeing subjected to an intense effort at recruitment as an informant by Russia’s Federal Security Service (the FSB).\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 1 of 16\n\nHe was threatened with life imprisonment if he failed to cooperate. The recruitment effort suggests a focused and\r\nongoing interest by FSB in his work and contacts, including in Ukraine.\r\nFollowing Parubets’ release from detention, his device was returned to him at the Lubyanka building, the FSB’s\r\nheadquarters. Parubets quickly began observing unusual behavior, including a suspicious notification “Arm cortex\r\nvx3 synchronization” on the device, which was an Oukitel WP7 running Android 10. This notification is not a\r\nstandard notification on this device.\r\nWorking with Parubets and his spouse, The First Department examined the device and identified a likely-malicious app that he had not installed, and that appeared to have been introduced onto the phone during his\r\ndetention. The First Department subsequently contacted the Citizen Lab for assistance with technical analysis. \r\nTechnical Analysis\r\nOur analysis confirms that the application identified by The First Department is malicious, and that it appears to\r\nbe a trojanized version of the genuine Cube Call Recorder application. The genuine (non-malicious) Cube Call\r\nRecorder is an app listed in the Google Play Store that is designed to allow an individual to automatically record\r\nincoming phone calls, as well as calls within messaging apps. \r\nThe SHA sum of the malicious version of the app:\r\nMalicious App SHA-256\r\n737f60749c1919ad22102be27d52ba199ec4b707a985c42011b22ce0a4512c90\r\nSpyware Functionality\r\nFirst Stage\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 2 of 16\n\nThere are some hints about the functionality of the spyware in the permissions requested by the trojanized app.\r\nThe spyware requests many permissions that the legitimate version of the application does not, including:\r\nAccess to location information when the application is not in use\r\nRead and send SMS messages\r\nInstall additional packages\r\nRead calendar entries\r\nRecord screen captures\r\nList other applications on the device \r\nAnswer phone calls \r\nGet account details \r\nRecord video with the camera  \r\nThe spyware also shares several permissions with the legitimate application (which are also common to spyware)\r\nsuch as: \r\nAccessing precise location \r\nRecording phone calls \r\nGetting information about the target’s contacts\r\nPermission\r\nTrojanized\r\nApp\r\nLegitimate\r\nApp\r\nAccessing fine location ✅ ✅\r\nRecording phone calls ✅ ✅\r\nGetting information about the target’s contacts ✅ ✅\r\nAccess to location information when the application is\r\nnot in use\r\n✅ ❌\r\nRead and send SMS messages ✅ ❌\r\nInstall additional packages ✅ ❌\r\nRead calendar entries ✅ ❌\r\nRecord screen captures ✅ ❌\r\nList other applications on the device  ✅ ❌\r\nAnswer phone calls ✅ ❌\r\nGet account details  ✅ ❌\r\nRecord video with the camera ✅ ❌\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 3 of 16\n\nTable 1\r\nDifferences in permissions between the spyware and the legitimate application it is disguised as.\r\nMost of the malicious functionality of the application is contained in the class com.android.twe1ve , a class that\r\nis unique to this sample of spyware and not present in the Cube Call Recorder app available in the Google Play\r\nStore. \r\nMost of the malicious functionality of the application is hidden in an encrypted second stage of the spyware. Once\r\nthe spyware is loaded onto the phone and executed, the second stage is decrypted and loaded into memory. This\r\ntype of obfuscation can help hide malicious activity from some antivirus software.\r\nThe second stage is a dex file encrypted using simple XOR encryption with a static repeating key. The second\r\nstage is stored in a data file called license located in the assets directory of the unpacked apk file. The java\r\nclass com.catalinagroup.callrecorder.App loads lib/arm64-v8a/library.so , which provides functionality\r\nfor com.system.info.Info to unpack the second stage. \r\nJava code to load the native ARM library which is responsible for unpacking the second stage of the spyware:\r\n static {System.loadLibrary(\"rary\"); }\r\nThe app then calls into the loaded library to extend the app by attaching assets/library as a base context.\r\nJava code to load the decrypted license file into memory in the context of the trojanized application: \r\n  public void attachBaseContext(Context context) {Info.get(context, \"license\"); super.attachBase\r\nSecond Stage \r\nThe second stage of the spyware contains additional core Android application libraries in the \r\ncom.android.twe1ve class, as well as importing other common cryptography and Android libraries. It also\r\nincludes several open source software libraries: an RTMP for real time audio/video streaming, and an SMB library\r\npresumably for uploading files taken from the device. \r\nThe second stage contains many common spyware capabilities, including:\r\nLocation Tracking \r\nScreen capture \r\nKeylogging \r\nRecording calls \r\nExtracting files from the device \r\nExtracting stored passwords \r\nReading messages from other messaging apps \r\nAdding a new device administrator\r\nInjection of Javascript \r\nExecuting shell commands \r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 4 of 16\n\nExtracting the device unlock password \r\nIt also contains functionality for decrypting settings and data files which are also stored in the assets directory in\r\nseemingly randomly named files.\r\nInterestingly, we find several references to iOS in the code, suggesting the possibility of an iPhone version of this\r\nspyware.\r\nReference to iOS permissions in the settings code:\r\nMwBi.MwLBLiL = new MwIN.MwKuK.MwKuK.MwIN.Mwuk(\"settingsName\", 11, 2);MwBi.MwiB = new MwIN.MwKuK.MwKuK.MwIN.Mwu\r\nThere are also commands from the command and control infrastructure referencing iOS: “ ShowiCloudLogin ”,\r\nand “ GetHealthKit .” These are the same references to iOS which were originally reported by Lookout in 2019. \r\nTechnical experts at The First Department suspected that this spyware might be related to the Monokle family of\r\nspyware, originally reported on by Lookout in 2019. Lookout described Monokle as advanced mobile spyware\r\nwith connections to Russian threat actors. At that time, Lookout linked Monokle to Special Technology Center,\r\nLtd., a company based in St. Petersburg, Russia. \r\nThroughout the analysis of the sample provided by The First Department we found key similarities to the original\r\nMonokle spyware sample, but also some differences, leading us to assess that this is either an updated version of\r\nMonokle, or that it has been created by reusing much of the original Monokle code.\r\nCommand \u0026 Control Similarities\r\nThe most compelling evidence that the app installed on the individual’s device is related to the Monokle sample\r\nfrom the 2019 Lookout report is the overlap in the commands issued by the command and control server,\r\nincluding many of the same exact strings. This sample and the 2019 sample both also use the string\r\nBaseSystemCommand as the prefix for all command strings, which appears to be unique to these two samples. \r\nOur Sample Lookout Monokle\r\nBaseSystemResponse_ExecuteShellCommand\r\nBaseSystemResponse_GetApplicationsList\r\nBaseSystemResponse_GetCallsList\r\nBaseSystemResponse_GetLocation\r\nBaseSystemResponse_GetScreenPassword\r\nBaseSystemResponse_GetSmsList\r\nBaseSystemResponse_InstallCertificate\r\nBaseSystemResponse_GetKeyLogging\r\nBaseSystemCommand_InstallApplication\r\nBaseSystemCommand_SetAudioRecordMode\r\nbaseSystem.executeShellCommand.\r\nbaseSystem.getApplicationsList\r\nbaseSystem.getCallsList\r\nbaseSystem.getLocation\r\nbaseSystem.getScreenPassword\r\nbaseSystem.getSmsList\r\nbaseSystem.installCertificate\r\nbaseSystem.getKeyLogging\r\nbaseSystem.installApplication\r\nbaseSystem.setAudioRecordMode\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 5 of 16\n\nTable 2\r\nSelected similarities between command and control commands.\r\nAdditionally, the same iOS-related commands present in this sample were also observed by Lookout in their 2019\r\nreport. \r\nAdditional Similarities\r\nThere are additional similarities between the sample identified by The First Department and the 2019 Monokle\r\nspyware sample. However, these additional similarities include several common tactics of spyware and would not\r\nbe as significant on their own without the unique Command \u0026 Control overlaps. \r\nUse of Similar Folders for Malware Staging\r\nThe sample identified by The First Department uses the assets folder for storing other stages of spyware and\r\nsettings, and decrypting that data with a static repeating XOR key. This is the same TTP used by Monokle\r\naccording to the report from Lookout. \r\nUse of Accessibility Settings and Other Similarities\r\nThe sample also makes use of accessibility settings, a feature noted in the Lookout report. Many of the other\r\ncapabilities present in this sample such as geofencing, streaming audio, gathering health kit data, and recording\r\nthe unlock screen password are all present in Lookout’s reporting on Monokle as well. \r\nTrojanization/Hijacking of Legitimate Applications\r\nThis spyware was packaged as a backdoored version of a legitimate application, which is a common technique.\r\nMonokle was also typically packaged as a trojanized version of a legitimate application. \r\nDifferences with the Lookout Monokle Sample\r\nAlthough the analysis found numerous similarities between this sample and the original reporting on Monokle,\r\nthere are also some differences that are important to mention. The names of the specific files stored in the assets\r\nfolder have changed and the encryption of the configuration file is more sophisticated than the 2019 sample. The\r\nnew sample uses a different key than is used for the second stage, making it much more difficult to decrypt and\r\nextract additional Command and Control information.\r\nSome of the permissions have changed as well. The app now requests new permissions such as\r\n“ ACCESS_BACKGROUND_LOCATION ”, “ INSTALL_PACKAGES ”, and “ LOCAL_MAC_ADDRESS ”. Many third-party\r\napplication-specific permissions, such as “ org.thoughtcrime.securesms.ACCESS_SECRETS ”, and\r\n“ com.android.browser.permission.READ_HISTORY_BOOKMARKS ” have been removed. Some Android permissions\r\nsuch as “ USE_FINGERPRINT ”, and “ SET_WALLPAPER ” have also been removed.\r\nHowever, even with these changes, the many significant similarities in operations, functionality, and geopolitical\r\nmotivations lead us to assess that this is either an updated version of the Monokle spyware or new software\r\ncreated by reusing much of the same code. \r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 6 of 16\n\nImplications of Device Tampering\r\nIt is common for the FSB to engage in targeted digital surveillance against individuals they perceive as threats,\r\nsuch as the use of sophisticated social engineering to steal credentials as described in the Rivers of Phish\r\ncampaign the Citizen Lab uncovered in partnership with Access Now and multiple regional civil society\r\norganizations. Malicious activities that target individuals across the globe often rely on tricking a user into\r\nengaging with the attackers. However, the tactics often change when an individual is within physical proximity of\r\nthe attackers. \r\nDetention and device confiscation can provide an unique opportunity for an adversary to install spyware without\r\nthe same technical challenges presented by remote attacks. This opportunity is especially pronounced if the\r\nadversary has user-level access to the device and is able to compel the individual to provide credentials and/or\r\ndevice passcodes, as they were in this case.\r\nThis case illustrates that the loss of physical custody of a device to a hostile security service like the FSB can be a\r\nsevere risk for compromise that will extend beyond the period where the security services have custody of the\r\ndevice. In this case, the target noticed several odd behaviors on their device after he was released from detention,\r\nsuch as an unfamiliar and suspicious notification and the presence of an app that he had not installed. However,\r\nnot every attempt to infiltrate and monitor a device is likely to result in such visible alerts. \r\nWe encourage members of civil society that have lost physical custody of their device to a security service,\r\nespecially a technically competent service in an authoritarian state like Russia, to seek expert assistance when the\r\ndevice is returned to them. Any person whose device was confiscated and later returned by such services should\r\nassume that the device can no longer be trusted without detailed, expert analysis. \r\nAcknowledgements \r\nWe first wish to acknowledge the bravery of Kirill Parubets for coming forward and sharing the details and\r\nsamples with The First Department and The Citizen Lab. Thanks to Dmitry Zair-Bek and The First Department for\r\ntheir assistance in this investigation. Thanks to Lookout for their original reporting on Monokle and for sharing\r\nadditional findings to support this research. \r\nWe thank our colleagues at The Citizen Lab for assistance with preparing, editing, and reviewing this report, with\r\nspecial thanks to Bahr Abdul Razzak, Adam Senft, Siena Anstis \u0026 Alyson Bruce. Professor Ron Deibert is the\r\nprincipal investigator of the Citizen Lab and this project was undertaken under an approved University of Toronto\r\nresearch ethics protocol # 37346, “Comparative Analysis of Information Security Threats Experienced by Civil\r\nSociety.”\r\nAppendix – Indicators of Compromise \r\nSHA-256 Sum\r\n737f60749c1919ad22102be27d52ba199ec4b707a985c42011b22ce0a4512c90\r\nCommands sent by the C2 Server\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 7 of 16\n\nBaseSystemCommand_ApplyAgentUpdate\r\nBaseSystemCommand_ClearResults\r\nBaseSystemCommand_DeleteFile\r\nBaseSystemCommand_DeviceControl\r\nBaseSystemCommand_DeviceReset\r\nBaseSystemCommand_ExecuteShellCommand\r\nBaseSystemCommand_GetAccessibility\r\nBaseSystemCommand_GetAgentInfo\r\nBaseSystemCommand_GetAppUsageStatsList\r\nBaseSystemCommand_GetApplicationsList\r\nBaseSystemCommand_GetCallsList\r\nBaseSystemCommand_GetContactsList\r\nBaseSystemCommand_GetDeviceInfo\r\nBaseSystemCommand_GetEmailsList\r\nBaseSystemCommand_GetFile\r\nBaseSystemCommand_GetFilesList\r\nBaseSystemCommand_GetHealthKit\r\nBaseSystemCommand_GetInstantChatsList\r\nBaseSystemCommand_GetKeyLogging\r\nBaseSystemCommand_GetLocalSettingsList\r\nBaseSystemCommand_GetMeetingsList\r\nBaseSystemCommand_GetMmsList\r\nBaseSystemCommand_GetNotesList\r\nBaseSystemCommand_GetPreparedTaskResultsData\r\nBaseSystemCommand_GetRegistryKeysList\r\nBaseSystemCommand_GetSmsList\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 8 of 16\n\nBaseSystemCommand_InjectJS\r\nBaseSystemCommand_InstallApplication\r\nBaseSystemCommand_InstallCertificate\r\nBaseSystemCommand_MakeCall\r\nBaseSystemCommand_PrepareFileArchive\r\nBaseSystemCommand_ScheduleConnection\r\nBaseSystemCommand_SendSms\r\nBaseSystemCommand_SetAccessibility\r\nBaseSystemCommand_SetAgentSettings\r\nBaseSystemCommand_SetAgentUid_deprecated\r\nBaseSystemCommand_SetApplicationRestriction\r\nBaseSystemCommand_SetAudioListenMode\r\nBaseSystemCommand_SetAudioRecordMode\r\nBaseSystemCommand_SetAudioStreamingMode\r\nBaseSystemCommand_SetCallDropMode\r\nBaseSystemCommand_SetCallRecordMode\r\nBaseSystemCommand_SetCallbackMode\r\nBaseSystemCommand_SetCatchFiles\r\nBaseSystemCommand_SetCommunicationMode_deprecated\r\nBaseSystemCommand_SetConnectPeriod_deprecated\r\nBaseSystemCommand_SetControlPhones_deprecated\r\nBaseSystemCommand_SetEventActions\r\nBaseSystemCommand_SetFileCrypto_deprecated\r\nBaseSystemCommand_SetGeofencesList\r\nBaseSystemCommand_SetInstantChatAccumMode\r\nBaseSystemCommand_SetKeyLogging\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 9 of 16\n\nBaseSystemCommand_SetKeychain\r\nBaseSystemCommand_SetLocationTracking\r\nBaseSystemCommand_SetPhotoShotMode\r\nBaseSystemCommand_SetScreenCastRecordMode\r\nBaseSystemCommand_SetScreenPasswordMode\r\nBaseSystemCommand_SetScreenRecordMode\r\nBaseSystemCommand_SetScreenShotMode\r\nBaseSystemCommand_SetServerAddress_deprecated\r\nBaseSystemCommand_SetTransportCrypto_deprecated\r\nBaseSystemCommand_SetUsbTunnelPort_deprecated\r\nBaseSystemCommand_SetVideoRecordMode\r\nBaseSystemCommand_SetVideoStreamingMode\r\nBaseSystemCommand_SetWatchFolders\r\nBaseSystemCommand_ShowMessage\r\nBaseSystemCommand_ShowiCloudLogin\r\nBaseSystemCommand_SqlQuery\r\nBaseSystemCommand_StopScheduledTasks\r\nBaseSystemCommand_ToggleBluetooth\r\nBaseSystemCommand_ToggleGPS\r\nBaseSystemCommand_ToggleWifi\r\nBaseSystemCommand_UninstallApplication\r\nBaseSystemCommand_UploadFileToAgent\r\nBaseSystemResponse_CancelAllCommands\r\nBaseSystemResponse_Error\r\nBaseSystemResponse_ExecuteShellCommand\r\nBaseSystemResponse_GetAccessibility\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 10 of 16\n\nBaseSystemResponse_GetAccountsList\r\nBaseSystemResponse_GetAgentInfo\r\nBaseSystemResponse_GetAppUsageStatsList\r\nBaseSystemResponse_GetApplicationsList\r\nBaseSystemResponse_GetBrowserBookmarks\r\nBaseSystemResponse_GetBrowserHistory\r\nBaseSystemResponse_GetBrowserTracking\r\nBaseSystemResponse_GetCallsList\r\nBaseSystemResponse_GetCapabilities\r\nBaseSystemResponse_GetContactsList\r\nBaseSystemResponse_GetDeviceInfo\r\nBaseSystemResponse_GetEmailsList\r\nBaseSystemResponse_GetEventTracking\r\nBaseSystemResponse_GetFile\r\nBaseSystemResponse_GetFilesList\r\nBaseSystemResponse_GetGeofencesList\r\nBaseSystemResponse_GetHealthKit\r\nBaseSystemResponse_GetInstantChatsList\r\nBaseSystemResponse_GetInterfacesStates_deprecated\r\nBaseSystemResponse_GetJSOutput\r\nBaseSystemResponse_GetKeyLogging\r\nBaseSystemResponse_GetKeychain\r\nBaseSystemResponse_GetLocalSettingsList\r\nBaseSystemResponse_GetLocation\r\nBaseSystemResponse_GetLocationTracking\r\nBaseSystemResponse_GetMMSList\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 11 of 16\n\nBaseSystemResponse_GetMeetingsList\r\nBaseSystemResponse_GetNetworkingData_deprecated\r\nBaseSystemResponse_GetNotesList\r\nBaseSystemResponse_GetNotificationsList_deprecated\r\nBaseSystemResponse_GetPreparedTaskResultsList\r\nBaseSystemResponse_GetRegistryKeysList\r\nBaseSystemResponse_GetSMSList\r\nBaseSystemResponse_GetScheduledTasksList\r\nBaseSystemResponse_GetScreenPassword\r\nBaseSystemResponse_GetUserDictList\r\nBaseSystemResponse_SetAudioRecordMode\r\nBaseSystemResponse_SetScreenRecordMode\r\nBaseSystemResponse_SetVideoRecordMode\r\nBaseSystemResponse_SqlQuery\r\nBaseSystemResponse_UploadFileToAgent\r\nFields in Data and Settings Files\r\nAGENT_SETTINGS(1, \"agentSettings\"),\r\nSERVICE_KILLED(2, \"serviceKilled\"),\r\nRADIO_INFO(3, \"radioInfo\"),\r\nTURN_GPS_ON(4, \"turnGpsOn\"),\r\nLOCATION_TRACKING_ON(5, \"locationTrackingOn\"),\r\nLOCATION_TRACKING_PERIOD(6, \"locationTrackingPeriod\"),\r\nHAVE_SCREEN_CAP_PERMISSION(7, \"haveScreenCapPermission\"),\r\nKEY_LOGGING_MODE(8, \"keyLoggingMode\"),\r\nACCESSIBILITY_MODE(9, \"accessibilityMode\"),\r\nACCESSIBILITY_MASKS(10, \"accessibilityMasks\"),\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 12 of 16\n\nSCREEN_UNLOCK_HOOK(11, \"screenUnlockHook\"),\r\nSCREEN_CAST_RECORD_PARAMS(12, \"screenCastRecordParams\"),\r\nSCREEN_SHOTS_SETTINGS(13, \"screenShotsSettings\"),\r\nPHOTO_SHOT_SETTINGS(14, \"photoShotSettings\"),\r\nPHOTO_SHOTS_CURRENT_QUANTITY(15, \"photoShotsCurrentQuantity\"),\r\nCURRENT_AUDIO_TASK(16, \"currentAudioTask\"),\r\nCURRENT_VIDEO_TASK(17, \"currentVideoTask\"),\r\nCURRENT_AUDIO_LISTEN_TASK(18, \"currentAudioListenTask\"),\r\nLEVEL_SETTINGS(19, \"levelSettings\"),\r\nGEOFENCES(20, \"geofences\"),\r\nSCHEDULED_COMMANDS(22, \"scheduledCommands\"),\r\nCOMMANDS(23, \"commands\"),\r\nSCHEDULED_COMMANDS_ID_TIME(24, \"scheduledCommandsIdTime\"),\r\nLAST_COMMAND_ID(25, \"lastCommandId\"),\r\nEVENT_ACTION_LIST(26, \"eventActionList\"),\r\nINSTANT_CHAT_ACCUMULATE_MODE(27, \"instantChatAccumulateMode\"),\r\nCALL_RECORD_MODE(28, \"callRecordMode\"),\r\nCALL_RECORD_SOURCE_PHONE(29, \"callRecordSourcePhone\"),\r\nCALL_RECORD_SOURCE_IM(30, \"callRecordSourceIM\"),\r\nRECORD_CALL_MASKS(31, \"recordCallMasks\"),\r\nDROP_CALL_MASKS(32, \"dropCallMasks\"),\r\nAPPLICATION_RESTRICTION_LIST(33, \"applicationRestrictionList\"),\r\nNEED_IMMEDIATELY_CONNECTION_TIME(34, \"needImmediatelyConnectionTime\"),\r\nWATCH_FOLDERS(35, \"watchFolders\"),\r\nCATCH_FILES(36, \"catchFiles\"),\r\nLAST_DEVICE_ON_TIME(37, \"lastDeviceOnTime\"),\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 13 of 16\n\nTASK_ID_CALL_RECORD(50, \"taskIdCallRecord\"),\r\nTASK_ID_CALL_DROP(51, \"taskIdCallDrop\"),\r\nTASK_ID_SCREEN_PASSWORD(52, \"taskIdScreenPassword\"),\r\nTASK_ID_KEYLOGGING(53, \"taskIdKeylogging\"),\r\nTASK_ID_LOCATION_TRACKING(54, \"taskIdLocationTracking\"),\r\nTASK_ID_ACCESSIBILITY(55, \"taskIdAccessibility\"),\r\nRECS__AUDIO(100, \"RECS_AUDIO\"),\r\nRECS__PHOTO(101, \"RECS_PHOTO\"),\r\nRECS__VIDEO(102, \"RECS_VIDEO\"),\r\nRECS__SCREEN__SHOT(103, \"RECS_SCREEN_SHOT\"),\r\nRECS__RESERVED(104, \"RECS_RESERVED\"),\r\nRECS__ACCESSIBILITY(105, \"RECS_ACCESSIBILITY\"),\r\nRECS__TASK__RESULTS(106, \"RECS_TASK_RESULTS\"),\r\nRECS__BACKUP(107, \"RECS_BACKUP\"),\r\nRECS__FILE__ARCHIVES(108, \"RECS_FILE_ARCHIVES\"),\r\nRECS__CATCH__FILES(109, \"RECS_CATCH_FILES\"),\r\nFN__KEY__LOGS(120, \"FN_KEY_LOGS\"),\r\nFN__ACCESSIBILITY(121, \"FN_ACCESSIBILITY\"),\r\nFN__SPELL(122, \"FN_SPELL\"),\r\nFN__RECORDS(123, \"FN_RECORDS\"),\r\nFN__SHUTDOWN__TRACKING(124, \"FN_SHUTDOWN_TRACKING\"),\r\nFN__DATA__MESSAGES(125, \"FN_DATA_MESSAGES\"),\r\nFN__HISTORY(126, \"FN_HISTORY\"),\r\nFN__LOCATION__TRACKING(127, \"FN_LOCATION_TRACKING\"),\r\nFN__PASSWORD__LIST(128, \"FN_PASSWORD_LIST\"),\r\nFN__WATCH__FOLDERS(129, \"FN_WATCH_FOLDERS\"),\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 14 of 16\n\nFN__CATCH__DATA__FILE(130, \"FN_CATCH_DATA_FILE\"),\r\nUPDATE_FILE(150, \"updateFile\"),\r\nIS_INSTALLED_UPDATE(151, \"isInstalledUpdate\");\r\nPermissions requested by the spyware which are not present in the legitimate version of the application:\r\nandroid.permission.ACCESS_BACKGROUND_LOCATION\r\nandroid.permission.ACCESS_NOTIFICATION_POLICY\r\nandroid.permission.ANSWER_PHONE_CALLS\r\nandroid.permission.AUTHENTICATE_ACCOUNTS\r\nandroid.permission.BATTERY_STATS\r\nandroid.permission.BIND_ACCESSIBILITY_SERVICE\r\nandroid.permission.BLUETOOTH_ADMIN\r\nandroid.permission.CALL_PHONE\r\nandroid.permission.CAMERA\r\nandroid.permission.CAPTURE_AUDIO_OUTPUT\r\nandroid.permission.CHANGE_NETWORK_STATE\r\nandroid.permission.CHANGE_WIFI_STATE\r\nandroid.permission.GET_ACCOUNTS\r\nandroid.permission.INSTALL_PACKAGES\r\nandroid.permission.LOCAL_MAC_ADDRESS\r\nandroid.permission.MANAGE_EXTERNAL_STORAGE\r\nandroid.permission.MODIFY_PHONE_STATE\r\nandroid.permission.PACKAGE_USAGE_STATS\r\nandroid.permission.PROCESS_OUTGOING_CALLS\r\nandroid.permission.QUERY_ALL_PACKAGES\r\nandroid.permission.READ_CALENDAR\r\nandroid.permission.READ_CALL_LOG\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 15 of 16\n\nandroid.permission.READ_FRAME_BUFFER\r\nandroid.permission.READ_PRIVILEGED_PHONE_STATE\r\nandroid.permission.READ_SMS\r\nandroid.permission.RECEIVE_BOOT_COMPLETED\r\nandroid.permission.RECEIVE_SMS\r\nandroid.permission.REQUEST_DELETE_PACKAGES\r\nandroid.permission.REQUEST_INSTALL_PACKAGES\r\nandroid.permission.SCHEDULE_EXACT_ALARM\r\nandroid.permission.SEND_SMS\r\nandroid.permission.TEMPORARY_ENABLE_ACCESSIBILITY\r\nandroid.permission.WRITE_SECURE_SETTINGS\r\nandroid.permission.WRITE_SETTINGS\r\nSource: https://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nhttps://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/\r\nPage 16 of 16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/"
	],
	"report_names": [
		"device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433975,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16919547cd9ff6a159e75caeef62775c9eff1722.pdf",
		"text": "https://archive.orkl.eu/16919547cd9ff6a159e75caeef62775c9eff1722.txt",
		"img": "https://archive.orkl.eu/16919547cd9ff6a159e75caeef62775c9eff1722.jpg"
	}
}