Spyware unmasked: How Belarus monitors journalists with "ResidentBat"
Researchers have identified an Android spyware that has been used directly against media actors in Belarus for years. It relies on blatant deception.
(Image: Kurt Bauschardt CC BY-SA 2.0)
The Belarusian secret service KGB has apparently been using custom-made spyware called ResidentBat for years to comprehensively monitor journalists and opposition figures. This was uncovered by the Digital Security Lab (DSL) of Reporters Without Borders (RSF) and the Eastern European organization Resident.NGO. The unmasking is a severe blow to the Belarusian apparatus, as the forensic analysis of the software provides deep insights into the surveillance practices of one of the most repressive regimes worldwide.
High-priced spyware such as Pegasus, Predator, or Candiru exploits vulnerabilities in operating systems to infect end devices remotely. According to the analysis, ResidentBat instead relies on physical access. The infection chain that RSF was able to reconstruct reads like a script for an espionage thriller: an affected person was summoned for questioning to the KGB premises. Before the interrogation began, they had to deposit their smartphone in a locker. During the interrogation, the person was asked to show certain content on their phone and unlocked it in front of the officers.
Experts assume that the security forces observed the PIN entry, later secretly took the device from the locker, and manually installed the spyware. Since ResidentBat is disguised as a legitimate system app, it remains almost invisible to laypeople. Once active, it grants attackers almost total control: the malware can read call logs, copy SMS and locally stored files, and make microphone and screen recordings.
Particularly serious: even messages from supposedly encrypted messenger services like WhatsApp, Signal, or Threema are not safe from access, because the spyware captures the content directly on the end device, where it exists in plaintext before it is encrypted for transmission.
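A first triage step that follows from the infection chain described above: a manually installed package, even one named to look like a system component, normally lands in the user partition (/data/app) with no store installer recorded. The script below is an added example and not part of the article or of the RSF/DSL analysis; it assumes the output format of Android's `pm list packages -f -i` (path, package name, installer), operates on a constructed sample rather than a real device, and uses a hypothetical system-looking package name as the suspicious case.

```shell
#!/bin/sh
# Heuristic triage for sideloaded apps posing as system components.
# Assumed input format (from `adb shell pm list packages -f -i`):
#   package:<apk path>=<package name>  installer=<installer or null>
# System apps live under /system, /vendor, /product; a package with a
# system-style name that lives under /data/app and was installed by
# nobody (installer=null) or via adb (com.android.shell) deserves a look.

# Constructed sample output; com.android.systemupdate is a made-up name.
SAMPLE='package:/system/priv-app/Settings/Settings.apk=com.android.settings  installer=null
package:/data/app/~~mB7tYqR1Xw==/com.android.systemupdate-aZ9kLp==/base.apk=com.android.systemupdate  installer=null
package:/data/app/~~Qp3sVnT8Ke==/org.thoughtcrime.securesms-rT2wYx==/base.apk=org.thoughtcrime.securesms  installer=com.android.vending
package:/data/app/~~Lk8dHfU2Zc==/com.example.notes-bN4vMq==/base.apk=com.example.notes  installer=null'

# Reads pm output on stdin, prints one suspicious package name per line.
flag_suspicious() {
  while IFS= read -r line; do
    case "$line" in package:*) ;; *) continue ;; esac
    rest=${line#package:}
    # Split on ".apk=" because base64 path segments themselves contain "=".
    path=${rest%%.apk=*}
    name_and_installer=${rest#*.apk=}
    name=${name_and_installer%%[[:space:]]*}
    installer=${name_and_installer##*installer=}
    # Only user-installed packages are of interest here.
    case "$path" in /data/app*) ;; *) continue ;; esac
    # Installed outside any app store: unknown source or adb.
    case "$installer" in null|com.android.shell) ;; *) continue ;; esac
    # System-style naming on a user-partition package.
    case "$name" in android.*|com.android.*|com.google.android.*) printf '%s\n' "$name" ;; esac
  done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | flag_suspicious
```

On a real device the same filter is fed with `adb shell pm list packages -f -i | flag_suspicious`. The heuristic only covers the scenario the article describes, an implant installed by hand on an unlocked phone; an implant placed with elevated privileges into the system partition would not be caught by a path check, and any hit should be confirmed by inspecting the APK rather than trusted on its own.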
ResidentBat is not new
Forensic examination indicates that Minsk has not been using this technique only recently. By comparing code fragments on antivirus platforms, analysts found versions dating back to 2021. This suggests that the regime has maintained a reliable digital persecution infrastructure for at least four years. Who exactly is behind the development of ResidentBat remains unclear. English strings in the source code suggest that the basis could be a commercial product developed for the international market or by an external service provider.
RSF Managing Director Anja Osterhaus sees the finding as confirmation of the civil society organization's demand for a global ban on invasive espionage technologies. Such tools, she argues, are simply incompatible with human rights. In Belarus, the use of such software is part of systematic repression, according to RSF: with 33 imprisoned media professionals and 166th place in the World Press Freedom Index, the country is one of the most dangerous places for journalists worldwide.
It also works without expensive exploits
The revelation has already had concrete implications for the security of Android users. The DSL has shared its findings with Google. The tech giant announced that it will inform affected users identified as targets of state actors about "government-backed attacks" through special warnings.
For those affected in Belarus, this is only small comfort. In a country where simply carrying a smartphone becomes a danger, the ResidentBat case shows above all one thing: even without technical strokes of genius and expensive security vulnerabilities, a secret service can eliminate its citizens' privacy as soon as it gains physical control over the hardware. Calls for a ban on spyware have been made in the EU since various scandals surrounding such state trojans. Little has happened since then. The EU Commission recently even had to admit that substantial funding has flowed to spyware manufacturers.
(vbr)