A newly documented Android spyware family called ResidentBat has been attributed to Belarus’s State Security Committee (KGB), where it is used in targeted surveillance operations against journalists and civil society. The malware was analysed and publicly reported by a collaboration between Reporters Without Borders (RSF) and the Eastern European nonprofit RESIDENT.NGO. Code artefacts and infrastructure analysis indicate ResidentBat was in development and operational since at least 2021, making it a long-running threat.
Discovery and Attribution
ResidentBat came to light in late 2025 after forensic investigators examined the Android device of a Belarus-based journalist shortly after an interrogation by KGB officers. Rather than exploiting remote vulnerabilities or phishing chains, the infection was deployed physically during detention: officers temporarily took possession of the device, observed the unlock PIN entry, and installed the spyware before returning it.
Unlike many sophisticated state-grade implants, ResidentBat does not rely on zero-day exploits to break out of the Android sandbox. Instead, it abuses legitimate Android platform capabilities — notably Android’s Accessibility Service and Device Administration API — to achieve wide visibility into user activity.
Infection Model
ResidentBat is deployed as a standard Android APK that operators sideload onto a target’s phone through ADB (Android Debug Bridge) or similar manual methods once physical access is obtained. Installation requires:
- Physical possession of the device
- Manual enabling of Developer Options and USB Debugging
- Explicit permission grants by the operator
- Disabling of Google Play Protect safeguards
There is no remote propagation — the Command & Control (C2) infrastructure is used only for post-installation data exfiltration and tasking, not for initial delivery.
Capabilities and Technical Profile
Once resident on a device, ResidentBat grants its operators deep surveillance and control, including:
Data Collection & Monitoring
- Communication interception: SMS, call logs, and message content from encrypted messaging apps (read from the screen via Accessibility Services, i.e. before the app encrypts the messages).
- Media access: Microphone recordings, camera capture, screenshots.
- File system access: internal and external storage.
Operational Controls
- C2 communication over HTTPS with identifiable network fingerprints (e.g., a self-signed certificate with CN=server and predictable TLS/HTTP banner hashes).
- Remote command and control, including configuration changes and task execution.
- Device administration rights enabling persistent background execution and the ability to wipe the device via the Android DevicePolicyManager API.
This model doesn’t break Android’s sandbox in the sense of kernel exploits, but it makes full use of legitimate APIs to achieve an extensive surveillance footprint.
Infrastructure and Detection
Censys security researchers have mapped the C2 infrastructure associated with ResidentBat, finding hosts across multiple countries (Netherlands, Germany, Switzerland, Russia). These servers tend to listen on a small port range (7000–7257) and share consistent cryptographic fingerprints, which makes them detectable at internet scale with scanning and threat intelligence tools.
Operational Context
The attack patterns suggest ResidentBat isn’t designed for mass compromise. Instead, its deployment appears highly targeted — used when authorities briefly seize devices during detention, border crossings, or similar situations where they can physically interact with the handset. This “hands-on” approach limits broad infection scale but provides extremely rich surveillance data for selected individuals.
Implications and Mitigation
ResidentBat exemplifies a trend where surveillance actors sidestep the complexity of remote exploitation by physically installing malware that abuses legitimate platform features. Because of this:
- Standard endpoint protection may not detect ResidentBat early, especially if installed with security mechanisms disabled.
- Users at high risk of targeted surveillance should consider hardened platforms (e.g., Android security-focused builds, PIN obfuscation techniques) and strict device handling practices.
- Disabling USB Debugging and avoiding sideloaded APKs are critical defensive measures.
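A defender-side triage check for the conditions listed above, as an added example that is not code from the RSF/RESIDENT.NGO report: it parses previously captured output of a few `adb shell` commands (so it runs offline, here on constructed samples) and flags enabled Developer Options and USB debugging, sideloaded packages, and non-platform accessibility services, rating a sideloaded package that also holds an accessibility service highest. The trusted-prefix list and the sample package names are assumptions.

```python
# Added example (not code from the RSF/RESIDENT.NGO report): offline triage of
# the settings ResidentBat's infection model depends on, parsed from captured
# output of: adb shell settings get secure enabled_accessibility_services,
# pm list packages -3 -i, settings get global adb_enabled and
# settings get global development_settings_enabled.

# Assumption: OS/vendor prefixes on stock builds; anything else gets a manual look.
TRUSTED_PREFIXES = ("com.android.", "com.google.android.")

def parse_accessibility_services(raw):
    # The secure setting reads "pkg/Service:pkg2/Service2", or "null" if empty.
    raw = raw.strip()
    return [] if raw in ("", "null") else [s for s in raw.split(":") if s]

def parse_sideloaded(raw):
    # Lines read "package:<name>  installer=<pkg|null>"; a null installer
    # means the APK did not arrive through a store (e.g. an ADB install).
    found = []
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name, sep, installer = line[8:].partition("installer=")
            if sep and installer.strip() == "null":
                found.append(name.strip())
    return found

def triage(accessibility_raw, packages_raw, adb_raw, devopts_raw):
    # Returns (severity, message) pairs; a sideloaded package that also holds
    # an accessibility service matches the reported ResidentBat pattern.
    sideloaded = parse_sideloaded(packages_raw)
    findings = []
    if devopts_raw.strip() == "1":
        findings.append(("LOW", "Developer Options are enabled"))
    if adb_raw.strip() == "1":
        findings.append(("MEDIUM", "USB debugging is enabled"))
    for svc in parse_accessibility_services(accessibility_raw):
        if svc.startswith(TRUSTED_PREFIXES):
            continue
        sev = "HIGH" if svc.split("/", 1)[0] in sideloaded else "MEDIUM"
        findings.append((sev, f"non-platform accessibility service {svc}"))
    for pkg in sideloaded:
        findings.append(("LOW", f"sideloaded package {pkg}"))
    return findings

# Constructed sample captures (not real device output).
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/.TalkBackService:"
                        "com.constructed.sample/.OverlayService")
SAMPLE_PACKAGES = ("package:com.constructed.sample  installer=null\n"
                   "package:com.example.bank  installer=com.android.vending\n")
```

Run `triage(...)` on the four captured strings and review anything rated MEDIUM or HIGH by hand; Play Protect state is not queryable this way and still needs checking in the Play Store UI.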
