ResidentBat Android Spyware Gives Belarusian KGB Persistent Device Access
ResidentBat Android malware requires physical device access for installation. Belarusian KGB operators sideload it via ADB, grant permissions manually, and disable Play Protect. Targets include journalists and activists. The spyware ran undetected since 2021 until RSF and RESIDENT.NGO exposed it in December 2025.
Once installed, ResidentBat grabs SMS, call logs, audio recordings, screenshots, local files, and encrypted chat traffic. C2 servers use self-signed TLS certificates with “CN=server” across ports 7000-7257. Ten active hosts cluster in Netherlands, Germany, Switzerland, and Russia.
Operators remotely wipe devices using Android’s DevicePolicyManager.wipeData. JSON configs control C2 addresses, upload timing, and immediate data flags. Physical install limits spread but guarantees high-value targets.
Malware Capabilities
ResidentBat pulls deep device intelligence. Each feature serves long-term surveillance.
| Function | Data Collected | Operator Control |
|---|---|---|
| SMS/Call Logs | Full message history | Real-time access |
| Microphone | Ambient audio recording | Command-triggered |
| Screenshots | Screen captures | Periodic or on-demand |
| File Access | Local storage contents | Download specific files |
| Traffic Intercept | Encrypted messenger data | Passive network monitoring |
| Device Wipe | Complete data destruction | Remote factory reset |
Censys notes that the consistent TLS fingerprints aid tracking of the infrastructure. See their analysis linked in the original report.
Installation Process
Attackers need hands-on access:
- Enable ADB debugging on the target device.
- Sideload the APK via `adb install`.
- Manually grant all permissions.
- Disable Google Play Protect.
- Configure the C2 connection.
Low infection rate. High precision targeting. Perfect for state surveillance.
C2 Evasion Tactics
Servers return empty 200 OK responses to all probes. Static Date headers hide timing. Client certificate auth blocks outsiders. Device allowlisting ensures control.
Five unique certificate fingerprints span infrastructure. AS29182 Russian networks host one node.
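A defender-side triage helper, added here as an example and not taken from the RSF/RESIDENT.NGO report or Censys: it scores constructed host observations against the C2 traits listed above (port range 7000-7257, self-signed certificate with CN=server, empty 200 OK bodies, static Date header across probes). The host addresses, dataclass fields and the hit threshold are assumptions.

```python
"""Score observed hosts against the ResidentBat C2 profile described above.
Sample observations are constructed; addresses are documentation-range
placeholders, not real indicators."""
from dataclasses import dataclass, field

C2_PORT_RANGE = range(7000, 7258)   # inclusive 7000-7257, per the report


@dataclass
class HostObservation:
    host: str
    port: int
    cert_subject: str   # subject DN seen in the TLS handshake
    cert_issuer: str    # issuer DN; equal to subject when self-signed
    # one tuple per HTTP probe: (status code, Date header, body length)
    probes: list = field(default_factory=list)


def c2_indicators(obs: HostObservation) -> list[str]:
    """Return the ResidentBat C2 traits this host exhibits."""
    hits = []
    if obs.port in C2_PORT_RANGE:
        hits.append("port-in-7000-7257")
    if "CN=server" in obs.cert_subject:
        hits.append("cn-server")
    if obs.cert_subject == obs.cert_issuer:
        hits.append("self-signed")
    # every probe answered 200 with an empty body
    if obs.probes and all(s == 200 and n == 0 for s, _, n in obs.probes):
        hits.append("empty-200-ok")
    # the same Date header on repeated probes hides server timing
    if len(obs.probes) >= 2 and len({d for _, d, _ in obs.probes}) == 1:
        hits.append("static-date-header")
    return hits


def is_likely_residentbat_c2(obs: HostObservation, min_hits: int = 4) -> bool:
    """Assumed threshold: four of five traits is a strong match."""
    return len(c2_indicators(obs)) >= min_hits


# constructed observations: one profile match, one ordinary web server
SAMPLES = [
    HostObservation("192.0.2.10", 7100, "CN=server", "CN=server",
                    [(200, "Thu, 01 Jan 2025 00:00:00 GMT", 0),
                     (200, "Thu, 01 Jan 2025 00:00:00 GMT", 0)]),
    HostObservation("192.0.2.20", 443, "CN=example.net", "CN=Example CA",
                    [(200, "Mon, 03 Mar 2025 10:00:00 GMT", 1532),
                     (200, "Mon, 03 Mar 2025 10:00:05 GMT", 1532)]),
]

if __name__ == "__main__":
    for o in SAMPLES:
        print(o.host, c2_indicators(o), is_likely_residentbat_c2(o))
```

Client-certificate authentication on the real servers means a plain probe may be refused outright, so treat the HTTP-based traits as optional and weight the certificate and port traits accordingly.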
Target Profile and Impact
Journalists face total device compromise. Civil society loses evidence with wipes. Belarusian ops run surgical surveillance.
Physical access requirement limits mass attacks. State actors gain perfect coverage on chosen targets.
Defense Measures
Android users can protect against physical-access attacks:
- Lock bootloader when possible.
- Disable ADB in developer options.
- Enable Play Protect always.
- Use secure app sources only.
- Watch for unknown permissions.
Journalists carry burner devices for high-risk areas.
FAQ
Physical ADB sideload by attacker with device access.
SMS, calls, audio, screenshots, files, chat traffic.
Yes. Remote wipe via DevicePolicyManager.
Netherlands (5), Germany (2), Switzerland (2), Russia (1).
Since 2021, exposed December 2025.