ResidentBat Android Spyware Gives Belarusian KGB Persistent Device Access


ResidentBat is Android malware that requires physical access to the device for installation: Belarusian KGB operators sideload it via ADB, grant its permissions manually, and disable Play Protect. Targets include journalists and activists. The spyware ran undetected from 2021 until RSF and RESIDENT.NGO exposed it in December 2025.

Once installed, ResidentBat collects SMS, call logs, audio recordings, screenshots, local files, and traffic from encrypted messaging apps. Its C2 servers use self-signed TLS certificates with CN=server, listening on ports in the 7000-7257 range. Ten active hosts cluster in the Netherlands, Germany, Switzerland, and Russia.

Operators can remotely wipe a device through Android's DevicePolicyManager.wipeData(), which only works for an app that holds the device-administrator role, something the hands-on install makes easy to arrange. JSON configuration files control C2 addresses, upload scheduling, and flags that force immediate exfiltration. The physical-install requirement limits spread, but that suits the operators: a small number of high-value targets rather than volume.

Malware Capabilities

ResidentBat collects a broad set of device data, and each capability serves long-term surveillance rather than a one-off theft. One caveat on the traffic-interception feature: traffic captured passively from an end-to-end encrypted messenger is still ciphertext, so screenshots and audio capture are what actually yield message content.

Function          | Data Collected            | Operator Control
------------------+---------------------------+---------------------------
SMS/Call Logs     | Full message history      | Real-time access
Microphone        | Ambient audio recording   | Command-triggered
Screenshots       | Screen captures           | Periodic or on-demand
File Access       | Local storage contents    | Download specific files
Traffic Intercept | Encrypted messenger data  | Passive network monitoring
Device Wipe       | Complete data destruction | Remote factory reset

Censys notes that the consistent TLS certificate fingerprints make the infrastructure trackable; see their analysis, linked from the original report.

Installation Process

Attackers need hands-on access:

  1. Unlock the device, enable USB (ADB) debugging in developer options, and authorise the attacker's computer.
  2. Sideload the APK with adb install.
  3. Grant the app's permissions manually, including the device-administrator activation that the remote wipe depends on.
  4. Disable Google Play Protect so the sideloaded app is neither flagged nor removed.
  5. Configure the C2 connection.

The result is few infections but precisely chosen victims, which is exactly what a state surveillance operation wants.

C2 Evasion Tactics

Servers return an empty 200 OK to every probe, so scanners see nothing of interest. A static Date header hides server timing. Client-certificate authentication turns away anything that is not an enrolled implant, and a server-side device allowlist limits which implants are serviced.

Five unique certificate fingerprints span the infrastructure. One node sits in AS29182, a Russian network.
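
The traits above (CN=server on a self-signed certificate, an empty 200 OK to arbitrary requests, a Date header that never advances, fingerprints shared across hosts) are enough to write a small hunting check. The script below is an added example, not Censys or RSF/RESIDENT.NGO tooling; it assumes only that openssl and curl are installed, and the scoring function takes captured values so it can be exercised without touching a live host. Probe only infrastructure you are authorised to test.

```shell
#!/bin/sh
# Scores a host:port against the C2 traits described above: a self-signed
# certificate with CN=server, an empty 200 OK to an arbitrary request, and a
# Date header that does not move between requests. Added example, not the
# Censys or RSF/RESIDENT.NGO tooling. Live probes need openssl and curl; the
# scoring itself takes captured values so it can be exercised offline.

# score_c2 SUBJECT STATUS BODY_BYTES DATE1 DATE2
#   SUBJECT    : output of `openssl x509 -noout -subject` for the leaf cert
#   STATUS     : HTTP status of GET / ("000" if the request failed)
#   BODY_BYTES : response body size in bytes
#   DATE1/2    : Date headers from two requests sent a few seconds apart
#   Prints the number of matching indicators, 0 to 3.
score_c2() {
  n=0
  case "$1" in
    *"CN = server"*|*"CN=server"*) n=$((n + 1)) ;;  # both openssl spellings
  esac
  if [ "$2" = "200" ] && [ "${3:-0}" -eq 0 ]; then
    n=$((n + 1))                                    # empty 200 OK to a junk probe
  fi
  if [ -n "$4" ] && [ "$4" = "$5" ]; then
    n=$((n + 1))                                    # static Date header
  fi
  echo "$n"
}

# cert_info HOST PORT : subject and SHA-256 fingerprint of the presented cert.
# The fingerprint is the pivot to sibling hosts (the report counts five across
# ten servers). A client-certificate demand arrives after the server's own
# certificate, so the leaf is visible even when the handshake is then refused.
cert_info() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -fingerprint -sha256 2>/dev/null
}

# http_probe HOST PORT : prints "STATUS BODY_BYTES|DATE" for one GET /
http_probe() {
  out=$(curl -sk --max-time 10 -D - -o /dev/null \
          -w 'STATUS %{http_code} %{size_download}' "https://$1:$2/" 2>/dev/null) || true
  code=$(printf '%s\n' "$out" | sed -n 's/^STATUS //p')
  date=$(printf '%s\n' "$out" | tr -d '\r' | sed -n 's/^[Dd]ate: //p' | head -n 1)
  printf '%s|%s\n' "${code:-000 0}" "$date"
}

# hunt HOST PORT : probe twice, score, and print the evidence
hunt() {
  info=$(cert_info "$1" "$2")
  subject=$(printf '%s\n' "$info" | sed -n 's/^subject=//p')
  p1=$(http_probe "$1" "$2"); sleep 5; p2=$(http_probe "$1" "$2")
  status=${p1%%|*}; status=${status% *}   # "200 0|<date>" -> "200"
  body=${p1%%|*};   body=${body##* }      # "200 0|<date>" -> "0"
  d1=${p1#*|}; d2=${p2#*|}
  score=$(score_c2 "subject=$subject" "$status" "$body" "$d1" "$d2")
  echo "$1:$2 score=$score/3"
  printf '%s\n' "$info"
  echo "first probe:  $p1"
  echo "second probe: $p2"
}

# Usage: sh hunt.sh HOST PORT   (no arguments: define the functions only)
if [ $# -eq 2 ]; then hunt "$1" "$2"; fi
```

A score of 3 on a host that also shares a fingerprint with a known node is a strong match; a lone CN=server hit is not, since that subject is common on lab and appliance certificates, which is why the fingerprint pivot matters more than any single indicator.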

Target Profile and Impact

Journalists face total device compromise, and civil-society groups lose evidence when a device is wiped. The Belarusian operation is surgical surveillance, not a mass campaign.

The physical-access requirement rules out mass attacks, but it gives the state actor complete coverage of the targets it chooses.

Defense Measures

Measures that raise the cost of a hands-on install (all of them assume the attacker cannot unlock the device, so a strong screen lock comes first):

  • Keep the bootloader locked; an unlocked bootloader lets anyone holding the device flash arbitrary images.
  • Keep USB debugging off and revoke existing USB debugging authorisations in developer options.
  • Leave Play Protect enabled, and confirm it is still on after the device has been out of your hands.
  • Install apps only from trusted sources.
  • Review installed apps, device administrators, and granted permissions for anything unfamiliar.

Journalists working in high-risk areas should carry a separate minimal device and treat any phone that has been seized or left unattended as compromised.
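
Both the installation steps and the defence list above come down to a handful of device states that can be checked after the fact: third-party packages with no store installer, USB debugging and app verification toggles, and which apps hold the device-administrator role that a remote wipe needs. The script below is an added example, not tooling from RSF, RESIDENT.NGO or Censys. It assumes that adb install leaves the installer field of pm list packages as null or com.android.shell, and that dumpsys device_policy lists admins as indented pkg/.Receiver: lines under an "Enabled Device Admins" heading; both are stated as assumptions in the code. The sample dump it ships with is constructed, not captured from an infection, and the parsing runs offline on that sample unless --live is passed.

```shell
#!/bin/sh
# Post-exposure triage for the hands-on ADB install pattern described above.
# Added example, not tooling from RSF, RESIDENT.NGO or Censys. The parsing
# functions work on captured `adb shell` output so they run offline against a
# saved dump; run with --live to pull the same data from a connected device.
#
# Assumptions (ours, not facts from the report):
#  * `adb install` leaves the installer field of `pm list packages -3 -i` as
#    "null" or "com.android.shell", while store installs name the store
#    (com.android.vending for Play).
#  * `dumpsys device_policy` lists admins under "Enabled Device Admins" as
#    indented "pkg/.Receiver:" lines, terminated by a blank line.

# sideloaded_packages PM_OUTPUT
#   PM_OUTPUT: text of `adb shell pm list packages -3 -i` (third-party only;
#   system apps also show installer=null and must not be counted).
sideloaded_packages() {
  printf '%s\n' "$1" | awk '
    /installer=null$/ || /installer=com\.android\.shell$/ {
      sub(/^package:/, "", $1); print $1 }'
}

# flag_settings ADB_ENABLED VERIFIER_ENABLED VERIFY_ADB
#   Values of Settings.Global adb_enabled, package_verifier_enable and
#   verifier_verify_adb_installs as printed by `settings get global NAME`
#   ("1", "0", or "null" when unset; unset means the platform default).
#   adb_enabled is trivially 1 while you collect over adb; it matters for a
#   saved dump or for a re-check after the sweep. Play Protect's own switch
#   lives in Google's settings, not here, so it still needs a manual check.
flag_settings() {
  if [ "$1" = "1" ]; then echo "adb_enabled=1: USB debugging is on"; fi
  if [ "$2" = "0" ]; then echo "package_verifier_enable=0: app verification disabled"; fi
  if [ "$3" = "0" ]; then echo "verifier_verify_adb_installs=0: adb installs skip verification"; fi
}

# device_admins DUMPSYS_OUTPUT
#   DUMPSYS_OUTPUT: text of `adb shell dumpsys device_policy`.
#   Prints active device-admin components. DevicePolicyManager.wipeData only
#   works for an app holding this role, so an unfamiliar entry is the
#   capability the remote wipe depends on.
device_admins() {
  printf '%s\n' "$1" | awk '
    /Enabled Device Admins/ { inblk = 1; next }
    inblk && /^[ \t]*$/ { inblk = 0 }
    inblk && /^[ \t]*[A-Za-z0-9_.]+\/[^ \t:]+:$/ {
      sub(/^[ \t]*/, ""); sub(/:$/, ""); print }'
}

# triage PM_OUTPUT ADB_ENABLED VERIFIER_ENABLED VERIFY_ADB DUMPSYS_OUTPUT
triage() {
  echo "== third-party packages not installed by a store (candidate sideloads)"
  sideloaded_packages "$1"
  echo "== weakened global settings"
  flag_settings "$2" "$3" "$4"
  echo "== active device administrators (needed for a remote wipe)"
  device_admins "$5"
}

# Constructed sample output, not captured from a real infection.
SAMPLE_PM='package:com.google.android.youtube installer=com.android.vending
package:org.example.sysupdate installer=null
package:org.example.helper installer=com.android.shell'
SAMPLE_DP='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    org.example.sysupdate/.AdminReceiver:
      uid=10204

  Device Owner:
    (none)'

if [ "${1:-}" = "--live" ]; then
  strip() { tr -d '\r'; }   # adb shell output may carry CRLF line endings
  triage "$(adb shell pm list packages -3 -i | strip)" \
         "$(adb shell settings get global adb_enabled | strip)" \
         "$(adb shell settings get global package_verifier_enable | strip)" \
         "$(adb shell settings get global verifier_verify_adb_installs | strip)" \
         "$(adb shell dumpsys device_policy | strip)"
else
  triage "$SAMPLE_PM" 1 0 null "$SAMPLE_DP"
fi
```

The check is evidence, not proof: a legitimate app installed from an APK by the owner looks the same in the first section, so the signal is the combination of an unrecognised sideload that also holds device-admin rights on a phone whose verification settings have been switched off.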

FAQ

How does ResidentBat infect Android devices?

Physical ADB sideload by an attacker with hands-on access to the unlocked device.

What can ResidentBat steal from phones?

SMS, calls, audio, screenshots, files, chat traffic.

Can operators destroy infected devices?

Yes. Remote wipe via DevicePolicyManager.wipeData, which requires the implant to hold device-administrator rights.

Where are ResidentBat C2 servers located?

Netherlands (5), Germany (2), Switzerland (2), Russia (1).

How long has ResidentBat operated?

Since 2021, exposed December 2025.
