Something to Remember Us By: Device Confiscated by Russian Authorities Returned with Monokle-Type Spyware Installed
ID: 4a2a8896-6912-5671-83d7-d85c1d239eb7
STIX ID: report--4a2a8896-6912-5671-83d7-d85c1d239eb7
Feed Name: The Citizen Lab
Citizen Lab and The First Department investigated a case where an Android device returned after detention contained a trojanized version of the Cube Call Recorder app that functions as advanced spyware. The multi-stage payload (SHA-256: 737f60749c...) decrypts an embedded DEX, provides location tracking, keylogging, call and screen recording, extraction of files and passwords, and numerous remote commands; analysis finds strong overlaps with Monokle-era tooling and C2 command strings, suggesting an updated Monokle or code reuse by a likely Russian state-linked actor. The report includes detailed IoCs (hash, C2 command list, permissions) and recommends expert device analysis for anyone whose device was confiscated.
