
ResidentBat demonstrates how authoritarian regimes can exploit physical device control to conduct precise, high‑value espionage, raising urgent security concerns for at‑risk individuals and organizations worldwide.
ResidentBat represents a new tier of state-run Android spyware that sidesteps the public app ecosystem entirely. Because installation requires the device to be physically in the hands of Belarusian KGB operatives, the malware can be loaded through the Android Debug Bridge, granting the agency deep system privileges without relying on exploit chains or malicious links. Once sideloaded, the implant harvests SMS, call logs, microphone recordings, screen captures, and encrypted-messenger content, and retains the ability to trigger a factory reset via the DevicePolicyManager API. This hands-on approach sacrifices scale for precision, targeting journalists, activists, and NGOs who are most exposed to state retaliation.
C2 servers for ResidentBat are deliberately low-profile, listening on a narrow port range (7000-7257, occasionally 4022) and presenting self-signed TLS certificates with a static banner hash. Censys data shows ten active hosts clustered in European data centers, primarily in the Netherlands and Germany, with a single node in Russia. The infrastructure answers every request with an HTTP 200 and requires client-certificate authentication, so its traffic looks benign to generic network monitors. The fingerprint nonetheless lets defenders hunt for outbound HTTPS sessions whose certificate matches the banner hash, enabling early detection and blocklisting of the command network before data exfiltration occurs.
Mitigating ResidentBat hinges on strict physical-device controls and hardened Android policies. Organizations supporting at-risk journalists should keep USB debugging disabled by policy, require Android Advanced Protection Mode, and monitor for unauthorized sideloaded packages or the disabling of Play Protect. Enterprise mobile-device-management (MDM) solutions can flag anomalous permission grants and unexpected network connections to the known port range. The broader lesson is that state actors can weaponize ordinary hardware once they gain custody of it, underscoring the need for comprehensive security training, device escrow procedures, and rapid incident response to prevent long-term surveillance footholds.
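The hunt described in the C2 paragraph above and the MDM port-range monitoring mentioned here can be expressed as one small triage routine. This is an added example, not code from the original report: it scans Zeek-style TLS session records for the port profile, self-signed certificates and a banner hash; the record layout, host addresses and the hash value are constructed placeholders.

```python
"""Triage outbound TLS sessions against the ResidentBat C2 profile (added example)."""
from typing import List, Optional, Tuple

# Port profile from the report: 7000-7257 plus the occasional 4022.
C2_PORTS = set(range(7000, 7258)) | {4022}

# Placeholder value; substitute the banner/certificate hash from the real IoC list.
KNOWN_BANNER_HASHES = {"PLACEHOLDER_BANNER_HASH"}

# Constructed records: ts, src, dst, dst_port, validation_status, cert_sha256
# (field order mimics a trimmed Zeek ssl.log; it is not real telemetry).
SAMPLE_LOG = """\
1700000001\t10.0.0.12\t203.0.113.7\t7120\tself signed certificate\taaaa
1700000002\t10.0.0.12\t203.0.113.9\t443\tok\tbbbb
1700000003\t10.0.0.15\t198.51.100.4\t4022\tself signed certificate\tcccc
1700000004\t10.0.0.15\t198.51.100.4\t8443\tself signed certificate\tdddd
1700000005\t10.0.0.20\t192.0.2.33\t443\tok\tPLACEHOLDER_BANNER_HASH
"""


def parse_sessions(text: str) -> List[dict]:
    """Turn tab-separated lines into dicts; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue
        ts, src, dst, port, status, cert = parts
        out.append({"ts": ts, "src": src, "dst": dst, "dst_port": int(port),
                    "self_signed": "self signed" in status, "cert": cert})
    return out


def session_risk(s: dict) -> Optional[str]:
    """Reason the session matches the C2 profile, or None if it does not."""
    if s["cert"] in KNOWN_BANNER_HASHES:
        return "known C2 banner hash"          # strongest signal, any port
    if s["dst_port"] in C2_PORTS and s["self_signed"]:
        return "self-signed TLS on ResidentBat port range"
    return None


def hunt(text: str) -> List[Tuple[dict, str]]:
    """Return (session, reason) pairs worth an analyst's attention."""
    return [(s, r) for s in parse_sessions(text) if (r := session_risk(s))]


if __name__ == "__main__":
    for s, reason in hunt(SAMPLE_LOG):
        print(f"{s['src']} -> {s['dst']}:{s['dst_port']}  {reason}")
```

Port-plus-self-signed alone is only a lead (plenty of benign services use self-signed certificates on high ports), so treat the banner-hash match as the confirming signal and the port hit as a reason to pull the full session for review.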