30 December 2025: You’ve Got To Hand It To Them
Welcome to the first Travels in Digital Security newsletter for 2025! Yeah, I know. Things happened and then other things happened and then it suddenly was the end of December.
Some of the things that happened were work related. First, the work I was doing for Internews stopped in January as Elon Musk and his buddies thought it was too woke. Thankfully, I was able to increase the hours I was working for Silent Push, where I was mostly tracking APTs (this, for example).
But now this work is also coming to an end and so I am looking for work. Full-time, part-time, contract or permanent work. I’d love to continue working on APT groups – I love the interaction of cybersecurity and geopolitics – but my threat intelligence skills and experience are broadly applicable. And I have in almost two decades working in cybersecurity (my website serves as a portfolio of sorts) done a lot of different things too, including a lot of work for NGOs and high-risk groups, and would love to do more work there as well.
Reach out if you have any work, or if you want to get my resume.
Martijn
martijn@lapsedordinary.net
martijngrooten.37
You’ve Got To Hand It To Them
A few weeks ago, RESIDENT.NGO published an analysis of an investigation into spyware deployed on the phone of a journalist in Belarus.
Both their analysis and a more detailed report (pdf) by Reporters Without Borders (RSF) are really good and detailed and well worth a read. What I want to focus on though is the infection method and what this means for spyware used against at-risk individuals.
When we talk about spyware, especially targeting this community, it’s usually things like Pegasus, Predator or Paragon. Though there are some differences between these, they share two important characteristics. First, the spyware is remotely installed through a vulnerability in the phone's software, typically one that hasn’t been patched (‘zero-day’). And secondly, the spyware doesn’t manifest itself as an app but runs at a lower level on the device: it won’t show up in the list of apps and may have powers that apps never have.
This makes this kind of spyware really powerful and really hard to detect. But it also makes it really hard to develop and thus really expensive to buy. As a very rough ballpark figure, think of US$100,000 per infected device. And there is also the fact that Israel, where a lot of the spyware is developed, doesn’t always grant an export license. Which is why governments and government agencies are looking for alternatives.
One common alternative is to install the spyware manually, which does require brief physical access to the unlocked device. This is what happened in Belarus and what previously happened in Serbia and Kenya (and likely in Iran too).
Access to the phone is obtained during an arrest or investigation (sometimes under a false pretext). To unlock the device, the operators might use force or coercion to obtain the passcode, or, as they did in Serbia, may use a third-party tool like Cellebrite to unlock it. Cellebrite also uses zero-day vulnerabilities, but the ones that unlock a phone are much easier to find (and thus cheaper to buy) than those that remotely install spyware.
Once the operators have access to an unlocked device, they can manually install the spyware, bypassing security protections built into a phone. It’s the same method used when stalkerware is installed on the phone of an (ex-)partner. In fact, the spyware installed on Kenyan journalists’ phones is common stalkerware that they could have purchased for a few hundred dollars. (Side-note: I co-run the Coalition Against Stalkerware.)
This does have one big advantage for targets: the spyware behaves like any other app on the phone. In particular, it needs to be granted permissions during installation, and these permissions, as RESIDENT.NGO points out, are one way to detect such spyware. In fact, I highly recommend that those who may be at risk of this kind of spyware regularly perform the “Manual Self-Checks” detailed in the blog post, especially after the phone may have been temporarily in someone else’s hands.
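As an added example (not from the newsletter and not RESIDENT.NGO's checklist), here is a small Python triage script that parses the output of `adb shell dumpsys package <pkg>` for granted permissions a surveillance app would need, plus the enabled accessibility services setting that stalkerware-style apps typically rely on; the sample output, package name and the list of sensitive permissions are constructed assumptions.

```python
"""Added example: triage an Android app's permission grants for signs of a
manually installed surveillance app. Sample data below is constructed."""
import re

# Permissions a user must grant at install time that a surveillance app needs.
# Assumption: list chosen for this example, not taken from the newsletter.
SENSITIVE = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}

# Constructed, trimmed sample of `adb shell dumpsys package com.example.sysupdate`
# (hypothetical package name); real output is much longer.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.sysupdate] (a1b2c3):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""

GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def granted_permissions(dumpsys_text):
    """Return the set of permissions the dumpsys output reports as granted=true."""
    granted = set()
    for line in dumpsys_text.splitlines():
        m = GRANT_RE.match(line)
        if m and m.group(2) == "true":
            granted.add(m.group(1))
    return granted


def sensitive_grants(dumpsys_text):
    """Sorted list of granted permissions that merit a closer look at the app."""
    return sorted(granted_permissions(dumpsys_text) & SENSITIVE)


def accessibility_services(setting_value):
    """Parse `adb shell settings get secure enabled_accessibility_services`:
    colon-separated component names, or 'null' when none are enabled."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [s for s in value.split(":") if s]


if __name__ == "__main__":
    print(sensitive_grants(SAMPLE_DUMPSYS))
    print(accessibility_services("com.example.sysupdate/.A11yService"))
```

Run the two adb commands per third-party package (`adb shell pm list packages -3` lists them) and feed the text to these functions; any third-party app holding several of these grants or registered as an accessibility service deserves scrutiny.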
It also means that, like stalkerware, this is primarily an Android problem: iPhones currently have much better protection against ‘side-loading’ apps. (Spyware like Pegasus, on the other hand, is mostly known for targeting iPhones but there may be a detection bias here at play: it is currently easier to detect on iPhone.)
Though we only know of cases of manually installed spyware from a handful of countries, the problem is likely much bigger. And we cannot exclude the existence of some hybrid spyware that requires manual access but is then installed at a lower level, thus not showing up as an app.
Therefore, the following advice from RESIDENT.NGO remains important for at-risk individuals: "If your phone was taken out of your sight for at least several minutes, assume it is infected". And in that case, contact a (local) NGO, such as RESIDENT.NGO, for support.
F- The Rules
Previous versions of this newsletter contained a book I read and a song I enjoyed. I’ve not been reading a lot in recent months, so I’m holding off on that for now, but I have been listening to a lot of music. So much so that a few months ago, I started a music blog where I write about new and old songs I love.