In May 2025, BBC filmmaker Nicholas Wambugu alleged that his phone was tampered with while in Kenyan police custody. A forensic report from Citizen Lab confirmed that FlexiSPY, a commercial spyware package, was installed on his device on May 21, 2025, while still in state possession.
This case highlights how lawful custody of a device can be abused for targeted surveillance. Below we break down what FlexiSPY is, how it works, and what security professionals should know.
What is FlexiSPY?
FlexiSPY is sold as “parental control” and “employee monitoring” software but functions like advanced spyware. Once installed, it operates with elevated privileges and resists detection.
Capabilities include:
- Call interception and recording
- Message extraction (SMS, WhatsApp, Telegram, Signal)
- Location tracking in real time
- Camera and microphone activation
- File manipulation (altering or deleting stored data)
- Exfiltration of credentials
Technical Behavior of FlexiSPY
FlexiSPY is typically sideloaded or installed manually when attackers have physical access to the device. In the Kenya case, the spyware was deployed while the device was in custody, a strong indication of insider access.
Persistence mechanisms:
- Registers as system services to survive reboots
- Disguises itself under names mimicking legitimate OS processes
- Uses root or jailbreak exploits on some devices to escalate privileges
Network activity:
- Periodic connections to command-and-control (C2) servers over HTTPS
- Data exfiltration occurs in compressed, encrypted payloads
- Traffic often shows unusual frequency even when the device is idle
Indicators of Compromise (IOCs)
Based on open-source and forensic research into FlexiSPY deployments:
File/System Artifacts
- Presence of hidden APKs with misleading names (`SystemServices.apk`, `SyncManager.apk`)
- Modified permissions in `/system/priv-app/` on Android devices
- Unexpected cron jobs or background daemons on jailbroken iOS devices
Network Indicators
- Repeated DNS lookups to unknown domains not associated with OS updates
- Outbound HTTPS traffic to non-standard ports (e.g., 4433, 8443)
- Large bursts of encrypted traffic when calls/messages are active
Behavioral Indicators
- Faster battery drain
- Device heating up during idle periods (due to microphone/camera activation)
- Unexplained permission prompts or new accessibility services enabled
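The file and network indicators above, turned into a small triage script as an added example (this is not code from the original post or from any of the tools it names). The sample file inventory, the connection records, the allow-list of OS domains, and the baseline priv-app permission mode are all constructed assumptions; only the APK names, the priv-app path and the ports come from the post.

```python
from collections import Counter

# Indicators named in the post
SUSPECT_APK_NAMES = {"SystemServices.apk", "SyncManager.apk"}
NON_STANDARD_HTTPS_PORTS = {4433, 8443}
PRIV_APP_DIR = "/system/priv-app/"

# Assumptions for this example: a baseline mode for files under priv-app and an
# allow-list of OS/update domains. A real deployment would use a vetted baseline.
EXPECTED_PRIV_APP_MODE = "rw-r--r--"
KNOWN_OS_DOMAINS = {"android.googleapis.com", "play.googleapis.com"}

# Constructed inventory: (path, mode) as a simplified `ls -l` would report
SAMPLE_FILES = [
    ("/system/priv-app/Settings/Settings.apk", "rw-r--r--"),
    ("/system/priv-app/SystemServices/SystemServices.apk", "rwxrwxrwx"),
    ("/data/app/com.example.chat/base.apk", "rw-r--r--"),
]

# Constructed connection log captured while the device was idle: (host, port, bytes)
SAMPLE_CONNECTIONS = [
    ("android.googleapis.com", 443, 1200),
    ("sync-relay.example.net", 8443, 98304),
    ("sync-relay.example.net", 8443, 101200),
    ("sync-relay.example.net", 4433, 5000),
    ("cdn.example.org", 443, 300),
]


def scan_files(files):
    """Flag misleading APK names and permission changes under /system/priv-app/."""
    findings = []
    for path, mode in files:
        name = path.rsplit("/", 1)[-1]
        if name in SUSPECT_APK_NAMES:
            findings.append(f"suspect APK name: {path}")
        if path.startswith(PRIV_APP_DIR) and mode != EXPECTED_PRIV_APP_MODE:
            findings.append(f"modified permissions under priv-app: {path} ({mode})")
    return findings


def scan_connections(conns, repeat_threshold=3):
    """Flag HTTPS to non-standard ports and repeated contact with unknown domains."""
    findings, seen = [], set()
    for host, port, _ in conns:
        if port in NON_STANDARD_HTTPS_PORTS and (host, port) not in seen:
            seen.add((host, port))
            findings.append(f"HTTPS to non-standard port: {host}:{port}")
    unknown = Counter(h for h, _, _ in conns if h not in KNOWN_OS_DOMAINS)
    for host, n in unknown.items():
        if n >= repeat_threshold:
            findings.append(f"repeated connections to unknown domain: {host} ({n})")
    return findings
```

Run against a real inventory, the same functions can consume the output of `ls -l` on the priv-app directory and a netflow or proxy export, provided the baseline and allow-list are replaced with ones appropriate to the device.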
Defensive Measures
For journalists, activists, and developers working on sensitive projects, awareness and mitigation are critical.
Preventive:
- Avoid reusing devices after state seizure; treat them as compromised
- Enable full-disk encryption to make tampering harder
- Use strong device passcodes and disable USB debugging
Detection:
- Use tools like MobSF, apktool, or Frida for static/dynamic analysis of suspicious apps
- Deploy YARA rules for identifying FlexiSPY binaries in scans
- Monitor device traffic with MITM proxies or Pi-hole DNS filtering to flag suspicious connections
Response:
- Perform full firmware reinstallation rather than a simple factory reset
- If high risk, migrate to a new device and treat the compromised one as untrusted
- Use forensic services like Citizen Lab or open-source frameworks like Mobile Verification Toolkit (MVT) to analyze potential infections
Why This Case Matters for Developers
The Kenyan case demonstrates how commercial spyware is weaponized against civil society. For developers and security researchers:
- Be aware of dual-use tech: “monitoring tools” often blur into surveillance
- Build security into your apps: enforce secure communications, detect rooted/jailbroken environments, and monitor for abnormal OS behaviors
- Contribute to tooling: open-source detection frameworks are vital for protecting journalists and activists who lack access to enterprise security budgets
Final Thoughts
The FlexiSPY incident in Kenya is a reminder that surveillance is not theoretical. It affects real people, often those exposing uncomfortable truths. As security professionals, we have a responsibility to not only study these tools but also to build countermeasures that protect privacy and freedom of expression.