Cyber Security News

FlexiSPY Spyware That Monitors Messages and Social Media Installed on Kenyan Filmmakers' Devices

Four Kenyan filmmakers became victims of sophisticated surveillance when FlexiSPY spyware was covertly installed on their devices while the devices were in police custody, according to forensic analysis conducted by the University of Toronto’s Citizen Lab.

The incident occurred on or around May 21, 2025, after authorities seized the devices during arrests connected to allegations surrounding the BBC documentary “Blood Parliament.”

The filmmakers—MarkDenver Karubiu, Bryan Adagala, Nicholas Wambugu, and Christopher Wamae—were arrested on May 2 at a Nairobi studio on charges of publishing false information.

Though released without charges the following day, their electronic devices remained in police custody until July 10, providing a window for the unauthorized spyware installation.

CPJ analysts noted that the FlexiSPY installation represents a significant breach of journalistic privacy and security.

The commercially available surveillance tool grants operators comprehensive access to victims’ digital communications, including real-time monitoring of messages, emails, and social media activities.

Senior researcher John Scott-Railton emphasized that the spyware provides “silent, secret access to all sorts of private business and information about their journalism.”

FlexiSPY markets itself as a monitoring solution for parents and employers, advertising capabilities that extend far beyond basic surveillance.

The software can record phone calls, track device locations and website visits, capture passwords, download photos and videos, and even activate device microphones for environmental listening.

This comprehensive surveillance capability makes it particularly concerning when deployed against journalists and media professionals.

Advanced Persistence and Monitoring Capabilities

The FlexiSPY spyware demonstrates sophisticated persistence mechanisms designed to maintain long-term access to compromised devices.

Once installed, the malware operates stealthily in the background, continuously transmitting data to remote servers while avoiding detection by standard security measures.

The software’s architecture allows it to survive device reboots and resist removal attempts through hidden system-level integration.

The spyware’s monitoring capabilities extend to encrypted messaging platforms, potentially compromising secure communications that journalists rely upon for source protection.

By intercepting data before encryption occurs at the application level, FlexiSPY can capture sensitive information that would otherwise remain protected.

This functionality poses particular risks for investigative journalists who depend on confidential communications with sources and colleagues.

The incident highlights growing concerns about state surveillance of media professionals and the weaponization of commercial spyware against press freedom advocates worldwide.


Tushar Subhra Dutta
