Military intelligence officer jailed for investigating ISIL and malware apps in Turkey


Abdullah Bozkurt


A Turkish military intelligence officer who investigated the Islamic State in Iraq and the Levant as well as malware applications that were used for spying was not only dismissed from the service but was also imprisoned by the government on dubious charges.

Lt. Col. Hüseyin Yıldırım, who was responsible for research in the General Staff intelligence department, was jailed by the Turkish government on coup charges based on evidence that he was investigating ISIL and malware applications, among other issues that were referred by the General Staff. According to confidential documents obtained by Nordic Monitor, the police department sent his notes to the prosecutor as part of criminal evidence to support the coup charges against him.

During a search of his office, No. 438, at General Staff headquarters where he was working until July 15, 2016, police found documents and handwritten notes that were later examined for criminal content. In a report filed on January 20, 2017 the police concluded that a black notebook which included handwritten notes by Lt. Col. Yıldırım amounted to criminal evidence. On one page Yıldırım took some notes on ISIL and made notations on its Takfiri (apostasy) ideology. The notes quoted ISIL publications that described the Turkish Armed Forces as an “army of infidels” and its commanders as “non-believers.” There were also some numbers next to the notes.

He defended himself during a hearing in December 2018, saying he was investigating social media accounts that were connected to ISIL. The notes fit the job description of Lt. Col. Yıldırım, who had been looking into threats to the TSK as one of the intelligence officers in the research department. Yet, the Turkish prosecutor presented this note as criminal evidence against him in case file No. 2016/103566 at the Ankara Chief Public Prosecutor’s Office.


Prosecutor Serdar Coskun’s search order for the office and residence of Lt. Col. Hüseyin Yıldırım.


Other evidence that was examined and later incorporated in the indictment was handwritten notes of the names of malware applications. The police investigators could not identify the names and concluded that the notes included foreign names that could not be deciphered. If they had only Googled those names, they would have seen that they were identified as malware applications by many websites. Yet, in order to make the unlawful case against a senior intelligence officer, the police and prosecutor listed the names of the apps as something resembling code words.

In reality, the officer copied the names of 13 malicious apps on Google Play that are related to the Brain Test malware family that were identified by researchers at mobile security company Lookout in January 2016.

Known for piggy-backing on fully functioning mobile applications, the malware corrupts Android devices, downloads malicious Android Application Packages (APKs) and inflates the Google Play ratings of other apps written by the same group of Chinese developers.

According to Lookout, the complete list of the 13 apps that were removed from the Google Play platform is as follows:

Cake Tower, com.beautiful.caketower

Drag Box, com.block.dragbox

Jump Planet, com.galaxy.jumpplanet

Honey Comb, com.sweet.honeycomb

Crazy Block, com.crazy.block

Piggy Jump, com.stupid.piggyjump

Hit Planet,

Ninja Hook,

Just Fire, com.tomtom.justfire

Eat Bubble, com.fine.eatbubble

Crazy Jelly, com.crazy.sugar

Tiny Puzzle,

Cake Blast, com.zhtt.cakeblast


“It appears the primary goal of the malware is to download and install additional APKs as directed by the command-and-control server,” Lookout said. “The developers also used infected devices to download other malicious applications they had submitted to the Play Store, which would inflate the number of downloads each application received.”


Again, as part of his job, the Turkish intelligence officer was looking into the malware applications that posed a security threat. Yet, his listing of these apps landed him in hot water with the prosecutor and police, who could not make out what they stood for.

Other evidence included tips the General Staff received against officers in the military; Yıldırım was tasked by his commanders to investigate whether there was any merit to the accusations leveled against the officers by anonymous parties. His research into the allegations was branded as something nefarious by the prosecutor when in fact he was doing what he was supposed to do within the chain of command.

Yıldırım had access to a secure room that requires a passcode to enter, and one note the police found in his desk included the passcode to that room, which included sensitive research data. That was also presented as criminal evidence against him in court.

The criminal prosecution of Lt. Col. Yıldırım lacks any solid evidence of wrongdoing and involvement in a coup that was attempted in July 2016. It appears to be part of the politically motivated campaign to remove him and thousands of other well-qualified, pro-NATO officers from the alliance’s second largest army in terms of manpower. Some 70 percent of generals and admirals have been removed and/or jailed by the Erdoğan government since 2016, and thousands of officers were jailed on terrorism and coup plotting charges. The purge helped Islamists and neo-nationalists fill the senior ranks of the Turkish military as Erdoğan moved to disengage from the NATO alliance by pivoting to the Iranian-Russian axis.

