Cellebrite blocked Serbia from using its solution because of misuse of the equipment for political reasons

Pierluigi Paganini February 27, 2025

Cellebrite blocked Serbia from using its solution after reports that police used it to unlock and infect the phones of a journalist and activist.

A report published by Amnesty International in December 2024 documented the use of Cellebrite’s forensics tools by Serbian police to unlock and install spyware on the phones of a local journalist and an activist.

The police used NoviSpy, a newly discovered Android spyware that enables Serbian authorities to surveil targets by capturing personal data and remotely activating microphones or cameras.

NoviSpy is less advanced than other spyware like NSO Group’s Pegasus. Amnesty International found forensic evidence linking Cellebrite tools to NoviSpy infections, revealing that Serbian police used Cellebrite UFED exploits to bypass Android security and secretly install the spyware on activists’ phones during police interviews. The malware is deployed via the Android Debug Bridge (adb) command-line utility.

“Serbian police and intelligence authorities are using advanced phone spyware alongside mobile phone forensic products to unlawfully target journalists, environmental activists and other individuals in a covert surveillance campaign, a new Amnesty International report has revealed.” reported Amnesty International. “the Serbian police and the Security Information Agency (Bezbedonosno-informativna Agencija – BIA) have used a bespoke Android spyware system, NoviSpy, to covertly infect individuals’ devices during periods of detention or police interviews.”

Now, the Israeli company Cellebrite has announced that it is suspending the provision of its technology to Serbia due to reports of abuse by local police.

“After a review of the allegations brought forth by the December 2024 Amnesty International report, Cellebrite took precise steps to investigate each claim in accordance with our ethics and integrity policies. We found it appropriate to stop the use of our products by the relevant customers at this time.” reads the announcement. “We assess countries we do business with – both on an annual and ad-hoc basis due to political and cultural shifts. We regularly track countries and review a multitude of indexes ranging from democratization to human rights to rule of law. Our robust compliance and ethics program is designed so that democratized nations around the globe use our technology ethically and lawfully – all paramount to our mission of accelerating justice, safeguarding communities and helping to save lives.”

“This decision reinforces Amnesty International’s December findings that Serbian police and intelligence routinely misused Cellebrite’s digital forensic equipment outside legally sanctioned processes to target civil society activists and independent journalists critical of the government.” said Donncha Ó Cearbhaill, Head of the Security Lab at Amnesty International.   

“Withdrawing licences from customers who misused the equipment for political reasons is a critical first step. Now, Serbian authorities must urgently conduct their own thorough and impartial investigations, hold those responsible to account, provide remedies to victims and establish adequate safeguards to prevent future abuse.”    

“Any further exports of surveillance or digital forensics technology to Serbia must be stopped until the authorities have implemented an effective and independent system of control and oversight over any measures that could restrict people’s right to privacy, freedom of expression or peaceful assembly.” added Donncha Ó Cearbhaill.

NoviSpy spyware samples from devices analyzed by Amnesty were controlled by C2 servers in Serbia. The experts also discovered that one spyware configuration was linked to an IP range associated with Serbia’s intelligence agency, the BIA, and to a specific BIA employee tied to past spyware procurement efforts. Evidence, including the spyware’s installation during BIA interviews, attributes these surveillance campaigns with high confidence to the BIA and the Serbian government.

In February 2024, Serbian journalist Slaviša Milanov was summoned to a police station after a routine traffic stop. After the police released him, Milanov noticed suspicious changes to his phone settings, such as disabled data and Wi-Fi. He then requested help from Amnesty International’s Security Lab, fearing he was the target of surveillance software like other journalists in Serbia.

Amnesty International made two disconcerting discoveries while investigating the case of Milanov’s phone. First, forensic traces showed that Serbian police used a Cellebrite tool to unlock and extract data from his device without informing him, obtaining legal consent, or disclosing the search’s purpose. Second, the analysis revealed a previously undetected spyware, named “NoviSpy,” which can extract personal data, activate the device’s microphone or camera, and was installed during police possession of his phone. The spyware’s deployment relied on Cellebrite’s unlocking process, combining two invasive technologies to compromise the journalist’s digital privacy comprehensively.

NoviSpy is deployed via the Android Debug Bridge (adb) command-line utility.

Serbian authorities also extensively and illegitimately used the Cellebrite extraction suite to download personal data from the phones of journalists and protest organizers.

“In at least two cases Amnesty International documented, the Cellebrite UFED product and associated exploits were used to covertly bypass phone security features, enabling Serbian authorities to infect the devices with NoviSpy spyware. These covert infections, which also occurred during interviews with police or BIA, were only possible because of the capabilities provided by advanced technology like Cellebrite UFED to bypass device encryption.” reads the report published by Amnesty. “While activists have long expressed concerns about spyware infections occurring during police interviews, Amnesty International believes that this report describes the first forensically documented spyware infections enabled by the use of Cellebrite mobile forensic technology.”

Amnesty International’s Security Lab also discovered that the extraction tool Cellebrite UFED exploited a Qualcomm Multiple Chipsets Use-After-Free zero-day vulnerability, CVE-2024-43047, which Google patched in November 2024. A joint effort by Amnesty International and Google made it possible to identify the exploit from the analysis of forensic logs found on the phone of a protest organizer detained by Serbian police.

Other targets of the NoviSpy spyware campaign included the activist Nikola Ristić, environmental activist Ivan Milosavljević Buki, and an unnamed activist from Krokodil, a Belgrade-based NGO.

Serbia’s police labeled the Amnesty report as “absolutely incorrect.”

“Serbia’s police said in a statement that the Amnesty report is “absolutely incorrect,” but also added that “the forensic tool is used in the same way by other police forces around the world.”” reported the Associated Press.

“Serbia must commit to immediately stop using highly invasive spyware and carry out prompt, independent and impartial investigations into all documented and reported cases of unlawful digital surveillance.” concludes the report. “It also must take concrete steps to ensure that digital technologies are not misused to violate human rights, including by putting in place and robustly enforcing a legal framework that provides meaningful procedural safeguards, effective systems of control and oversight through judicial review, and effective mechanisms for redress for victims.”
