Serbian journalist Slaviša Milanov found himself in a precarious situation in February 2024 after being taken to a police station following a routine traffic stop. Little did he know that this seemingly innocuous incident would snowball into a revelation of unsettling proportions. Upon his release, Milanov noticed that his phone was exhibiting strange behavior – data and Wi-Fi settings were turned off, hinting at possible hacking.
In a bid to get to the bottom of this disturbing occurrence, Milanov reached out to Amnesty International’s Security Lab for assistance. What unfolded next was nothing short of a technological thriller. A commercial forensic tool, commonly used by law enforcement and intelligence agencies worldwide, had been manipulated to plant an unknown Android spyware, dubbed “NoviSpy,” on Milanov’s phone. This intrusion was facilitated through the exploitation of Qualcomm zero-day vulnerabilities, all without adhering to due process. As Amnesty delved deeper into the investigation, they uncovered at least three more cases with potential links to numerous others.
The release of Amnesty’s detailed report shed light on the unethical surveillance practices employed by Serbian authorities, with the aid of Israel-based Cellebrite. According to Amnesty’s Deputy Regional Director for Europe, Dinushika Dissanayake, the use of surveillance technology and digital repression tactics in Serbia serves as a means of exerting control and stifling dissent within civil society. The report also raised concerns about the misuse of Cellebrite’s mobile forensic products, warning of the grave risks posed to individuals advocating for human rights, environmental conservation, and freedom of speech when subjected to such invasive tactics without legal oversight.
The NoviSpy spyware, though less potent than infamous tools like NSO Group’s Pegasus spyware, still harbors alarming capabilities. NoviSpy can harvest sensitive personal data from a target device and enable remote access to the phone’s microphone and camera. Amnesty’s investigation revealed that Cellebrite’s forensic tools were misused to unlock devices and facilitate the installation of the spyware during police interviews, as seen in the cases of Milanov and environmental activist Nikola Ristić.
Moreover, the report traces a decade-long history of Serbian authorities procuring spyware from various entities, including FinFisher, NSO Group, and Intellexa. Amnesty’s collaboration with Google’s Threat Analysis Group highlighted the exploitation of Qualcomm vulnerabilities, including a zero-day, CVE-2024-43047, which was patched during the investigation. However, Amnesty uncovered five additional Qualcomm vulnerabilities that were likely leveraged in coordinated attacks, with some remaining unaddressed past the industry-standard 90-day deadline.
Amnesty also speculates that zero-click attacks targeting Voice-over-Wi-Fi or Voice-over-LTE features were used to implant spyware, as evidenced in instances involving suspicious messages and anomalous battery drain, which paints a chilling picture of digital espionage in Serbia. These revelations underscore the need for stringent oversight and regulation of surveillance technologies to safeguard individuals’ rights and privacy in an increasingly interconnected world. As the ramifications of digital surveillance continue to unravel, organizations and governments must prioritize ethical use and accountability to prevent such flagrant abuses of power.