A recent report by Amnesty International has shed light on the use of Cellebrite forensic extraction software by Serbian police and intelligence officers to unlock journalists’ and activists’ phones. The report also reveals the installation of a previously unknown Android spyware called NoviSpy on these devices.
The phones were unlocked by exploiting a zero-day vulnerability affecting chipsets made by Qualcomm. In response, Qualcomm released a fix for CVE-2024-43047 in early October 2024; the vulnerability was reported to have been exploited in the wild. Google followed with a fix for Android in early November.
One of the journalists affected by this digital intrusion was Slaviša Milanov, an independent journalist from Dimitrovgrad in Serbia. During a routine traffic stop, Slaviša was brought into a police station, where his phone was left at the reception at the request of the officers. After he noticed suspicious activity on his phone, he contacted Amnesty International’s Security Lab for analysis, which revealed traces of Cellebrite use and the presence of the NoviSpy malware.
The spyware allows operators to capture sensitive data and remotely activate the device’s camera and microphone. Similar incidents were reported involving other activists, with evidence pointing to the Serbian authorities as the culprits behind the spyware campaigns.
Amnesty International conducted a thorough analysis of the NoviSpy spyware app recovered from infected devices, linking it confidently to the Serbian authorities. The spyware communicated with servers hosted in Serbia, some of which were associated with the Serbian Security Information Agency (BIA). Configuration data embedded in one spyware sample even tied back to a specific BIA employee.
Google’s Project Zero team further investigated the exploit artifacts provided by Amnesty International, uncovering six vulnerabilities in the Qualcomm DSP driver, including the one exploited in the wild. While Qualcomm patched most of the vulnerabilities, CVE-2024-49848 remains unfixed even 145 days after it was reported.
Amnesty International expressed concerns over the misuse of Cellebrite’s solution and spyware tools by Serbian authorities to target civil society members, citing the chilling effect of digital surveillance on their work. Cellebrite has stated that it is investigating the claims made in the report and is prepared to impose sanctions if necessary.
An additional investigation will be conducted by the United Nations Office for Project Services (UNOPS) regarding the procurement of Cellebrite technology for Serbia’s Ministry of Interior. The investigation follows a grant from the Norwegian Ministry of Foreign Affairs.
Overall, the report highlights the growing concerns surrounding digital surveillance and the use of spyware as tools of repression by authorities. It serves as a stark reminder of the need for robust cybersecurity measures to protect individuals and their privacy in an increasingly digital world.