The Serbian government is using advanced mobile forensics products from Israeli surveillance firm Cellebrite to spy on journalists and environmental and civil rights activists, according to an Amnesty International report.
Amnesty shared findings from its Security Lab showing the use of spyware by the Serbian police forces and intelligence services in its report titled A Digital Prison: Surveillance and the suppression of civil society in Serbia, published on December 16.
The report uncovered the use of NoviSpy, a previously unknown bespoke Android spyware tool.
The Serbian police and the Security Information Agency (Bezbedonosno-informativna Agencija – BIA) have been accused using NoviSpy to covertly infect individuals’ devices during periods of detention or police interviews.
Targets include Serbian independent investigative journalist Slaviša Milanov, environmental activist Nikola Ristić, and an unnamed activist from Krokodil, an organization promoting dialogue and reconciliation in the Western Balkans.
The Serbian authorities have also been observed using mobile forensics products from Israeli firm Cellebrite. These tools enable the extraction of data from a wide range of mobile devices, including some of the most recent Android devices and iPhone models, even without access to the device passcode.
How NoviSpy is Used With Cellebrite Forensics Tools
While less technically advanced than the notorious commercial spyware Pegasus, NoviSpy “still provides Serbian authorities with extensive surveillance capabilities once installed on a target’s device,” said Amnesty.
Amnesty’s forensic evidence showed how Serbian authorities used Cellebrite products to enable NoviSpy spyware infections of activists’ phones.
NoviSpy captures sensitive personal data from a target phone and provides capabilities to turn on a device’s microphone or camera remotely. Cellebrite forensic tools unlock the phone prior to spyware infection and allow the extraction of the data on a device.
In at least two cases, Cellebrite exploits were used to bypass Android device security mechanisms, allowing the authorities to covertly install the NoviSpy spyware during police interviews.
The Amnesty researchers also identified how Serbian authorities used Cellebrite to exploit a zero-day vulnerability in Android devices to gain privileged access to an environmental activist’s phone.
“The vulnerability, identified in collaboration with security researchers at Google Project Zero and Threat Analysis Group, affected millions of Android devices worldwide that use the popular Qualcomm chipsets. An update fixing the security issue was released in the October 2024 Qualcomm Security Bulletin,” said the report.
Cellebrite Prepared to Impose Sanctions on Serbia
In response to Amnesty’s findings, Cellebrite said: “Our digital investigative software solutions do not install malware nor do they perform real-time surveillance consistent with spyware or any other type of offensive cyber activity.”
“We appreciate Amnesty International highlighting the alleged misuse of our technology. We take all allegations seriously of a customer’s potential misuse of our technology in ways that would run counter to both explicit and implied conditions outlined in our end-user agreement.
The company also said it was investigating the claims made in the report and is willing to “impose appropriate sanctions, including termination of Cellebrite’s relationship with any relevant agencies.”
Amnesty also shared the findings with the Serbian government before the publication but has not received a response.
Read now: Lookout Discovers New Spyware Deployed by Russia and China