A Serbian journalist had his phone first unlocked by a Cellebrite tool and subsequently compromised by a previously undocumented spyware codenamed NoviSpy, according to a new report published by Amnesty International.
“NoviSpy allows for capturing sensitive personal data from a target’s phone after infection and provides the ability to turn on the phone’s microphone or camera remotely,” the company said in an 87-page technical report.
An analysis of forensic evidence points to the spyware installation occurring when the phone belonging to independent journalist Slaviša Milanov was in the hands of the Serbian police during his detention in early 2024.
Some of the other targets included youth activist Nikola Ristić, environmental activist Ivan Milosavljević Buki, and an unnamed activist from Krokodil, a Belgrade-based organization promoting dialogue and reconciliation in the Western Balkans.
The development marks one of the first known instances where two disparate highly invasive technologies were used in combination to facilitate snooping and the exfiltration of sensitive data.
NoviSpy, in particular, is engineered to harvest various kinds of information from compromised phones, including screenshots of all actions on the phone, targets’ locations, audio and microphone recordings, files, and photos. It’s installed using the Android Debug Bridge (adb) command-line utility and manifests in the form of two applications –
- NoviSpyAdmin (com.serv.services), which requests extensive permissions to collect call logs, SMS messages, contact lists, and record audio through the microphone
- NoviSpyAccess (com.accesibilityservice), which abuses Android’s accessibility services to stealthily collect screenshots from email accounts and messaging apps like Signal and WhatsApp, exfiltrate files, track location, and activate camera
Exactly who developed NoviSpy is currently not known, although Amnesty told 404 Media that it could have either been built in-house by Serbian authorities or acquired from a third-party. Development of the spyware is said to have been ongoing since at least 2018.
“Together, these tools provide the state with an enormous capability to gather data both covertly, as in the case of spyware, and overtly, through the unlawful and illegitimate use of Cellebrite mobile phone extraction technology,” Amnesty International noted.
The non-governmental organization further noted that the Serbian Security Information Agency (BIA) has been publicly linked to the procurement of spyware tools since at least 2014, using various offerings such as FinFisher’s FinSpy, Intellexa’s Predator, and NSO Group’s Pegasus to covertly spy on protest organizers, journalists and civil society leaders.
In a statement shared with the Associated Press, Serbia’s police characterized the report as “absolutely incorrect” and that “the forensic tool is used in the same way by other police forces around the world.”
Responding to the findings, Israeli company Cellebrite said it’s investigating the claims of misuse of its tools and that it would take appropriate measures, including terminating its relationship with relevant agencies, if they are found to be in violation of its end-user agreement.
In tandem, the research also uncovered a zero-day privilege escalation exploit used by Cellebrite’s universal forensic extraction device (UFED) – a software/system that allows law enforcement agencies to unlock and gain access to data stored on mobile phones – to gain elevated access to a Serbian activist’s device.
The vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), is a user-after-free bug in Qualcomm’s Digital Signal Processor (DSP) Service (adsprpc) that could lead to “memory corruption while maintaining memory maps of HLOS memory.” It was patched by the chipmaker in October 2024.
Google, which initiated a “broader code review process” following the receipt of kernel panic logs generated by the in-the-wild (ITW) exploit earlier this year, said it discovered a total of six vulnerabilities in the adsprpc driver, including CVE-2024-43047.
“Chipset drivers for Android are a promising target for attackers, and this ITW exploit represents a meaningful real-world example of the negative ramifications that the current third-party vendor driver security posture poses to end-users,” Seth Jenkins of Google Project Zero said.
“A system’s cybersecurity is only as strong as its weakest link, and chipset/GPU drivers represent one of the weakest links for privilege separation on Android in 2024.”
The development comes as the European arm of the Center for Democracy and Technology (CDT), alongside other civil society organizations such as Access Now and Amnesty International, sent a letter to the Polish Presidency of the Council of the European Union, calling for prioritizing action against abuse of commercial surveillance tools.
It also follows a recent report from Lookout about how law enforcement authorities in Mainland China are using a lawful intercept tool codenamed EagleMsgSpy to gather a wide range of information from mobile devices after having gained physical access to them.
Earlier this month, the Citizen Lab further revealed that the Russian government detained a man for donating money to Ukraine and implanted spyware, a trojanized version of a call recorder app, on his Android phone before releasing him.
