Serbian government used Cellebrite to unlock phones, install spyware
Serbian police and intelligence officers used Cellebrite forensic extraction software to unlock journalists’ and activists’ phones and install previously unknown Android spyware called NoviSpy, a new Amnesty International report claims.
The unlocking was made possible through exploitation of a zero-day vulnerability affecting chipsets made by Qualcomm.
In early October 2024, Qualcomm fixed CVE-2024-43047, reported by Google’s Threat Analysis Group (TAG) and Amnesty International as exploited in the wild. Google followed with a fix for Android in early November.
Cellebrite + NoviSpy
“In February 2024, Slaviša Milanov, an independent journalist from Dimitrovgrad in Serbia who covers local interest news stories, was brought into a police station after a seemingly routine traffic stop,” Amnesty International says.
“After Slaviša was released, he noticed that his phone, which he had left at the police station reception at the request of the officers, was acting strangely – the data and wi-fi settings were turned off. Aware that this can be a sign of hacking, and mindful of the surveillance threats facing journalists in Serbia, Slaviša contacted Amnesty International’s Security Lab to request an analysis of his phone.”
The analysis discovered evidence of Cellebrite use and traces of the NoviSpy malware, which allows operators to capture sensitive data and to switch on the device’s camera and microphone remotely.
Cellebrite’s technology has famously been used by US authorities to unlock devices belonging to shooters, most recently the person who tried to shoot US president-elect (then presidential candidate) Donald Trump.
“Slaviša’s Android phone was turned off when he surrendered it to police and at no point was he asked for nor did he provide the passcode,” Amnesty noted, and added that forensic evidence points to the spyware having been installed while the Serbian police were in possession of the journalist’s device, and following the use of Cellebrite to unlock the device.
A Serbian environmental activist, Nikola Ristić, had his phone unlocked and compromised in the same way, Amnesty noted, and other activists had the spyware installed on their devices during interviews with the Serbian Security Information Agency (BIA).
Having analyzed multiple samples of the NoviSpy spyware app they recovered from infected devices, Amnesty has confidently tied the spyware campaigns to the Serbian authorities.
The spyware communicates with servers hosted in Serbia, some on an IP address range associated with the BIA, and configuration data embedded in one spyware sample “ties back to a specific BIA employee, who was previously linked to Serbia’s efforts to procure Android spyware from the now defunct spyware vendor, Hacking Team.”
The spyware was removed from affected Android devices by Google, and the affected persons were alerted to having been the targets of a “government-backed attack”.
Google’s Project Zero team has published a technical analysis of exploit artifacts that TAG received from Amnesty International, which allowed them to discover six vulnerabilities in the Qualcomm DSP driver (“adsprpc”), including the one exploited in the wild.
Qualcomm patched all except CVE-2024-49848, which “remains unfixed 145 days after it was reported.”
Tools of repression
Amnesty is, naturally, more concerned about making public Serbian authorities’ misuse of Cellebrite’s solution and various spyware to target civil society members.
“Serbia is a paradigmatic case of a system in which such tools can become core enablers of a digital crackdown, likely to be mirrored in other countries and contexts, which may well be happening already,” the organization says, noting the chilling effect digital surveillance has had on the targets and their vital work.
Cellebrite has said that they are investigating the claims made in the report. “Should they be validated, we are prepared to impose appropriate sanctions, including termination of Cellebrite’s relationship with any relevant agencies,” the company told Amnesty.
A separate investigation will be conducted by the United Nations Office for Project Services (UNOPS), which managed the procurement of Cellebrite technology for Serbia’s Ministry of Interior under a grant from the Norwegian Ministry of Foreign Affairs.