Amnesty International researchers discovered an Android zero-day bug that was exploited to silently disseminate custom surveillance spyware targeting Serbian journalists. The probe has traced the technology to Cellebrite, an Israeli forensics vendor.
In a technical report published earlier this week, the human rights group outlined how Serbia's Security Information Agency (BIA) and police employed Cellebrite's forensic extraction tools and a newly uncovered spyware dubbed 'NoviSpy' to infect journalists' and activists' devices. In one instance, a journalist's phone was allegedly hacked during a police traffic check, with the Cellebrite tool facilitating the infection.
Amnesty International warned that Serbia's legal restrictions on the use of mobile forensic tools are inadequate and that "the ability to download, in effect, an individual's entire digital life using Cellebrite UFED and similar mobile forensic tools, poses enormous human rights risks, if such tools are not subject to strict control and oversight."
The report details the case of journalist Slaviša Milanov, whose Xiaomi Redmi Note 10S smartphone was hacked after a police confrontation in Serbia. Forensic investigation suggested the use of a zero-day Android exploit to bypass encryption and unlock the device, allowing NoviSpy to be installed.
According to the group, the privilege escalation zero-day, which was patched in the Qualcomm October security update, affected Android devices with popular Qualcomm chipsets and millions of Android smartphones globally.
In another case, Amnesty International discovered that an Android smartphone belonging to an environmental activist had logged a series of missed calls from seemingly random numbers that are not valid in Serbia.
"After these calls, [the activist said] that the battery on his device drained quickly."
The researchers inspected the device and found no trace of manipulation, but they warned that there is a substantial "knowledge gap" regarding zero-click attacks on Android smartphones.
Amnesty International acknowledged Cellebrite's claim that it has strict protocols to prevent product misuse, but cautioned that this revelation "provides clear evidence of a journalist's phone being targeted without any form of due process."
Unfortunately, Amnesty International discovered signs of the previously undisclosed NoviSpy spyware, which allows for the capture of sensitive personal data from a target's phone after infection and the ability to remotely activate the phone's microphone or camera.
"Forensic evidence indicates that the spyware was installed while the Serbian police were in possession of Slaviša's device, and the infection was dependent on the use of Cellebrite to unlock the device. Two forms of highly invasive technologies were used in combination to target the device of an independent journalist, leaving almost his entire digital life open to the Serbian authorities," the human rights group stated.