In February 2024, Serbian journalist Slaviša Milanov was taken to a police station following what seemed like a routine traffic stop. But after his release, the phone that he’d been asked to leave with police station reception staff was behaving oddly, and data and Wi-Fi settings were turned off, possible signs of hacking.
Milanov contacted Amnesty International’s Security Lab about the incident, which led to several remarkable discoveries: A commercial forensic tool widely used by police and intelligence forces around the world had been misused to plant previously unknown Android spyware on Milanov’s phone, using Qualcomm zero-day vulnerabilities, all without due process. The Amnesty investigation deepened from there to find at least three additional cases, and evidence for potentially “dozens, if not hundreds” more.
The findings, detailed in a new report from Amnesty, shed light on how Serbia spies on its own citizens, with help from Israel-based Cellebrite that Amnesty says violates international law and the product’s terms of use.
“Our investigation reveals how Serbian authorities have deployed surveillance technology and digital repression tactics as instruments of wider state control and repression directed against civil society,” Dinushika Dissanayake, Amnesty International’s Deputy Regional Director for Europe, said in a statement.
“It also highlights how Cellebrite mobile forensic products – used widely by police and intelligence services worldwide – can pose an enormous risk to those advocating for human rights, the environment and freedom of speech, when used outside of strict legal control and oversight.”
Cellebrite Abused to Install New ‘NoviSpy’ Android Spyware
Amnesty Security Lab identified a previously unknown spyware tool called “NoviSpy,” which while less powerful than better known tools like NSO Group’s Pegasus spyware, can nonetheless “capture sensitive personal data from a target phone and provide capabilities to turn on a phone’s microphone or camera remotely.”
Cellebrite forensic tools “are used to both unlock the phone prior to spyware infection and also allow the extraction of the data on a device,” Amnesty charged, adding that Cellebrite is investigating those claims.
“In at least two cases, Cellebrite UFED exploits (software that takes advantage of a bug or vulnerability) were used to bypass Android device security mechanisms, allowing the authorities to covertly install the NoviSpy spyware during police interviews,” Amnesty said.
“Our forensic evidence proves that the NoviSpy spyware was installed while the Serbian police had possession of Slaviša’s device, and the infection was dependent on the use of an advanced tool like Cellebrite UFED capable of unlocking the device,” stated Donncha Ó Cearbhaill, the Head of Amnesty International’s Security Lab.
A second case in Amnesty’s 87-page report involved an environmental activist, Nikola Ristić, with “similar forensic evidence of Cellebrite products used to unlock a device to enable subsequent NoviSpy infection.”
The report also details the history of use or procurement of spyware by Serbian authorities from Finfisher, NSO Group, and Intellexa, over the last decade.
Qualcomm Vulnerabilities Exploited for Android Spyware
Amnesty worked with Google’s Threat Analysis Group (TAG) on the investigation, which detailed its findings in a separate technical blog.
Among the findings were a zero-day Android use-after-free vulnerability (CVE-2024-43047) used in Cellebrite UFED that was “patched in the course of this research,” and the discovery of five additional Qualcomm vulnerabilities that were likely exploited in an attack chain.
Two of the vulnerabilities (CVE-2024-49848 and CVE-2024-21455) were not fixed by Qualcomm under the industry standard 90-day deadline, Google said, and CVE-2024-49848 remains unpatched 145 days after it was reported.
Zero-Click Attack Used to Install Android Spyware
Amnesty speculated that a zero-click attack may have been used in some cases targeting Voice-over-Wifi or Voice-over-LTE (VoLTE) functionality used in Android devices for Rich Communication Suite (RCS) calling. The report included a screenshot (republished below) of random, invalid numbers sent to one victim, after which the phone’s battery began to drain quickly.
