
Serbian Police Used Cellebrite to Spy on Journalist

December 16, 2024

Surveillance Concerns: Cellebrite Tools Used in Spyware Infections

Recent findings indicate that a Serbian journalist and an activist had their phones hacked by local authorities. The intrusion was carried out using a phone-unlocking device made by Cellebrite, a prominent provider of forensic tools.

The objective of the authorities extended beyond simply gaining access to personal data through unlocking the devices. According to a new report released by Amnesty International, the intent was to deploy spyware for continued monitoring.

First Documented Cases of Cellebrite-Enabled Spyware

Amnesty International asserts that these instances represent the initial forensically verified cases of spyware infections directly enabled by the utilization of Cellebrite tools.

This method, while basic, proves remarkably effective. It exemplifies one of numerous strategies employed by governments to conduct surveillance on their populations.

The Rise of Spyware and Government Surveillance

Over the past ten years, organizations like Amnesty International and Citizen Lab have meticulously documented numerous instances of governmental use of sophisticated spyware.

These tools, developed by Western surveillance technology companies – including NSO Group, Intellexa, and the former Hacking Team – were used to remotely compromise the devices of dissidents, journalists, and political adversaries.

Shifting Tactics in the Face of Increased Security

As the cost of exploiting zero-day vulnerabilities and deploying remotely installed spyware increases due to advancements in security measures, authorities may increasingly turn to less complex techniques.

This includes physically obtaining the targeted phones to facilitate hacking attempts.

Potential for Abuse Within the United States

Although many documented cases of spyware misuse have occurred internationally, there’s no assurance that similar activities aren’t happening—or won’t happen—within the United States.

Reports from Forbes in November revealed that the Department of Homeland Security’s Immigration and Customs Enforcement (ICE) allocated $20 million for the acquisition of phone hacking and surveillance technologies, including Cellebrite.

Considering the previously stated plans for large-scale deportations, experts express concern that ICE may escalate its surveillance operations under the incoming administration.

This raises significant questions about privacy and civil liberties within the country.

An Overview of Early Spyware Development

Patterns from the past frequently resurface. What looks novel, even if it was not documented before, is often a continuation of earlier practice.

Two decades ago, while governmental spyware was present but largely unknown to the antivirus sector responsible for defense, the method of deploying spyware involved physical access to a target’s computer. Law enforcement agencies required direct, physical access to a device – sometimes necessitating unlawful entry into a home or workplace – to manually install the malicious software.

Early Deployment Methods

Consequently, initial iterations of spyware, such as those developed by Hacking Team in the mid-2000s, were engineered for execution from USB drives or compact discs. Prior to this, in 2001, the FBI physically infiltrated the office of Nicodemo Scarfo, a known mobster, to install spyware.

This spyware was designed to record Scarfo’s keystrokes, aiming to capture the encryption key used for his email correspondence.

These older methods are now experiencing a resurgence in usage, though not necessarily out of practical need.

Recent Instances of Physical Spyware Installation

In early 2024, Citizen Lab reported an incident where the Russian Federal Security Service (FSB) allegedly installed spyware on the mobile phone of Kirill Parubets.

Parubets, a Russian political activist residing in Ukraine since 2022, was subjected to this intrusion while in custody. Russian authorities compelled him to reveal his phone’s passcode before installing spyware capable of accessing his personal information.

Surveillance and Data Extraction

Recent investigations conducted by Amnesty International in Serbia have revealed the presence of previously unknown spyware on the mobile devices of journalist Slaviša Milanov and activist Nikola Ristić.

The incident involving Milanov began in February 2024 with a seemingly standard traffic stop by local law enforcement. Following the stop, he was taken to a police station where his Xiaomi Redmi Note 10S Android phone was confiscated during questioning, as reported by Amnesty International.

Upon the phone’s return, Milanov observed unusual behavior.

“I immediately observed that both my mobile data and Wi-Fi connectivity were disabled. My phone is typically configured to have mobile data always enabled, and this deviation immediately raised my suspicions of unauthorized access,” Milanov explained in a recent interview with TechCrunch.

Milanov subsequently utilized StayFree, an application designed to monitor app usage, and discovered significant activity within various applications while the phone was purportedly powered off and in police custody. He emphasized that authorities did not request or compel him to reveal his phone’s passcode.

“The application logs indicated that between 11:54 a.m. and 1:08 p.m., the Settings, Security, File Manager, Google Play Store, Recorder, Gallery, and Contacts applications were all actively used, coinciding precisely with the period my phone was not in my possession,” Milanov stated.

“Approximately 1.6 GB of data was extracted from my device during this timeframe,” he added.
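The check Milanov performed by hand, written out as an added example that is not part of the article: given app-usage records in the style of an app-usage monitor export (constructed here, with app names and times assumed) and the window during which the phone was in police custody, flag every application that was active while the owner did not have the device and total the minutes of overlap, including sessions that only partly fall inside the window.

```python
from datetime import datetime

# Custody window: the owner did not have the phone between these times.
# Times are assumed for this example and are not taken from a real log.
CUSTODY_START = datetime(2024, 2, 1, 11, 54)
CUSTODY_END = datetime(2024, 2, 1, 13, 8)

# Constructed sample usage records: (app name, session start, session end).
SAMPLE_USAGE = [
    ("Messenger", datetime(2024, 2, 1, 9, 10), datetime(2024, 2, 1, 9, 25)),          # owner, before the stop
    ("Settings", datetime(2024, 2, 1, 11, 56), datetime(2024, 2, 1, 12, 2)),           # inside the window
    ("File Manager", datetime(2024, 2, 1, 12, 2), datetime(2024, 2, 1, 12, 40)),       # inside the window
    ("Google Play Store", datetime(2024, 2, 1, 12, 41), datetime(2024, 2, 1, 12, 47)), # inside the window
    ("Contacts", datetime(2024, 2, 1, 13, 5), datetime(2024, 2, 1, 13, 12)),           # straddles the window end
    ("Browser", datetime(2024, 2, 1, 14, 30), datetime(2024, 2, 1, 14, 45)),           # owner, after the return
]


def overlap_minutes(start, end, win_start, win_end):
    """Minutes of the session [start, end) that fall inside [win_start, win_end); 0 if none."""
    lo = max(start, win_start)
    hi = min(end, win_end)
    return max(0.0, (hi - lo).total_seconds() / 60)


def activity_during_custody(usage, win_start, win_end):
    """Return (flagged_apps, total_minutes) for sessions that overlap the custody window.

    A phone that is supposedly powered off and untouched should show no sessions at all
    in that window, so any overlap is a signal worth a forensic follow-up.
    """
    flagged = []
    total = 0.0
    for app, start, end in usage:
        mins = overlap_minutes(start, end, win_start, win_end)
        if mins > 0:
            flagged.append(app)
            total += mins
    return flagged, total


if __name__ == "__main__":
    apps, minutes = activity_during_custody(SAMPLE_USAGE, CUSTODY_START, CUSTODY_END)
    print(f"apps active while the phone was in custody: {apps} ({minutes:.0f} min)")
```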

Milanov expressed considerable distress and concern regarding the potential compromise of his privacy, prompting him to seek a forensic examination of his phone by Amnesty International.

Donncha Ó Cearbhaill, leading Amnesty’s Security Lab, confirmed that Milanov’s phone had been accessed using Cellebrite technology and subsequently infected with a novel Android spyware. Amnesty has designated this spyware as NoviSpy, derived from the Serbian word meaning “new.”

Widespread Use of Spyware Targeting Civil Society Suspected

Analysis conducted by Amnesty International regarding the NoviSpy spyware, coupled with identified operational security lapses, indicates that Serbian intelligence agencies are likely responsible for its development.

The Amnesty report details how the spyware was employed to surreptitiously infect mobile devices during arrests, periods of detention, or even during routine informational interviews with individuals involved in civil society organizations. In numerous instances, it appears that arrests or detentions were deliberately arranged to facilitate covert access to devices, enabling data extraction or the installation of the spyware, as stated by Amnesty.

Based on the presence of Serbian language comments and code strings, and its programming to connect with servers located within Serbia, Amnesty believes NoviSpy was likely created within the country.

An oversight by Serbian authorities enabled Amnesty researchers to establish a connection between NoviSpy and the Serbian Security Information Agency (Bezbednosno-informaciona Agencija, or BIA), along with one of its servers.

Researchers discovered that NoviSpy was engineered to communicate with a specific Internet Protocol address: 195.178.51.251.

This very same IP address was previously associated with an agent within the Serbian BIA in 2015. Citizen Lab identified the address as “DPRODAN-PC” on Shodan, a search engine for internet-connected devices. Further investigation revealed that an individual using an email address containing “dprodan” had contacted the spyware vendor Hacking Team requesting a demonstration in February 2012. Leaked emails from Hacking Team confirm a demonstration took place in Belgrade around that time, leading Citizen Lab to conclude that “dprodan” is a BIA employee.

According to Amnesty, the IP address range identified by Citizen Lab in 2015 (195.178.51.xxx) remains linked to the BIA, with the BIA’s public website recently hosted within that range.

Forensic analysis performed by Amnesty on devices belonging to two dozen Serbian civil society members – predominantly Android users – revealed further infections with NoviSpy. Evidence within the spyware’s code suggests extensive use by both the BIA and the Serbian police, according to Amnesty.

Requests for comment sent to the BIA and the Serbian Ministry of Internal Affairs, which oversees the Serbian police, received no response.

The NoviSpy code includes what researchers believe to be a sequentially increasing user ID. One victim’s device displayed an ID of 621, while another, infected approximately a month later, had an ID exceeding 640, indicating that authorities may have infected over 20 individuals within that timeframe. A 2018 version of NoviSpy was found on VirusTotal, an online malware repository, suggesting the spyware has been in development for several years.

Amnesty’s investigation also uncovered a zero-day exploit affecting Qualcomm chipsets, used against a Serbian activist, potentially utilizing Cellebrite technology. Qualcomm announced a fix for this vulnerability in October, following Amnesty’s disclosure.

Victor Cooper, a spokesperson for Cellebrite, stated that their tools cannot be used to install malware, requiring a “third-party” to perform such actions.

While declining to disclose customer details, the Cellebrite spokesperson indicated a willingness to “investigate further.” The company affirmed that it would “reassess” its business relationship with Serbia if violations of its end-user agreement were confirmed.
