Serbian police and intelligence authorities are using advanced mobile spyware and mobile forensics products to illegally target journalists, environmental activists and other individuals in covert surveillance operations, a new Amnesty International report reveals.
The report stated, ‘Digital Prison’: Surveillance and Repression in Serbian Civil Society,” Documented how mobile forensics products made by Israeli company Cellebrite were used to extract information from the mobile devices of journalists and activists. It also reveals how the Serbian Police and Security Information Agency (Bezbedonosno-informativna Agencija – BIA) used NoviSpy, a customized Android spyware system, to covertly infect individuals’ devices during detention or police interrogation.
Dinushika Dissanayake, Amnesty International’s deputy regional director for Europe, said: “Our investigation reveals how Serbian authorities deploy surveillance technology and digital repression tactics as part of wider state control and repression of civil society tools.
“It also highlights the huge consequences that Cellebrite operational forensics products – widely used by police and intelligence services around the world – can bring to those advocating for human rights, the environment and freedom of expression when used outside of strict legal controls and oversight. risk.
How to use Cellebrite and NoviSpy to locate devices
Cellebrite is a company founded in Israel and headquartered in Israel but with offices worldwide that develops the Cellebrite UFED product suite for law enforcement agencies and government entities. It can extract data from a variety of mobile devices, including some of the latest Android devices and iPhone models, without even needing to access the device’s password.
While technically less advanced than highly intrusive commercial spyware such as Pegasus, NoviSpy, a previously unknown Android spyware, could still provide Serbian authorities with extensive surveillance capabilities once installed on a target device.
NoviSpy can capture sensitive personal data from a target phone and provide the ability to remotely turn on the phone’s microphone or camera, while the Cellebrite forensic tool is used to unlock the phone before spyware infection and allows the extraction of data on the device.
Crucially, Amnesty International uncovered forensic evidence showing how Serbian authorities used Cellebrite products to infect activists’ phones with the NoviSpy spyware. In at least two cases, Cellebrite UFED vulnerabilities (software that exploits bugs or vulnerabilities) were used to bypass Android device security, allowing authorities to covertly install the NoviSpy spyware during police interviews.
Amnesty International also discovered how Serbian authorities used Cellebrite to exploit zero-day vulnerabilities in Android devices (software flaws that are unknown to the original software developer and for which a software fix cannot be provided) to gain privileged access to environmental activists. . The vulnerability, discovered in collaboration with security researchers from Google’s Project Zero and Threat Analysis Groups, affects millions of Android devices around the world that use popular Qualcomm chipsets. An update to fix the security issue was released in the October 2024 Qualcomm Security Bulletin.
Cellebrite phone hacks and spyware infections pose threat to journalists, activists
In February 2024, Serbian independent investigative journalist Slavisa Milanov was arrested and detained by the police for conducting a drunk driving test. While in custody, Slavisa was questioned by plainclothes police about his journalistic work. Slavisa’s Android phone was switched off when he handed it over to police, and he was never asked for a password and did not provide one.
After his release, Slavisa noticed that the mobile phone he had left at the police station reception desk during interrogation appeared to have been tampered with and that his mobile data had been turned off.
He asked the Amnesty International Security Lab to perform forensic analysis on his phone, a Xiaomi Redmi Note 10S. Analysis revealed that Cellebrite’s UFED product was used to covertly unlock Slaviša’s phone while he was in custody.
Other forensic evidence shows that Serbian authorities then used NoviSpy to infect Slavisa’s phone. The second case in the report involves environmentalist Nikola Ristić, who found forensic evidence that similar Cellebrite products were used to unlock devices to enable subsequent NoviSpy infections.
“Our forensic evidence proves that the NoviSpy spyware was installed when the Serbian police took possession of the Slaviša device, and that the infection relied on the use of advanced tools capable of unlocking the device, such as Cellebrite UFED. Amnesty International has a high degree of confidence that the NoviSpy spyware was the work of the BIA.
Activists infected with NoviSpy while filing complaints with police or BIA
This tactic of covertly installing spyware on people’s devices during detention or interviews appears to be widely used by authorities.
In another case, an activist from Krokodil, an organization that promotes dialogue and reconciliation in the Western Balkans, was interviewed by BIA officials in October 2024 when his phone, a Samsung Galaxy S24+, was infected with spyware.
The activist was invited to the BIA’s offices in Belgrade to provide information about attacks on its offices by Russian-speakers, ostensibly to counter Crokodil’s public condemnation of Russia’s invasion of Ukraine.
After the interview, the activist suspected that his phone had been tampered with. At their request, Amnesty International conducted a forensic investigation and discovered that NoviSpy was installed on the device during the BIA interview. Amnesty International was also able to recover and decrypt surveillance data captured by NoviSpy when activists were using their mobile phones, which included email accounts, Signal and WhatsApp messages, and screenshots of social media activity.
Amnesty International reported NoviSpy spyware activity to Android and Google security researchers prior to release, who took action to remove the spyware from affected Android devices. Google also issued a round of “state-sponsored attack” alerts to individuals they identified as possible targets of the campaign.
The impact of state digital surveillance and repression strategies on Serbian civil society
Serbian activists have been traumatized by the attacks.
“This is a very effective method of completely blocking communication between people. Anything you say can be used against you, which is paralyzing on a personal and professional level,” Become a Pegasus Spy Soft Target activist Blanco* said.
Such goals also lead to self-censorship.
“We are all in a form of digital prison, digital gulag. We have the illusion of freedom, but in fact we have no freedom at all. This has two effects: You either choose to self-censor, which profoundly affects your ability to do your job. , or you choose to speak out anyway, in which case you must be prepared to face the consequences of also targeting the Pegasus spyware.
Aleksandar*, an activist who was also targeted by the Pegasus spyware, said: “My privacy was violated and it completely destroyed my sense of personal security. It caused huge anxiety… I panicked and became very isolated.
In response to the findings, NSO Group, which develops Pegasus, could not confirm whether Serbia was a customer but said the group “takes seriously its responsibility to respect human rights and is firmly committed to avoiding causing, contributing to or being directly linked to negative human rights impacts, and thoroughly review all credible allegations of misuse of NSO Group products.
In response to our findings, Cellebrite said: “Our digital investigation software solutions do not install malware or perform real-time monitoring consistent with spyware or any other type of offensive network activity.
“We are grateful to Amnesty International for highlighting the allegations of misuse of our technology. We take seriously all allegations that all relevant customers may have misused our technology in a manner that breaches the express and implied conditions of our end user agreement.
“We are investigating the claims in this report. If they are proven, we are prepared to impose appropriate sanctions, including terminating Cellebrite’s relationship with any relevant agencies.
Amnesty International shared the findings of the study with the Serbian government ahead of its publication but has yet to receive a response.
Serbian authorities must stop using highly intrusive spyware and provide effective remedies to victims of unlawful targeted surveillance and hold those responsible for violations accountable. Cellebrite and other digital forensics companies must also conduct adequate due diligence to ensure that their products are not used in a way that results in human rights violations.
State repression and a hostile environment for free speech advocates in Serbia have escalated with each wave of anti-government protests over the past few years. Authorities conducted an ongoing smear campaign against NGOs, media outlets, and journalists, and engaged in arrests and judicial harassment of those participating in peaceful protests.
*Names have been changed to protect identity
