Serbian police and intelligence authorities are using advanced phone spyware alongside mobile phone forensic products to unlawfully target journalists, environmental activists and other individuals in a covert surveillance campaign, a new Amnesty International report has revealed.
Amnesty International, December 16, 2024
Serbian independent investigative journalist Slaviša Milanov, whose phone was infected with spyware, seated in front of his laptop. Photo courtesy of Dragan Gmizic.
The report, “‘A Digital Prison’: Surveillance and the Suppression of Civil Society in Serbia,” documents how mobile forensic products made by Israeli company Cellebrite are being used to extract data from mobile devices belonging to journalists and activists. It also reveals how the Serbian police and the Security Information Agency (Bezbednosno-informativna agencija – BIA) have used a bespoke Android spyware system, NoviSpy, to covertly infect individuals’ devices during periods of detention or police interviews.
“Our investigation reveals how Serbian authorities have deployed surveillance technology and digital repression tactics as instruments of wider state control and repression directed against civil society,” said Dinushika Dissanayake, Amnesty International’s Deputy Regional Director for Europe.
“It also highlights how Cellebrite mobile forensic products – used widely by police and intelligence services worldwide – can pose an enormous risk to those advocating for human rights, the environment and freedom of speech, when used outside of strict legal control and oversight.”
How Cellebrite and NoviSpy are used to target devices
Cellebrite, a firm founded and headquartered in Israel but with offices globally, develops the Cellebrite UFED suite of products for law enforcement agencies and government entities. It enables the extraction of data from a wide range of mobile devices including some of the most recent Android devices and iPhone models, even without access to the device passcode.
While less technically advanced than highly invasive commercial spyware like Pegasus, NoviSpy – a previously unknown Android spyware – still provides Serbian authorities with extensive surveillance capabilities once installed on a target’s device.
NoviSpy can capture sensitive personal data from a target phone and can turn on the phone’s microphone or camera remotely, while Cellebrite forensic tools are used both to unlock the phone prior to spyware infection and to extract the data on a device.
Critically, Amnesty International uncovered forensic evidence showing how Serbian authorities used Cellebrite products to enable NoviSpy spyware infections of activists’ phones. In at least two cases, Cellebrite UFED exploits (software that takes advantage of a bug or vulnerability) were used to bypass Android device security mechanisms, allowing the authorities to covertly install the NoviSpy spyware during police interviews.
Amnesty International also identified how Serbian authorities used Cellebrite to exploit a zero-day vulnerability (a software flaw which is not known to the original software developer and for which a software fix is not available) in Android devices to gain privileged access to an environmental activist’s phone. The vulnerability, identified in collaboration with security researchers at Google Project Zero and Threat Analysis Group, affected millions of Android devices worldwide that use the popular Qualcomm chipsets. An update fixing the security issue was released in the October 2024 Qualcomm Security Bulletin.
Cellebrite phone hacking and spyware infection threats to journalists and activists
In February 2024, Serbian independent investigative journalist Slaviša Milanov was arrested and detained by police under the pretext of performing a test for driving under the influence of alcohol. While in detention, Slaviša was questioned by plain-clothes officers about his journalism work. Slaviša’s Android phone was turned off when he surrendered it to police, and at no point was he asked for the passcode, nor did he provide it.
After his release, Slaviša noticed that his phone, which he had left at the police station reception during his interrogation, appeared to have been tampered with, and his phone data was turned off.
He requested Amnesty International’s Security Lab to conduct a forensic analysis of his phone – a Xiaomi Redmi Note 10S. The analysis revealed that Cellebrite’s UFED product was used to secretly unlock Slaviša’s phone during his detention.
Additional forensic evidence showed that NoviSpy was then used by Serbian authorities to infect Slaviša’s phone. A second case in the report, involving an environmental activist, Nikola Ristić, found similar forensic evidence of Cellebrite products used to unlock a device to enable subsequent NoviSpy infection.
“Our forensic evidence proves that the NoviSpy spyware was installed while the Serbian police had possession of Slaviša’s device, and the infection was dependent on the use of an advanced tool like Cellebrite UFED capable of unlocking the device. Amnesty International attributes the NoviSpy spyware to BIA with high confidence,” said Donncha Ó Cearbhaill, the Head of Amnesty International’s Security Lab.
Activists infected with NoviSpy while making complaints to the police or BIA
This tactic of installing spyware covertly on people’s devices during detention or interviews appears to have been widely used by the authorities.
In another case, an activist from Krokodil, an organization promoting dialogue and reconciliation in the Western Balkans, had their phone, a Samsung Galaxy S24+, infected with spyware during an interview with BIA officials in October 2024.
The activist was invited to BIA’s office in Belgrade to provide information about an attack on their offices by Russian-speaking people, ostensibly in opposition to Krokodil’s public condemnation of Russia’s invasion of Ukraine.
After the interview, the activist suspected that their phone had been tampered with. At their request, Amnesty International carried out a forensic investigation which found that NoviSpy had been installed on the device during the BIA interview. Amnesty International was also able to recover and decrypt surveillance data captured by NoviSpy while the activist was using their phone, which included screenshots of email accounts, Signal and WhatsApp messages and social media activity.
Amnesty International reported the NoviSpy spyware campaign to security researchers at Android and Google before publication, who took action to remove the spyware from affected Android devices. Google has also sent out a round of “Government-backed attack” alerts to individuals they identified as possible targets of this campaign.
Impact of state digital surveillance and repression tactics on Serbian civil society
A Serbian protester speaking to a crowd through a megaphone. Photo courtesy of SviCe.
Serbian activists have been left traumatised by the targeting.
“This is an incredibly effective way to completely discourage communication between people. Anything that you say could be used against you, which is paralyzing at both personal and professional levels,” said Branko*, an activist who was targeted with Pegasus spyware.
The targeting has also resulted in self-censorship.
“We are all in the form of a digital prison, a digital gulag. We have an illusion of freedom, but in reality, we have no freedom at all. This has two effects: you either opt for self-censorship, which profoundly affects your ability to do work, or you choose to speak up regardless, in which case, you have to be ready to face the consequences,” said Goran*, an activist also targeted with Pegasus spyware.
Aleksandar*, an activist who was also targeted with Pegasus spyware, said: “My privacy was invaded, and this completely shattered my sense of personal security. It caused huge anxiety…I felt a sense of panic and became quite isolated.”
In a response to these findings, NSO Group, which developed Pegasus, could not confirm whether Serbia was its customer but stated that the Group “takes seriously its responsibility to respect human rights, and is strongly committed to avoiding causing, contributing to, or being directly linked to negative human rights impacts, and thoroughly review all credible allegations of misuse of NSO Group products.”
In response to our findings, Cellebrite said, “Our digital investigative software solutions do not install malware nor do they perform real-time surveillance consistent with spyware or any other type of offensive cyber activity.
“We appreciate Amnesty International highlighting the alleged misuse of our technology. We take all allegations seriously of a customer’s potential misuse of our technology in ways that would run counter to both explicit and implied conditions outlined in our end-user agreement.
“We are investigating the claims made in this report. Should they be validated, we are prepared to impose appropriate sanctions, including termination of Cellebrite’s relationship with any relevant agencies.”
In response to Amnesty International’s queries sent early during the research process, Cellebrite said its products “are licensed strictly for lawful use, require a warrant or consent to help law enforcement agencies with legally sanctioned investigations after a crime has taken place.”
While this may be the intended use, Amnesty International’s research demonstrates how Cellebrite’s products can be misused to enable spyware deployment and the broad collection of data from mobile phones outside of justified criminal investigations, posing grave risks to human rights.
Amnesty International shared the findings of this research with the Serbian government ahead of publication but has not received a response.
Serbian authorities must stop using highly invasive spyware, provide effective remedy to victims of unlawful targeted surveillance and hold those responsible for the violations to account. Cellebrite and other digital forensic companies must also conduct adequate due diligence to ensure that their products are not used in a way which contributes to human rights abuses.
Over the past years, state repression and a hostile environment for free speech advocates in Serbia have escalated with each wave of anti-government protests. The authorities have engaged in sustained smear campaigns against NGOs, media and journalists and have also subjected those involved in peaceful protest to arrests and judicial harassment.
*Name changed to protect identity
© 2024 Amnesty International