A Serbian journalist had his phone first unlocked by a Cellebrite tool and subsequently compromised by a previously undocumented spyware codenamed NoviSpy, according to a new report published by Amnesty International.
“NoviSpy allows for capturing sensitive personal data from a target’s phone after infection and provides the ability to turn on the phone’s microphone or camera remotely,” the company said in an 87-page technical report.
An analysis of forensic evidence points to the spyware installation occurring when the phone belonging to independent journalist Slaviša Milanov was in the hands of the Serbian police during his detention in early 2024.
Some of the other targets included youth activist Nikola Ristić, environmental activist Ivan Milosavljević Buki, and an unnamed activist from Krokodil, a Belgrade-based organization promoting dialogue and reconciliation in the Western Balkans.
The development marks one of the first known instances where two disparate highly invasive technologies were used in combination to facilitate snooping and the exfiltration of sensitive data.
NoviSpy, in particular, is engineered to harvest various kinds of information from compromised phones, including screenshots of all actions on the phone, targets’ locations, audio and microphone recordings, files, and photos. It’s installed using the Android Debug Bridge (adb) command-line utility and manifests in the form of two applications –
Exactly who developed NoviSpy is currently not known, although Amnesty told 404 Media that it could have either been built in-house by Serbian authorities or acquired from a third-party. Development of the spyware is said to have been ongoing since at least 2018.
“Together, these tools provide the state with an enormous capability to gather data both covertly, as in the case of spyware, and overtly, through the unlawful and illegitimate use of Cellebrite mobile phone extraction technology,” Amnesty International noted.
Responding to the findings, Israeli company Cellebrite said it’s investigating the claims of misuse of its tools and that it would take appropriate measures, including terminating its relationship with relevant agencies, if they are found to be in violation of its end-user agreement.
In tandem, the research also uncovered a zero-day privilege escalation exploit used by Cellebrite’s universal forensic extraction device (UFED) – a software/system that allows law enforcement agencies to unlock and gain access to data stored on mobile phones – to gain elevated access to a Serbian activist’s device.
The vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), is a user-after-free bug in Qualcomm’s Digital Signal Processor (DSP) Service (adsprpc) that could lead to “memory corruption while maintaining memory maps of HLOS memory.” It was patched by the chipmaker in October 2024.
Google, which initiated a “broader code review process” following the receipt of kernel panic logs generated by the in-the-wild (ITW) exploit earlier this year, said it discovered a total of six vulnerabilities in the adsprpc driver, including CVE-2024-43047.
“Chipset drivers for Android are a promising target for attackers, and this ITW exploit represents a meaningful real-world example of the negative ramifications that the current third-party vendor driver security posture poses to end-users,” Seth Jenkins of Google Project Zero said.
“A system’s cybersecurity is only as strong as its weakest link, and chipset/GPU drivers represent one of the weakest links for privilege separation on Android in 2024.”
The development comes as the European arm of the Center for Democracy and Technology (CDT), alongside other civil society organizations such as Access Now and Amnesty International, sent a letter to the Polish Presidency of the Council of the European Union, calling for prioritizing action against abuse of commercial surveillance tools.
It also follows a recent report from Lookout about how law enforcement authorities in Mainland China are using a lawful intercept tool codenamed EagleMsgSpy to gather a wide range of information from mobile devices after having gained physical access to them.
Earlier this month, the Citizen Lab further revealed that the Russian government detained a man for donating money to Ukraine and implanted spyware, a trojanized version of a call recorder app, on his Android phone before releasing him.