Report claims that Serbian authorities abused Cellebrite tool to install NoviSpy spyware

Pierluigi Paganini December 16, 2024

Researchers warn of previously undetected surveillance spyware, named NoviSpy, that was found infecting a Serbian journalist’s phone.

In February 2024, Serbian journalist Slaviša Milanov was summoned to a police station after a routine traffic stop. After the police released him, Milanov noticed suspicious changes to his phone settings, such as disabled data and Wi-Fi. He then asked Amnesty International’s Security Lab for help, fearing that he was the target of surveillance software like other journalists in Serbia.

Amnesty International made two disconcerting discoveries while investigating Milanov’s phone. First, forensic traces showed that Serbian police used a Cellebrite tool to unlock and extract data from his device without informing him, obtaining legal consent, or disclosing the search’s purpose. Second, the analysis revealed a previously undetected spyware, named “NoviSpy,” which can extract personal data and activate the device’s microphone or camera, and which was installed while the phone was in police possession. The spyware’s deployment relied on Cellebrite’s unlocking process, combining two invasive technologies to comprehensively compromise the journalist’s digital privacy.

NoviSpy can extract sensitive data from compromised Android devices, including screenshots, location data, audio recordings, files, and photos. The malware is deployed via the Android Debug Bridge (adb) command-line utility.

NoviSpy spyware samples from devices analyzed by Amnesty were controlled by C2 servers in Serbia. The experts also discovered that one spyware configuration was linked to an IP range associated with Serbia’s intelligence agency, the BIA, and to a specific BIA employee tied to past spyware procurement efforts. Based on the evidence, including the spyware’s installation during BIA interviews, these surveillance campaigns are attributed with high confidence to the BIA and the Serbian government.

Serbian authorities also extensively and illegitimately used the Cellebrite extraction suite to download personal data from the phones of journalists and protest organizers.

“In at least two cases Amnesty International documented, the Cellebrite UFED product and associated exploits were used to covertly bypass phone security features, enabling Serbian authorities to infect the devices with NoviSpy spyware. These covert infections, which also occurred during interviews with police or BIA, were only possible because of the capabilities provided by advanced technology like Cellebrite UFED to bypass device encryption.” reads the report published by Amnesty. “While activists have long expressed concerns about spyware infections occurring during police interviews, Amnesty International believes that this report describes the first forensically documented spyware infections enabled by the use of Cellebrite mobile forensic technology.”

Amnesty International’s Security Lab also discovered that the Cellebrite UFED extraction tool exploited CVE-2024-43047, a use-after-free zero-day vulnerability affecting multiple Qualcomm chipsets, which Google patched in November. A joint effort by Amnesty International and Google identified the exploit through analysis of forensic logs found on the phone of a protest organizer detained by Serbian police.

Other targets of the NoviSpy spyware campaign included the activist Nikola Ristić, environmental activist Ivan Milosavljević Buki, and an unnamed activist from Krokodil, a Belgrade-based NGO.

At this time, the origin of NoviSpy remains unclear. It may have been developed internally by Serbian authorities or purchased from a third-party surveillance vendor. Development traces back to at least 2018.

“The report also highlights emerging surveillance tactics including the widespread use of invasive digital forensic tools to collect data from peaceful protestors not charged with any crime.” continues the report. “As security improvements make zero-click and other remote spyware attacks prohibitively expensive or unfeasible, authorities may increasingly turn to infecting devices with spyware through physical access to a device. Indeed, some States have proposed specific legislation to allow secret break-ins to homes in order to infect devices with targeted spyware.”

Serbia’s police labeled the Amnesty report as “absolutely incorrect.”

“Serbia’s police said in a statement that the Amnesty report is “absolutely incorrect,” but also added that “the forensic tool is used in the same way by other police forces around the world.”” reported the Associated Press.

“Serbia must commit to immediately stop using highly invasive spyware and carry out prompt, independent and impartial investigations into all documented and reported cases of unlawful digital surveillance.” concludes the report. “It also must take concrete steps to ensure that digital technologies are not misused to violate human rights, including by putting in place and robustly enforcing a legal framework that provides meaningful procedural safeguards, effective systems of control and oversight through judicial review, and effective mechanisms for redress for victims.”


Pierluigi Paganini

(SecurityAffairs – hacking, NoviSpy)

