
New Android Spyware Operation Exploits Qualcomm Driver Vulnerabilities in Serbia

NoviSpy Spyware

A new investigation by Amnesty International has revealed a sophisticated surveillance operation in Serbia that combined multiple spyware tools to target journalists, activists, and civil society members.

The investigation uncovered a previously unknown spyware called "NoviSpy" being deployed alongside Cellebrite's forensic tools to compromise Android devices.

The case came to light in February 2024 when Slaviša Milanov, an independent journalist from Dimitrovgrad, Serbia, noticed suspicious behavior on his phone after a routine traffic stop where police temporarily possessed his device. 

Forensic analysis by Amnesty International's Security Lab revealed that authorities had used Cellebrite's technology to unlock his phone without consent and subsequently installed the NoviSpy spyware.

NoviSpy, which Amnesty researchers identified for the first time, is capable of capturing sensitive personal data, including screenshots, location information, and audio recordings through remote microphone activation. 

The spyware consists of two components - NoviSpyAdmin and NoviSpyAccess - that exploit Android's accessibility services to collect data stealthily.

The investigation found evidence linking the spyware operations directly to Serbia's Security Information Agency (BIA). 

Technical analysis revealed that NoviSpy samples communicated with servers hosted in Serbia and connected to IP addresses associated with BIA. Configuration data embedded in the spyware was also traced to a specific BIA employee.

In addition to Milanov, other targets included youth activist Nikola Ristić, environmental activist Ivan Milosavljević, and a member of Krokodil, a Belgrade-based organization promoting dialogue in the Western Balkans. The surveillance operations typically occurred during police interviews, where phones were temporarily confiscated and infected.

While conducting this research, the Security Lab also uncovered forensic evidence that led to the identification of a critical zero-day vulnerability (CVE-2024-43047), an Android privilege escalation flaw that had been used to escalate privileges on the device of an activist from Serbia.

The vulnerability (CVE-2024-43047) in Qualcomm's Digital Signal Processor driver, identified in collaboration with security researchers at Android maker Google, affects millions of Android devices worldwide. 

The vulnerability was reported to Qualcomm in August 2024, and a patch fixing the security issue was released in the October 2024 Qualcomm Security Bulletin as CVE-2024-43047.

In response to these findings, Cellebrite stated they are investigating the claims and may terminate relationships with agencies found violating their end-user agreement.

The Serbian government has not commented on the findings, while Norway's Ministry of Foreign Affairs, which had donated some of the forensic tools through a development assistance program, expressed alarm at their potential misuse.

Check the report “A Digital Prison” [PDF] - Surveillance and the Suppression of Civil Society in Serbia, by Amnesty Security Lab.
