The Serbian authorities have been using advanced mobile forensics products made by Israeli firm Cellebrite to extract data from mobile devices illegally
# Incident Report: State-Sponsored Surveillance of Serbian Activists via Bespoke Android Spyware
## Executive Summary
Serbian state agencies, including police and the BIA, have been accused by Amnesty International of surveilling journalists and civil society activists using a previously unknown, bespoke Android spyware named NoviSpy. The infection process leveraged Cellebrite mobile forensics tools to bypass device security, potentially installing the spyware during police interviews or detentions. The compromise allowed remote access to sensitive data, microphone, and camera controls on targeted devices.
## Incident Details
- **Discovery Date:** December 16, 2024 (Date of Amnesty report publication)
- **Incident Date:** Ongoing/Prior to December 2024
- **Affected Organization:** Targeted Serbian journalists and environmental/civil rights activists (e.g., Slaviša Milanov, Nikola Ristić).
- **Sector:** Civil Society, Media, Activism
- **Geography:** Serbia
## Timeline of Events
Since the exact dates of individual infections are not specified, the timeline reflects the discovery and reported methods:
### Initial Access
- **Date/Time:** Occurred during periods of detention or police interviews.
- **Vector:** Covert installation of NoviSpy leveraging Cellebrite mobile forensics tools.
- **Details:** In at least two cases, Cellebrite exploits were used to bypass standard Android security mechanisms to install NoviSpy without user consent. Zero-day vulnerabilities in Android devices using Qualcomm chipsets were also exploited.
### Lateral Movement
- The report focuses on targeted device compromise rather than extensive network lateral movement, suggesting direct device infection was the primary goal.
### Data Exfiltration/Impact
- **Details:** NoviSpy captured sensitive personal data. The spyware provided surveillance capabilities, including remote activation of the device’s microphone or camera. Cellebrite tools were used *after* infection to extract data from the unlocked device.
### Detection & Response
- **How it was discovered:** Amnesty International's Security Lab conducted forensic analysis on targeted devices.
- **Response actions taken:** Amnesty shared findings with the Serbian government prior to publication (no response received). Cellebrite stated it was investigating and willing to impose sanctions, potentially terminating its relationship with relevant agencies.
## Attack Methodology
- **Initial Access:** Covert installation of NoviSpy enabled by Cellebrite tools unlocking devices or exploiting zero-day vulnerabilities (Qualcomm chipsets).
- **Persistence:** Implied by the function of the spyware (NoviSpy remains active to monitor the device).
- **Privilege Escalation:** Exploitation of a zero-day vulnerability in Android devices using Qualcomm chipsets to gain privileged access.
- **Defense Evasion:** Covert installation during official police interactions. NoviSpy is described as less technologically advanced than Pegasus, but its surveillance capabilities are still extensive.
- **Credential Access:** Not explicitly detailed, but data capture capabilities imply potential access to stored credentials.
- **Discovery:** Use of Cellebrite tools upon device access to survey existing data.
- **Lateral Movement:** Not the primary focus of the report, which centers on host compromise.
- **Collection:** Capturing sensitive personal data; monitoring via remote microphone/camera activation.
- **Exfiltration:** Data extraction facilitated by Cellebrite tools once the device was compromised and unlocked.
- **Impact:** Extensive surveillance and suppression of civil society.
## Impact Assessment
- **Financial:** Not disclosed/Not applicable to the targets specifically.
- **Data Breach:** Sensitive personal data, private communications, and potentially compromising audio/visual recordings.
- **Operational:** Severe disruption to the work and safety of targeted journalists and activists; chilling effect on civil society.
- **Reputational:** Severe reputational damage to the Serbian government agencies involved and potential damage to Cellebrite's reputation due to alleged misuse.
## Indicators of Compromise
*Note: Specific IoCs were likely removed or defanged in the original findings shared by Amnesty, but the methodology points to the following:*
- **Network indicators:** Command-and-control (C2) communication from the NoviSpy payload; no specific domains or addresses are reproduced in this summary.
- **File indicators:** Presence of the NoviSpy Android package.
- **Behavioral indicators:** Remote activation of the camera or microphone, unexplained battery drain, or unauthorized data transfer.
## Response Actions
- **Containment measures:** Amnesty's reporting serves as a public exposure, which *should* lead to the isolation and forensic imaging of the allegedly compromised devices. (No explicit organizational containment actions are documented).
- **Eradication steps:** Removal of the NoviSpy payload and related artifacts from affected devices.
- **Recovery actions:** Security patch implementation (Qualcomm vulnerability fixed in October 2024 bulletin). Review and hardening of device security protocols, especially during police interactions.
## Lessons Learned
- State actors are employing bespoke spyware (NoviSpy) in conjunction with commercial forensic tools (Cellebrite) to enhance targeting efficiency against vulnerable groups.
- Mobile forensic tools intended for lawful data extraction can be weaponized or used to facilitate the surreptitious installation of surveillance software during official processes (e.g., police interviews).
- A zero-day vulnerability affecting widely used chipsets (Qualcomm) provided a significant window of opportunity for state-level compromise.
## Recommendations
- **Device Hardening:** Individuals in high-risk professions (journalists, activists) should employ robust mobile security practices, including disabling biometrics when necessary, using strong passcodes, and avoiding device usage during interactions with state authorities if possible.
- **Patch Management:** Rapid implementation of security updates, especially for critical chipset vulnerabilities (Qualcomm updates).
- **Supply Chain Due Diligence:** Increased scrutiny of vendors like Cellebrite regarding end-user agreements and auditing customer compliance to prevent the misuse of powerful digital forensic technology for surveillance purposes.