Amnesty said it found NoviSpy, an Android spyware linked to Serbian intelligence, on the phones of several members of Serbian civil society following police stops.
Analysis Summary
# Incident Report: Targeted Spyware Deployment on Serbian Journalists and Activists
## Executive Summary
Serbian authorities targeted a journalist and an activist, gaining physical access to their Android phones in order to install spyware, likely with the help of tools from forensic extraction vendor Cellebrite. The primary impact was the compromise of personal data and the establishment of persistent surveillance capabilities on the victims' devices. The response consisted of forensic analysis by Amnesty International, which documented the infections and the suspected use of Cellebrite tools combined with newly identified vulnerabilities, leading to public disclosure and engagement with the tool vendor.
## Incident Details
- Discovery Date: February 2024 (Milanov's initial suspicion) / Ongoing investigation finalized in a December 2024 report by Amnesty International.
- Incident Date: Occurred around February 2024 (Milanov's traffic stop) and continued for other victims.
- Affected Parties: a Serbian journalist (Slaviša Milanov) and a youth activist (Nikola Ristić), with potentially dozens of other civil society members affected.
- Sector: Media/Activism (Civil Society)
- Geography: Serbia
## Timeline of Events
### Initial Access
- Date/Time: February 2024 (for journalist Milanov).
- Vector: Physical seizure of the device during a stop/questioning by local police.
- Details: Slaviša Milanov was stopped during a purported traffic check, taken to a police station, and his Xiaomi Redmi Note 10S Android phone was confiscated during questioning. He was never asked for, nor did he surrender, his passcode.
### Lateral Movement
- Details: No network-based lateral movement is described. Instead, a persistent surveillance mechanism (the spyware) was established on each compromised device, allowing comprehensive monitoring. The incrementing user ID embedded in the spyware code suggests widespread deployment across the Serbian BIA and police network.
### Data Exfiltration/Impact
- Details: Spyware was installed to gain access to private data and enable continuous surveillance; Amnesty's analysis identified it as NoviSpy, a previously undocumented spyware family. The tooling used (suspected Cellebrite software combined with an in-the-wild zero-day) bypassed the device's security controls.
### Detection & Response
- Detection: Journalist Milanov noticed a discrepancy when reviewing his phone's activity with the usage-tracking app StayFree: mobile data and Wi-Fi were reported as off, yet apps had been active during that time.
- Response Actions: Amnesty International performed forensic analysis on dozens of civil society members' devices, documenting the infections, linking the activity to Serbian authorities (BIA/Police), and attributing the initial compromise mechanism possibly to Cellebrite tools exploiting a Qualcomm zero-day.
## Attack Methodology
- Initial Access: **Physical Device Acquisition/Seizure** during law enforcement interaction, followed by manual exploitation (using forensic tools or custom implants).
- Persistence: Installation of spyware, potentially **NoviSpy** or novel malware.
- Privilege Escalation: Likely achieved via device-level exploits facilitated by forensic tools or the use of an Android **Qualcomm chipset zero-day exploit**.
- Defense Evasion: Spyware execution while the device appeared locked or offline, evading standard user checks.
- Credential Access: Not explicitly mentioned, but surveillance tools typically harvest credentials.
- Discovery: Reconnaissance by internal authorities prior to seizure (traffic stop).
- Lateral Movement: Implied internal targeting within Serbian civil society organizations based on user ID sequences found in the malware.
- Collection: Access to private data, including use patterns tracked via apps like StayFree.
- Exfiltration: Not detailed, but implied ongoing remote communication by the spyware.
- Impact: Establishment of ongoing, surreptitious digital surveillance on targeted individuals.
## Impact Assessment
- Financial: Not disclosed in the provided text, although US ICE recently paid $20 million to acquire similar technology.
- Data Breach: Personal data and communications of civil society activists and journalists compromised. Type of data is indicative of full device access.
- Operational: Severe detrimental impact on the ability of targeted journalists and activists to operate freely and securely.
- Reputational: Significant damage to the perceived conduct of Serbian authorities.
## Indicators of Compromise
- Network Indicators (Defanged): IP range previously associated with the BIA: `195.178.51.xxx` (first noted in 2015 findings and still associated with the agency).
- File Indicators: **NoviSpy** malware identified; novel, undocumented spyware found.
- Behavioral Indicators: Unexpected application activity (e.g., data usage) while device settings (Wi-Fi/mobile data) indicated those radios were disabled. Incrementing user IDs in the spyware code, suggesting widespread deployment.
## Response Actions
- Containment Measures: Forensic analysis by Amnesty International to document the extent of infections on numerous local targets.
- Eradication Steps: Not explicitly detailed, but likely involved locating and removing the planted spyware upon discovery.
- Recovery Actions: Public disclosure via Amnesty International report to inform the victims and the broader security community, prompting tool vendor reassessment.
## Lessons Learned
- Physical access remains a highly effective, low-tech vector used by state actors, especially when combined with sophisticated forensic tools or zero-days.
- Forensic or extraction tools (like Cellebrite) can be misused by state actors beyond their intended purpose (forensic analysis) to deploy offensive surveillance payloads.
- Malware development cycles (e.g., NoviSpy dating back to 2018) can be long, indicating sustained internal development by government agencies.
## Recommendations
- Organizations and individuals in high-risk environments must be wary of physical device seizures by authorities, regardless of the stated reason (e.g., traffic stops).
- Device owners should periodically audit application usage patterns to catch subtle signs of compromise when device settings appear normal.
- Procurement agencies (including US ICE, which has spent $20 million on similar technology) must rigorously audit and enforce use restrictions on third-party forensic and surveillance tools.
- Secure coding practices by chipset manufacturers (like Qualcomm) need continuous improvement to close zero-day vulnerabilities quickly once discovered.