Serbian government cracked phones with Cellebrite to install spyware, report says
Serbian authorities used Cellebrite software to covertly unlock phones belonging to civilians and then infect them with spyware, digital privacy researchers said Monday.
Victims of the Cellebrite-facilitated spying reported that their phones were seized and apparently tampered with while they were being interviewed by Serbian authorities, according to a report by Amnesty International.
The apparent use of Cellebrite software to unlock and embed spyware in devices belonging to at least two civilians marks the first known instances of authorities combining the invasive technologies to facilitate snooping, Amnesty said.
Cellebrite’s software is used by police worldwide to crack into locked phones, and it has helped the FBI extract data belonging to suspects in notorious cases, including a device belonging to the man accused of trying to assassinate Donald Trump in July.
The report details four cases where phones were infected with spyware while in the possession of Serbian authorities: two instances involving Cellebrite, and two others using unspecified methods.
Amnesty says Cellebrite is “systemically deployed” by Serbian authorities surveilling journalists, activists and other civilians.
NoviSpy discovery
The Amnesty investigation also led to the discovery of a new kind of Serbia-produced spyware used to target Android devices, which the organization has named NoviSpy. The surveillance tool allows users to access data stored in phones and turn on a device’s microphone and camera remotely, according to the Amnesty report. Dozens, if not hundreds, of unique devices were targeted with NoviSpy spyware in recent years, the report said, citing technical evidence.
NoviSpy samples pulled from infected devices and studied by Amnesty researchers showed they all communicated with servers hosted in Serbia.
One of the samples was set up to connect directly to an IP address range tied to a specific employee working for Serbia’s security forces, according to Amnesty. The employee was previously linked to the Serbian government’s attempt to buy spyware from the now-defunct Italian commercial surveillance firm Hacking Team years ago, Amnesty said.
Serbian authorities targeted journalists and activists with the surveillance technology, Amnesty said, including Slaviša Milanov, who reported his phone was acting strangely after police detained him following a February traffic stop.
Milanov left his phone with a police reception desk while he was questioned and, upon being released, noticed his data and WiFi settings were turned off. Aware that journalists in Serbia have been widely surveilled, Milanov brought his phone to Amnesty International’s Security Lab for analysis.
Digital forensic researchers there found traces of a Cellebrite product and the newly discovered spyware.
Milanov asserts that police never asked for the passcode to his Android device and did not tell him they were searching his phone.
“The [spyware] infection was dependent on the use of Cellebrite to unlock the device,” the report said. “Two forms of highly invasive technologies were used in combination to target the device of an independent journalist, leaving almost his entire digital life open to the Serbian authorities.”
Cellebrite has long claimed it has strict policies to prevent its powerful technology from being abused, but, as Amnesty noted, “this discovery provides clear evidence of a journalist’s phone being targeted without any form of due process.”
A spokesperson for the company emailed a statement saying that its technology gives law enforcement tools to protect and save lives. The software cannot be used without consent or a warrant, the statement said.
The company is investigating Amnesty’s allegations and if it finds they are valid it is “prepared to impose appropriate sanctions, including termination of Cellebrite’s relationship with any relevant agencies.”
“We take all allegations seriously of a customer’s potential misuse of our technology in ways that would run counter to both explicit and implied conditions outlined in our end-user agreement,” the statement said.
Serbia has been rocked by significant anti-government protests since 2021, prompting a crackdown by authorities and increasing digital repression aimed at activists and journalists in particular.
Serbian authorities also used Cellebrite to take advantage of a zero-day vulnerability, or a flaw unknown to the software maker, to access an environmental activist’s phone, the report says.
The vulnerability affects millions of Android devices equipped with Qualcomm chipsets, Amnesty said. In October, Qualcomm released an update fixing the problem.
Some activists’ devices separately were targeted by powerful zero-click Pegasus spyware, Amnesty said.
The NSO Group, which manufactures Pegasus, could not confirm for Amnesty whether the Serbian government is a client. In August 2023, Pegasus was found on phones belonging to two unnamed victims on the eve of national elections.
A spokesperson for the NSO Group did not respond to a request for comment.
The report’s findings are drawn from interviews with 13 people directly targeted by spyware or mobile data extraction products, Amnesty said.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.