The Serbian journalist’s phone was first unlocked with the Cellebrite tool and then infected with a previously undocumented spyware codenamed NoviSpy, says a new report published by Amnesty International.
“NoviSpy allows for capturing sensitive personal data from a target’s phone after infection and provides the ability to turn on the phone’s microphone or camera remotely,” Amnesty said in an 87-page technical report.
An analysis of forensic evidence indicates that spyware was installed when freelance journalist Slavisa Milanov’s phone was in the hands of Serbian police during his arrest in early 2024.
Some of the other targets included youth activist Nikola Ristic, environmental activist Ivan Milosavljevic Buka, and an unnamed activist from Krakadyl, a Belgrade-based organization that promotes dialogue and reconciliation in the Western Balkans.
The development marks one of the first known cases of two disparate, highly invasive technologies being used in combination to facilitate the tracking and theft of sensitive data.
Specifically, NoviSpy is designed to collect various types of information from compromised phones, including screenshots of all phone activity, the target’s location, audio and microphone recordings, files, and photos. It is installed using the Android Debug Bridge (adb) command-line utility and appears as two applications:
- NoviSpyAdmin (com.serv.services) which requests broad permissions to collect call logs, SMS messages, contact lists and microphone audio recording
- NoviSpyAccess (com.accessibilityservice), which abuses Android accessibility services to stealthily collect screenshots from email accounts and messaging apps like Signal and WhatsApp, steal files, track the device’s location, and activate the camera
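A defender-side triage check for the indicators listed above, written as an added example that is not from the article or from Amnesty’s own tooling: it parses (constructed) output of `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services` and flags the two package names the report attributes to NoviSpy.

```python
"""Triage helper: flag the NoviSpy package names from the Amnesty report
in adb output captured from an Android device.

The two package names come from the report; the sample adb outputs below
are constructed for this example and are not real capture data."""

# Package names the report attributes to NoviSpy (not constructed).
NOVISPY_PACKAGES = {
    "com.serv.services": "NoviSpyAdmin",
    "com.accessibilityservice": "NoviSpyAccess",
}


def installed_packages(pm_output: str) -> set[str]:
    """Parse `pm list packages` output, one `package:<name>` per line."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def enabled_accessibility_packages(setting_value: str) -> set[str]:
    """Parse `settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of `<package>/<service class>`
    entries; an unset value prints as `null`."""
    value = setting_value.strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def triage(pm_output: str, setting_value: str) -> list[str]:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    installed = installed_packages(pm_output)
    a11y = enabled_accessibility_packages(setting_value)
    for pkg, label in NOVISPY_PACKAGES.items():
        if pkg in installed:
            findings.append(f"{label} package present: {pkg}")
        if pkg in a11y:
            findings.append(f"{label} registered as an accessibility service: {pkg}")
    return findings


# Constructed sample output; the service class name is a placeholder.
SAMPLE_PM = ("package:com.android.settings\npackage:com.serv.services\n"
             "package:com.accessibilityservice\n")
SAMPLE_A11Y = "com.accessibilityservice/.PlaceholderService"

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM, SAMPLE_A11Y):
        print(finding)
```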
Who exactly developed NoviSpy is currently unknown, although Amnesty told 404 media that it could have been built by the Serbian authorities themselves or purchased from a third party. The spyware is said to have been in development since at least 2018.
“Together, these tools give the state an enormous opportunity to collect data both covertly, as in the case of spyware, and overtly, through the illegal and illegitimate use of Cellebrite’s cell phone mining technology,” Amnesty International noted.
In response to the findings, Israel-based Cellebrite said it was investigating claims of abuse of its tools and that it would take appropriate action, including terminating relationships with the agencies concerned if they were found to be in violation of the end-user agreement.
In tandem, the research also discovered a zero-day privilege escalation exploit used by Cellebrite’s Universal Forensic Extraction Device (UFED), a system that lets law enforcement unlock and access data stored on mobile phones, to gain elevated access to the Serbian activist’s device.
The vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), is a use-after-free bug in Qualcomm’s Digital Signal Processor (DSP) service (adsprpc) that could lead to “memory corruption while maintaining memory maps of HLOS memory.” It was fixed by the chipmaker in October 2024.
Google, which initiated a “broader code review process” after receiving kernel panic logs created by an in-the-wild (ITW) exploit earlier this year, said it had discovered a total of six vulnerabilities in the adsprpc driver, including CVE-2024-43047.
“Android chipset drivers are a promising target for attackers, and this ITW exploit is a significant real-world example of the negative consequences that the current security posture of third-party drivers creates for end users,” Seth Jenkins of Google Project Zero said.
“A system’s cybersecurity is only as strong as its weakest link, and chipset/GPU drivers represent one of the weakest links for privilege separation on Android in 2024.”
The development comes as the European arm of the Center for Democracy and Technology (CDT), together with other civil society organizations such as Access Now and Amnesty International, sent a letter to Poland, which presides over the Council of the European Union, calling for priority to be given to action against the misuse of commercial surveillance tools.
It also follows a recent Lookout report on how law enforcement agencies in China are using a lawful intercept tool codenamed EagleMsgSpy to collect a wide range of information from mobile devices after gaining physical access to them.
Earlier this month, Citizen Lab revealed that the Russian government detained a man for donating money to Ukraine and installed spyware, a trojanized version of a call recording program, on his Android phone before releasing him.