
Report claims that Serbian authorities abused Cellebrite tool to install NoviSpy spyware


Researchers warn of previously undetected surveillance spyware, named NoviSpy, that was found infecting a Serbian journalist’s phone.

In February 2024, Serbian journalist Slaviša Milanov was summoned to a police station after a routine traffic stop. After the police released him, Milanov noticed suspicious changes to his phone settings, such as mobile data and Wi-Fi having been switched off. He then asked Amnesty International’s Security Lab for help, fearing that, like other journalists in Serbia, he had been targeted with surveillance software.

Amnesty International made two disconcerting discoveries while investigating Milanov’s phone. First, forensic traces showed that Serbian police had used a Cellebrite tool to unlock the device and extract data from it without informing him, obtaining his consent, or disclosing the purpose of the search. Second, the analysis revealed a previously undetected spyware, named “NoviSpy,” that can extract personal data and activate the device’s microphone or camera, and that had been installed while the phone was in police possession. The spyware’s deployment relied on Cellebrite’s unlocking step: two invasive technologies were combined, one to break into the device and one to keep watching it afterwards.

NoviSpy can extract sensitive data from compromised Android devices, including screenshots, location data, audio recordings, files, and photos. The malware is sideloaded with the Android Debug Bridge (adb) command-line utility, which presupposes hands-on access to an unlocked device rather than a remote or zero-click delivery.
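An adb sideload leaves traces that a forensic examiner can look for: the package has no store installer recorded, and its install time falls inside the window when the phone was out of its owner’s hands. The following Python script is an added example written for this article, not code from Amnesty’s report or from any NoviSpy sample. It parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and of `adb shell dumpsys package <pkg>` (first install time and granted permissions), flags packages with no installer, checks them against a custody window, and lists the permissions that would be needed for the microphone, camera, location and file access the article describes. All package names, timestamps and command output below are constructed sample data; the line formats are those of recent Android builds and may differ on older versions.

```python
import re
from datetime import datetime

# Runtime permissions consistent with the capabilities described for NoviSpy
# (audio, camera, location, files and photos). Screenshots need no runtime
# permission, so they cannot be inferred from a permission list.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}

# Constructed sample output of `adb shell pm list packages -3 -i`.
# Package names are hypothetical; "installer=null" is what a sideload looks like.
PM_LIST_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:org.mozilla.firefox  installer=com.android.vending
package:com.example.sysupdate  installer=null
"""

# Constructed excerpts of `adb shell dumpsys package <pkg>`, keyed by package
# (in practice you would run the command once per package and capture the text).
DUMPSYS_OUTPUT = {
    "com.whatsapp": """\
  Package [com.whatsapp] (1a2b3c):
    firstInstallTime=2023-06-10 09:14:02
    lastUpdateTime=2024-01-28 18:40:11
    installerPackageName=com.android.vending
    grantedPermissions:
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
""",
    "org.mozilla.firefox": """\
  Package [org.mozilla.firefox] (4d5e6f):
    firstInstallTime=2023-09-02 12:00:45
    installerPackageName=com.android.vending
    grantedPermissions:
      android.permission.INTERNET
""",
    "com.example.sysupdate": """\
  Package [com.example.sysupdate] (7a8b9c):
    firstInstallTime=2024-02-15 10:22:31
    lastUpdateTime=2024-02-15 10:22:31
    installerPackageName=null
    grantedPermissions:
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_EXTERNAL_STORAGE
""",
}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
PERM_LINE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)\s*$")


def parse_pm_list(text):
    """Return {package: installer or None}. None means no store installer
    was recorded, which is what an `adb install` sideload looks like."""
    result = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def parse_dumpsys(text):
    """Pull firstInstallTime and the grantedPermissions block from a dumpsys excerpt."""
    first_install, perms, in_perms = None, set(), False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("firstInstallTime="):
            first_install = datetime.strptime(stripped.split("=", 1)[1], "%Y-%m-%d %H:%M:%S")
        elif stripped == "grantedPermissions:":
            in_perms = True
        elif in_perms:
            m = PERM_LINE.match(line)
            if m:
                perms.add(m.group(1))
            else:
                in_perms = False  # end of the indented permission list
    return {"first_install": first_install, "permissions": perms}


def triage(pm_text, dumpsys_by_pkg, window_start, window_end):
    """Report every sideloaded package, whether it was first installed inside the
    custody window, and which sensitive permissions it holds."""
    findings = []
    for pkg, installer in parse_pm_list(pm_text).items():
        if installer is not None:
            continue  # installed through a store; not a sideload
        info = parse_dumpsys(dumpsys_by_pkg.get(pkg, ""))
        ts = info["first_install"]
        findings.append({
            "package": pkg,
            "first_install": ts,
            "installed_in_window": ts is not None and window_start <= ts <= window_end,
            "sensitive_permissions": sorted(info["permissions"] & SENSITIVE_PERMISSIONS),
        })
    return findings


# Constructed custody window matching the sample data (hypothetical police stop).
SAMPLE_WINDOW = (datetime(2024, 2, 15, 9, 0, 0), datetime(2024, 2, 15, 13, 0, 0))


def run_sample():
    return triage(PM_LIST_OUTPUT, DUMPSYS_OUTPUT, *SAMPLE_WINDOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

A missing installer alone is not proof of compromise (users sideload legitimate apps too), which is why the script pairs it with the install timestamp and the permission set; a package that matches all three is worth pulling off the device for static analysis. Note that a sufficiently privileged implant can alter or hide these records, so the absence of a finding does not clear the device.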

NoviSpy spyware samples from devices analyzed by Amnesty were controlled by C2 servers in Serbia. The experts also discovered that one spyware configuration linked to an IP range associated with Serbia’s intelligence agency, the BIA, and to a specific BIA employee tied to past spyware procurement efforts. Evidence, including the spyware’s installation during BIA interviews, attributes these surveillance campaigns with high confidence to the BIA and Serbian government.

Serbian authorities also made extensive use of the Cellebrite extraction suite, without a lawful basis, to download personal data from the phones of journalists and protest organizers.

“In at least two cases Amnesty International documented, the Cellebrite UFED product and associated exploits were used to covertly bypass phone security features, enabling Serbian authorities to infect the devices with NoviSpy spyware. These covert infections, which also occurred during interviews with police or BIA, were only possible because of the capabilities provided by advanced technology like Cellebrite UFED to bypass device encryption.” reads the report published by Amnesty. “While activists have long expressed concerns about spyware infections occurring during police interviews, Amnesty International believes that this report describes the first forensically documented spyware infections enabled by the use of Cellebrite mobile forensic technology.”

Amnesty International’s Security Lab also discovered that the Cellebrite UFED extraction tool exploited a zero-day use-after-free vulnerability affecting multiple Qualcomm chipsets, tracked as CVE-2024-43047, which was fixed in the November 2024 Android security updates. A joint effort by Amnesty International and Google identified the exploit from forensic logs found on the phone of a protest organizer detained by Serbian police.

Other targets of the NoviSpy spyware campaign included the activist Nikola Ristić, environmental activist Ivan Milosavljević Buki, and an unnamed activist from Krokodil, a Belgrade-based NGO.

At this time, the origin of NoviSpy remains unclear. It may have been developed in-house by Serbian authorities or purchased from a third-party surveillance vendor. Its development traces back to at least 2018.

“The report also highlights emerging surveillance tactics including the widespread use of invasive digital forensic tools to collect data from peaceful protestors not charged with any crime.” continues the report. “As security improvements make zero-click and other remote spyware attacks prohibitively expensive or unfeasible, authorities may increasingly turn to infecting devices with spyware through physical access to a device. Indeed, some States have proposed specific legislation to allow secret break-ins to homes in order to infect devices with targeted spyware.”

Serbia’s police labeled the Amnesty report as “absolutely incorrect.”

“Serbia’s police said in a statement that the Amnesty report is ‘absolutely incorrect,’ but also added that ‘the forensic tool is used in the same way by other police forces around the world.’” reported the Associated Press.

“Serbia must commit to immediately stop using highly invasive spyware and carry out prompt, independent and impartial investigations into all documented and reported cases of unlawful digital surveillance.” concludes the report. “It also must take concrete steps to ensure that digital technologies are not misused to violate human rights, including by putting in place and robustly enforcing a legal framework that provides meaningful procedural safeguards, effective systems of control and oversight through judicial review, and effective mechanisms for redress for victims.”


Pierluigi Paganini

(SecurityAffairs – hacking, NoviSpy)