Jon Henley Europe correspondent 

Serbian authorities using spyware to illegally surveil activists, report finds

Advanced mobile forensics products being used to illegally extract data from mobile devices, Amnesty finds
  
  

USB device is attached to Cellebrite UFED TOUCH
Amnesty International’s report shows mobile forensic products from the Israeli firm Cellebrite are being used by police and intelligence services. Photograph: Issei Kato/Reuters

Police and intelligence services in Serbia are using advanced mobile forensics products and previously unknown spyware to illegally surveil journalists, environmental campaigners and civil rights activists, according to a report.

The report shows how mobile forensic products from the Israeli firm Cellebrite are used to unlock and extract data from individuals’ mobile devices, which are being infected with a new Android spyware system, NoviSpy.

Serbian authorities are using “surveillance technology and digital repression tactics as instruments of wider state control and repression directed against civil society”, according to Dinushika Dissanayake of Amnesty International, which authored the report.

Dissanayake, Amnesty’s deputy regional director for Europe, said the report showed how Cellebrite products, used by police and intelligence services worldwide, could pose “an enormous risk” to rights activists “when used outside strict legal control”.

Cellebrite’s tools for law enforcement agencies and government entities allow data to be extracted from an array of devices, including recent Android and iPhone mobile phones, and can unlock them without access to the device’s passcode.

NoviSpy, while less technically advanced than highly invasive spyware such as Pegasus, still lets Serbian authorities capture sensitive personal data from a target phone and allows a phone’s microphone or camera to be turned on remotely.

The report documents how Serbian authorities used Cellebrite products to enable NoviSpy spyware infections of journalists’ and activists’ mobile phones, including – on at least two occasions – during police interviews.

A Serbian investigative journalist, Slaviša Milanov, was briefly detained by police in February this year on the pretext of a drink-driving test. His Android phone was turned off when he surrendered it and he was never asked for the passcode.

After his release, Slaviša noticed that his phone, left at the police station reception, seemed to have been tampered with and its data was off. Analysis by Amnesty’s lab showed a Cellebrite product had unlocked it and NoviSpy had been installed.

Forensic evidence was also found to show Cellebrite products had been used to unlock a phone belonging to the environmental activist Nikola Ristić, which was subsequently also infected with NoviSpy.

Donncha Ó Cearbhaill, the head of Amnesty’s Security Lab, said the evidence “proves NoviSpy was installed while the Serbian police had possession of Slaviša’s device, and the infection was dependent on the use of an advanced tool like Cellebrite UFED”.

Amnesty “attributes the NoviSpy spyware to [Serbia’s security information agency] BIA with high confidence”, Ó Cearbhaill said. Other activists, including a member of Krokodil, which promotes western Balkan reconciliation, were similarly targeted.

Amnesty said it had informed Android and Google of NoviSpy before the report’s publication and the spyware had been removed from affected Android devices. Google had also sent “government-backed attack” alerts to possible targets, it said.

Activists targeted by Pegasus spyware in Serbia said they had been left traumatised. “This is an incredibly effective way to completely discourage communication between people,” said one, who asked to remain anonymous. “Anything you say could be used against you, which is paralysing at both personal and professional levels.”

Another said the result was “you either opt for self-censorship or you speak up regardless – in which case you have to be ready to face the consequences”. Serbian authorities did not respond to requests for comment.

NSO Group, which developed Pegasus, did not confirm Serbia was a customer but said it “takes seriously its responsibility to respect human rights and is strongly committed to avoiding causing, contributing to, or being directly linked to negative human rights impacts”. It said it reviewed all credible allegations of misuse of group products.

Cellebrite said in a statement after the report’s publication that “ethical, judicial and lawful use” of its technology was “paramount to our mission of accelerating justice and saving lives around the globe”, adding that its software did not install malware or perform real-time, spyware-type surveillance or other offensive cyber activity.

The company said it took seriously all allegations of potential misuse of its technology “in ways that would run counter to … conditions outlined in our license agreement” and “appreciates Amnesty highlighting the alleged misuse”.

It said it was investigating the claims and was prepared to take measures including terminating its relationship with relevant agencies. Cellebrite complied with all relevant sanctions and export controls and since 2020 had voluntarily ceased selling to customers in more than 60 countries, including some cited in the report, it noted.

During the research process, the Israeli company told Amnesty its products were “licensed strictly for lawful use, require a warrant or consent to help law enforcement agencies with legally sanctioned investigations after a crime has taken place ”.

Amnesty said that while this may be the products’ intended use, its research clearly showed they could be misused “to enable spyware deployment and the broad collection data from mobile phones outside justified criminal investigations”.

 

Leave a Comment

Required fields are marked *

*

*