Police and intelligence services in Serbia are using advanced mobile forensics products and previously unknown spyware to illegally surveil journalists, environmental campaigners and civil rights activists, according to a report.
The report shows how mobile forensic products from the Israeli firm Cellebrite are used to unlock and extract data from individuals’ mobile devices, which are being infected with a new Android spyware system, NoviSpy.
Serbian authorities are using “surveillance technology and digital repression tactics as instruments of wider state control and repression directed against civil society”, according to Dinushika Dissanayake of Amnesty International, which authored the report.
Dissanayake, Amnesty’s deputy regional director for Europe, said the report showed how Cellebrite products, used by police and intelligence services worldwide, could pose “an enormous risk” to rights activists “when used outside strict legal control”.
Cellebrite’s tools for law enforcement agencies and government entities allow data to be extracted from an array of devices, including recent Android and iPhone mobile phones, and can unlock them without access to the device’s passcode.
NoviSpy, while less technically advanced than highly invasive spyware such as Pegasus, still lets Serbian authorities capture sensitive personal data from a target phone and allows a phone’s microphone or camera to be turned on remotely.
The report documents how Serbian authorities used Cellebrite products to enable NoviSpy spyware infections of journalists’ and activists’ mobile phones, including – on at least two occasions – during police interviews.
A Serbian investigative journalist, Slaviša Milanov, was briefly detained by police in February this year on the pretext of a drink-driving test. His Android phone was turned off when he surrendered it and he was never asked for the passcode.
After his release, Slaviša noticed that his phone, left at the police station reception, seemed to have been tampered with and its data was off. Analysis by Amnesty’s lab showed a Cellebrite product had unlocked it and NoviSpy had been installed.
Forensic evidence was also found to show Cellebrite products had been used to unlock a phone belonging to the environmental activist Nikola Ristić, which was subsequently also infected with NoviSpy.
Donncha Ó Cearbhaill, the head of Amnesty’s Security Lab, said the evidence “proves NoviSpy was installed while the Serbian police had possession of Slaviša’s device, and the infection was dependent on the use of an advanced tool like Cellebrite UFED”.
Amnesty “attributes the NoviSpy spyware to [Serbia’s security information agency] BIA with high confidence”, Ó Cearbhaill said. Other activists, including a member of Krokodil, which promotes western Balkan reconciliation, were similarly targeted.
Amnesty said it had informed Android and Google of NoviSpy before the report’s publication and the spyware had been removed from affected Android devices. Google had also sent “government-backed attack” alerts to possible targets, it said.
Activists targeted by Pegasus spyware in Serbia said they had been left traumatised. “This is an incredibly effective way to completely discourage communication between people,” said one, who asked to remain anonymous. “Anything you say could be used against you, which is paralysing at both personal and professional levels.”
Another said the result was “you either opt for self-censorship or you speak up regardless – in which case you have to be ready to face the consequences”.
NSO Group, which developed Pegasus, did not confirm Serbia was a customer but said it “takes seriously its responsibility to respect human rights and is strongly committed to avoiding causing, contributing to, or being directly linked to negative human rights impacts”. It said it reviewed all credible allegations of misuse of group products.
Cellebrite did not provide any response or comment to the report, which it was sent before publication, Amnesty said. Serbian authorities similarly did not respond to requests for comment.
During the research process, the Israeli company did send Amnesty a short response stating that it was not a surveillance company and did not provide cyber-surveillance technology or spyware.
Cellebrite said its product was a “digital investigative platform [that] equips law enforcement agencies with technology needed to protect and save lives, accelerate justice and preserve data privacy”.
It added that its products were “licensed strictly for lawful use, require a warrant or consent to help law enforcement agencies with legally sanctioned investigations after a crime has taken place”.
Amnesty said that while this may be the products’ intended use, its research clearly showed they could be misused “to enable spyware deployment and the broad collection data from mobile phones outside justified criminal investigations”.
It said Cellebrite and other digital forensic companies “must conduct adequate due diligence to ensure that their products are not used in a way which contributes to human rights abuses”.
