A Serbian journalist’s phone was compromised when an unknown hacker used a Cellebrite device to unlock it, which then allowed the installation of previously undetected malware known as ?
According to NoviSpy’s 87-page technical report, the malware enables remote access to a target device’s phone, allowing it to capture sensitive private information after infection and granting the capability to activate the phone’s microphone or camera without physical proximity.
A comprehensive examination of the circumstances surrounding the alleged installation of malicious software on the phone of journalist Slaviša Milanov during his detention by Serbian authorities in January 2024, taking into account relevant forensic evidence and procedural factors that may have contributed to this occurrence.
Targets included renowned youth activist Nikola Ristić, environmental champion Ivan Milosavljević Buki, and a representative from Krokodil, a Belgrade-based organization dedicated to fostering dialogue and reconciliation in the Western Balkans.
The incident represents a pioneering instance where two highly intrusive technologies were combined, enabling surveillance and the unauthorized extraction of sensitive data.
NoviSpy, a sophisticated surveillance tool, is designed to extract diverse types of data from compromised mobile devices, including real-time screenshots of all activities, precise location tracking, audio and microphone recordings, file transfer, and image capture. It’s accomplished using the Android Debug Bridge (ADB) command-line tool, comprising two key functions:
-
The (com.serv.companies) app seeks comprehensive permission to collect user data, including name logs, SMS messages, contact lists, and audio recordings via the device’s microphone.
- Android’s vulnerabilities are exploited by a malware known as (com.accessibilityservice), which surreptitiously collects screenshots from email accounts and popular messaging apps such as Signal and WhatsApp, extracts sensitive data, tracks users’ locations, and activates the camera.
The developer of NoviSpy remains anonymous, with 404 Media suggesting it could be either an in-house creation by Serbian authorities or acquired from a third party. The growth of this adware has allegedly been underway since at least 2018.
“Collectively, these tools grant governments virtually unchecked authority to gather data discreetly, as in the case of malware, and openly, through the illicit exploitation of Cellebrite’s cell phone extraction capabilities,” Amnesty International noted.
In response to the allegations, Cellebrite, an Israeli firm, has launched an investigation into potential misuse of its technology and is considering taking appropriate action, including severing ties with any companies found to be violating its end-user agreement.
In a surprising revelation, an investigation uncovered a previously unknown privilege escalation exploit within Cellebrite’s standard forensic extraction tool (), which is designed for law enforcement agencies to extract data from cellphones, allowing unauthorized access to the Serbian activist’s device.
The vulnerability, tracked as CVE-2022-XXXX (CVSS rating: 7.8), is a user-after-free bug in Qualcomm’s Digital Sign Processor (DSP) Service (adsprpc) that could lead to corrupted memory and sustained access to HLOS memory maps. It was patched by the chipmaker in October 2024.
Google, after receiving kernel panic logs stemming from an in-the-wild exploit, initiated a comprehensive code evaluation process, which led to the discovery of six vulnerabilities in the adsprpc driver, including the notable CVE-2024-43047.
As a professional editor, I would improve the text in the following way:
“Chipset drivers for Android offer a tantalizing target for attackers, and this ITW exploit serves as a stark reminder of the devastating consequences that result from third-party vendor driver safety shortcomings, posing a significant threat to end-users.”
“A device’s cybersecurity is only as strong as its most vulnerable link, and the chipset/GPU driver is a critical weak point that underscores the need for enhanced privilege separation on Android devices in 2024.”
The CDT’s European arm, in partnership with various civil society organisations such as Entry Now and Amnesty International, has written to the Polish Presidency of the Council of the European Union, urging it to prioritise efforts to?
According to a recent report by Lookout, mainland Chinese law enforcement agencies have been employing a legal interception device, codenamed , to gather various types of data from mobile devices following physical access has been obtained.
In early January, the reputable digital watchdog Citizen Lab reported that Russian authorities arrested an individual for providing financial support to Ukraine and compromised his Android device by installing adware – specifically, a malware-infected version of a note-taking app – before releasing him from custody.
