Earlier this year, a Serbian journalist and activist had his cellphone hacked by local authorities using a phone-unlocking device made by forensic tools manufacturer Cellebrite. According to a new Amnesty International report, the authorities' aim was not only to unlock the phone and access personal data, which is what Cellebrite's tool permits, but also to install spyware to enable further surveillance.
Amnesty International said in its report that it believed these were “the first forensically documented spyware infections” made possible through the use of the Cellebrite tool.
This crude but effective technique is one of many ways governments use spyware to spy on their citizens. Over the past decade, organizations such as Amnesty International and digital rights group Citizen Lab have documented dozens of cases in which governments used sophisticated spyware from Western surveillance technology vendors, such as NSO Group, Intellexa, and the defunct spyware pioneer Hacking Team, to remotely hack dissidents, journalists, and political opponents.
Now, advances in security have driven up the price of zero-day exploits and remotely deployed spyware, which may force authorities to fall back on less sophisticated methods that require physical access to the phone being hacked.
Although many incidents of spyware abuse have occurred around the world, there is no guarantee that the same cannot happen in the United States. In November, Forbes reported that the Department of Homeland Security's Immigration and Customs Enforcement (ICE) spent $20 million acquiring phone hacking and surveillance tools, including Cellebrite. As Forbes reported, given the mass deportation campaign promised by President-elect Donald Trump, experts are concerned that ICE will step up its surveillance efforts when the new administration takes over the White House.
A brief history of early spyware
History tends to repeat itself. Even if something new (or undocumented) appears for the first time, it may actually be a repetition of something that has already happened.
Twenty years ago, when government spyware already existed but was largely unknown to the antivirus industry tasked with defending against it, one way for law enforcement to access a target's communications was to physically plant spyware on the target's computer. Authorities had to physically access the device, sometimes by entering the target's home or office, and install the spyware by hand.
Contact Us: Do you have more information about government spyware and its manufacturers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal (+1 917 257 1382), on Telegram and Keybase at @lorenzofb, or by email. You can also contact TechCrunch via SecureDrop.
This is why, for example, early versions of Hacking Team's spyware from the mid-2000s were designed to boot from a USB key or CD. Even earlier, in 2001, the FBI broke into the office of gangster Nicodemo Scarfo and installed spyware designed to monitor what he typed on his keyboard, in order to steal the key Scarfo used to encrypt his emails.
These techniques are coming back into use, if they ever went away.
In early 2024, Citizen Lab documented a case in which the Russian intelligence agency FSB installed spyware on the mobile phone of Kirill Parubets, a Russian national and opposition activist who had lived in Ukraine since 2022, while he was in FSB custody. Russian authorities had forced Parubets to give up his cellphone passcode before planting spyware that could access his personal data.
Stop and search
In a recent incident in Serbia, Amnesty International discovered new spyware on the mobile phones of journalist Slaviša Milanov and youth activist Nikola Ristic.
In February 2024, local police stopped Milanov for what appeared to be a routine traffic check. Amnesty International said he was then taken to a police station, where officers took his Android phone, a Xiaomi Redmi Note 10S, during interrogation.
When Milanov got it back, he said he found something strange.
“I noticed that my mobile data and Wi-Fi were turned off. Mobile data on my phone is always on. That meant someone had hacked into my phone. It was the first time I had any suspicions,” Milanov told TechCrunch in a recent interview.
Milanov then used StayFree, software that tracks how long someone has been using an app, and found that while the phone was switched off and supposedly in the hands of the police, “many applications were active,” which, he said, made him realize that something was wrong.
“We observed that between 11:54 a.m. and 1:08 p.m., the Settings and Security applications were mainly activated, along with File Manager, Google Play Store, Recorder, Gallery, and Contacts. This coincides with the time when the phone was not with me,” Milanov said.
“During that time, they extracted 1.6 GB of data from my phone,” he said.
At that point, Milanov was “unpleasantly surprised and very angry” and had a “bad feeling” that his privacy had been invaded. He contacted Amnesty International to have his phone forensically examined.
Amnesty International's Security Lab Director Donncha Ó Cearbhaill analyzed Milanov's phone and found that it had indeed been unlocked using Cellebrite, and that an Android spyware Amnesty International calls “NoviSpy” (“novi” means “new” in Serbian) had been installed.
Spyware may be 'widely' used in civil society
Amnesty International's analysis of the NoviSpy spyware, together with a series of operational security (OPSEC) failures, implicates the Serbian intelligence services as the developer of the spyware.
Amnesty International's report said the spyware was “used to systematically and covertly infect mobile devices during arrest, detention or, in some cases, intelligence interviews with members of civil society.” “In several cases, arrests and detentions appear to have been orchestrated in order to gain covert access to personal devices to enable data extraction and device infection,” Amnesty said.
Amnesty International believes that NoviSpy was likely developed in Serbia, given that its code contains comments and strings in Serbian and that it is programmed to communicate with servers in Serbia.
A mistake by the Serbian authorities allowed Amnesty researchers to link NoviSpy and one of its servers to the Serbian Security Intelligence Agency, known as Bezbednosno-informativna agencija (BIA).
During their analysis, Amnesty International researchers discovered that NoviSpy was designed to communicate with a specific IP address, 195.178.51.251.
In 2015, that very same IP address had been linked to a Serbian BIA agent. At the time, Citizen Lab found that the IP address identified itself as “DPRODAN-PC” on Shodan, a search engine that lists servers and computers exposed to the Internet. As it turned out, someone with an email address containing “dprodan” had contacted spyware maker Hacking Team about a demo in February 2012. According to leaked Hacking Team emails, company employees gave a demonstration in Belgrade, the capital of Serbia, around that date, which led Citizen Lab to conclude that “dprodan” was also a Serbian BIA employee.
According to Amnesty International, the same IP address range (195.178.51.xxx) identified by Citizen Lab in 2015 is still associated with the BIA, and the BIA's public website was until recently hosted within that range.
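The two checks this story describes, an app-usage timeline compared against the period the phone was out of its owner's hands (Milanov's StayFree observation above) and connection records compared against the NoviSpy server address and the BIA-linked range, can be scripted for triage of an extracted device. The block below is an added example written for this article; it is not code from Amnesty International, Citizen Lab, or TechCrunch. Only the 11:54 a.m. to 1:08 p.m. window, the address 195.178.51.251, and the 195.178.51.xxx range come from the article; the log lines, app package names, the calendar date, and the treatment of the range as a /24 are constructed assumptions.

```python
"""Triage of constructed app-usage and network logs against a custody window.

Added example, not code from Amnesty International, Citizen Lab or TechCrunch.
All sample log lines below are constructed; the time window and the IP
indicators are the ones quoted in the article.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

TS = "%Y-%m-%d %H:%M:%S"

# Indicators quoted in the article. Treating 195.178.51.xxx as a /24 is an
# assumption made for this example.
C2_IPS = {"195.178.51.251"}
C2_RANGES = [ip_network("195.178.51.0/24")]

# Constructed foreground-app timeline in the style of a StayFree export:
# "package,start,end". The date is invented; the 11:54-13:08 span mirrors the
# window Milanov described. Package names are assumed Xiaomi/Android defaults.
USAGE_LOG = """\
com.android.settings,2024-02-15 11:54:10,2024-02-15 11:58:40
com.miui.securitycenter,2024-02-15 11:58:45,2024-02-15 12:20:00
com.android.fileexplorer,2024-02-15 12:20:05,2024-02-15 12:31:00
com.android.vending,2024-02-15 12:31:10,2024-02-15 12:40:00
com.android.soundrecorder,2024-02-15 12:40:05,2024-02-15 12:44:00
com.miui.gallery,2024-02-15 12:44:10,2024-02-15 12:55:00
com.android.contacts,2024-02-15 12:55:05,2024-02-15 13:08:00
com.android.chrome,2024-02-15 15:30:00,2024-02-15 15:42:00
"""

# Constructed outbound-connection records: "timestamp,dst_ip,dst_port".
NET_LOG = """\
2024-02-16 08:02:11,142.250.74.78,443
2024-02-16 08:05:40,195.178.51.251,443
2024-02-16 09:11:02,195.178.51.17,80
2024-02-16 10:00:00,8.8.8.8,53
"""

# The period the owner said the phone was with the police (constructed date).
CUSTODY_START = datetime(2024, 2, 15, 11, 54, 0)
CUSTODY_END = datetime(2024, 2, 15, 13, 8, 0)


@dataclass
class UsageEvent:
    app: str
    start: datetime
    end: datetime


def parse_usage(text):
    """Parse 'package,start,end' lines into UsageEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, start, end = (f.strip() for f in line.split(","))
        events.append(UsageEvent(app, datetime.strptime(start, TS), datetime.strptime(end, TS)))
    return events


def overlap_seconds(ev, w_start, w_end):
    """Seconds of the event that fall inside [w_start, w_end]; 0 if none."""
    lo, hi = max(ev.start, w_start), min(ev.end, w_end)
    return max(0, int((hi - lo).total_seconds()))


def activity_while_away(events, w_start, w_end):
    """Map app -> foreground seconds during the window, most active first.

    Any entry here is activity the owner did not perform, which is the
    anomaly Milanov spotted by hand.
    """
    totals = {}
    for ev in events:
        secs = overlap_seconds(ev, w_start, w_end)
        if secs:
            totals[ev.app] = totals.get(ev.app, 0) + secs
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def parse_net(text):
    """Parse 'timestamp,dst_ip,dst_port' lines into (datetime, ip, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port = (f.strip() for f in line.split(","))
        records.append((datetime.strptime(ts, TS), ip_address(ip), int(port)))
    return records


def match_iocs(records):
    """Flag connections to the exact C2 address or to the BIA-linked range."""
    hits = []
    for ts, ip, port in records:
        if str(ip) in C2_IPS:
            hits.append((ts, str(ip), port, "exact C2 match"))
        elif any(ip in net for net in C2_RANGES):
            hits.append((ts, str(ip), port, "BIA-linked range"))
    return hits


def run_example():
    """Run both checks over the constructed logs and return the findings."""
    return {
        "activity": activity_while_away(parse_usage(USAGE_LOG), CUSTODY_START, CUSTODY_END),
        "ioc_hits": match_iocs(parse_net(NET_LOG)),
    }


if __name__ == "__main__":
    report = run_example()
    for app, secs in report["activity"].items():
        print(f"{app:28s} active {secs:5d}s while phone was in custody")
    for ts, ip, port, why in report["ioc_hits"]:
        print(f"{ts} -> {ip}:{port}  {why}")
```

On the constructed input the Chrome session outside the window is ignored, the seven sessions inside it are ranked by duration, and the two connections into 195.178.51.0/24 are flagged, the .251 address as an exact indicator match and the other as a range match. Real timelines come from an adb-pulled usage-stats database or a forensic export rather than a CSV, but the overlap test and the indicator lookup are the same.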
Amnesty International said it conducted forensic analysis on the devices of 20 members of Serbian civil society, most of them Android users, and found NoviSpy infections among them. Amnesty International said several clues within the spyware's code suggest it is widely used by the BIA and the Serbian police.
The BIA and the Serbian Ministry of Interior, which oversees the Serbian Police, did not respond to TechCrunch's request for comment.
NoviSpy's code contains what Amnesty researchers believe may be an incrementing user ID, which in the case of one victim was 621. For another victim infected about a month later, that number had risen to more than 640, suggesting the authorities infected 20 or more people within that period. Amnesty International researchers said they also found a 2018 version of NoviSpy on the online malware scanning repository VirusTotal, suggesting the malware had been in development for several years.
As part of its investigation into spyware used in Serbia, Amnesty International also identified a zero-day exploit in Qualcomm chipsets that was used against the devices of activists in Serbia, probably by means of Cellebrite. Qualcomm announced in October that it had fixed the vulnerability after Amnesty International reported it.
Asked for comment, Cellebrite spokesperson Victor Cooper said the company's tools cannot be used to install malware and that “a third party would have to do it.”
The Cellebrite spokesperson declined to provide further details about the customer, but added that the company would “investigate further.” The company said that if Serbia has breached the end-user agreement, it will “re-evaluate whether Serbia is one of the 100 countries we do business with.”