Cellebrite Unlocked This Journalist’s Phone. Cops Then Infected it With Malware

Authorities in Serbia have repeatedly used Cellebrite tools to unlock mobile phones so they could then infect them with potent malware, including the phones of activists and a journalist, according to a new report from human rights organization Amnesty International.

The report is significant because it shows that although Cellebrite devices are typically designed to unlock or extract data from phones that authorities have physical access to, they can also be used to open the door to installing active surveillance technology. In these cases, the devices were infected with malware and then returned to the targets. Amnesty also says it, along with researchers at Google, discovered a vulnerability in a wide range of Android phones which Cellebrite was exploiting. Qualcomm, the impacted chip manufacturer, has since fixed that vulnerability. And Amnesty says Google has remotely wiped the spyware from other infected devices.

“I am concerned by the way police behave during the incident, especially the way how they took/extracted the data from my mobile phone without using legal procedures. The fact that they extracted 1.6 GB data from my mobile phone, including personal, family and business information as well as information about our associates and people serving as a ‘source of information’ for journalist research, is unacceptable,” Slaviša Milanov, deputy editor and journalist at the Serbian outlet FAR, whose phone was targeted in this way, told 404 Media. Milanov covers, among other things, corruption.

Cellebrite is an Israeli company that sells its mobile forensics technology to law enforcement and private companies all over the world. One of its main products is UFED, which can come as a tablet-sized device or as software for a PC, and which can grant users access to data stored on mobile phones. Cellebrite’s tools are often capable of bypassing or brute forcing the passcode on phones, meaning law enforcement can access data on them without cooperation from the phone’s owner.

Amnesty says its report is based on online interviews and two field trips to Serbia in September and November in which the organization interviewed 28 civil society members across the country; forensic analysis of phones some of those people suspected had been infected with spyware or unlocked with data extraction tools; and a review of documents related to the transfer of Cellebrite’s technology to authorities in Serbia.

The investigation started in 2021, when Amnesty says it received multiple reports from activists and a journalist in Serbia that they noticed suspicious activity on their mobile phones after interviews with Serbian authorities. In at least two cases, the people went to the police station or met with authorities to report being a victim of a crime. 

Amnesty says it performed forensic analysis of many devices and found a “new, previously undisclosed Android spyware system,” which Amnesty dubs NoviSpy. Donncha Ó Cearbhaill, who heads Amnesty’s Security Lab, told 404 Media that Amnesty does not know what Serbian authorities call the spyware, so named it “Novi” which is “new” in Serbian.

A screenshot of the Amnesty International report.

Amnesty says Serbian authorities have either developed or acquired NoviSpy. Police install NoviSpy onto phones while arresting, detaining, or interviewing civil society members, Amnesty says. In multiple cases, Amnesty says these arrests or detentions appear to have been orchestrated specifically to infect a device.

In Milanov’s case, he told 404 Media he was driving with his colleague, Petar Videnov, the editor-in-chief of FAR, in February to Pirot, a city in southeastern Serbia. At around 10:50am, traffic police stopped the pair and demanded their identity cards. The officers were talking to someone on the phone at the same time, Milanov said. The officers told Milanov he would need to “go with them for testing for psychoactive substances,” Milanov recalled.

At the police station, authorities asked Milanov to turn off his phone, a Xiaomi Redmi Note 10S, and give up any other personal belongings. As well as his phone, Milanov handed over his wallet, keys, and some tobacco. Milanov did not provide police with the passcode for his phone, Amnesty says. Milanov says he was tested for alcohol and drugs, and both tests came back negative. 

More than an hour after the initial stop, Milanov said he asked one of the officers “What is happening, are we finished, since I have […] tasks to do in Pirot?” The officer said they were waiting for the “chief,” and went out of the room to make some phone calls. “At one point I hear him saying: ‘he is negative and I can’t hold him any more’,” Milanov recalled. Another two officers in plain clothes then questioned Milanov in another building about his journalistic work and FAR’s financing, Amnesty’s report says. Eventually authorities returned Milanov’s belongings and he was released. Milanov noticed some suspicious things on his phone, such as the mobile data and wi-fi being turned off, and some applications using excessive battery power, Milanov told 404 Media. He said he then used Stay Free, an app that tracks a phone’s usage, which showed many applications were active while the device had been in the hands of the police.


Unbeknownst to Milanov at the time, authorities had used a Cellebrite tool to unlock Milanov’s phone, according to Amnesty’s forensic analysis. That analysis found a Cellebrite binary called “falcon” on the device. “Amnesty International believes that the Cellebrite UFED system enabled the Serbian authorities to brute force, recover or bypass the phone lock code and install spyware on the device. The subsequent traces of the Cellebrite falcon are indicative of a Cellebrite UFED extraction being carried out after the initial UFED unlock, and installation of the NoviSpy spyware,” the report says. Amnesty says it found other instances of Cellebrite being used to unlock phones before NoviSpy was installed on them.

NoviSpy comes in the form of two apps that authorities install onto a target’s phone, with the package names “com.serv.services” and “com.accesibilityservice.” The first can collect call logs, phone contact lists, and text messages, and record audio through the device’s microphone. The second can covertly take screenshots on the phone, Amnesty says.

A screenshot of the Amnesty International report.

In one case, a Samsung Galaxy S24+ that Amnesty researchers were examining was still infected, and Amnesty says it was able to recover surveillance logs and screenshots stored on the device. NoviSpy was set up to send stolen data to a server hosted at the IP address 195.178.51.251, the report adds. This IP address is in the narrow IP range Citizen Lab previously found hosting a FinFisher spyware system in 2014. A public server hosted on that same IP had the computer name “DPRODAN-PC,” Amnesty writes.
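The two package names and the server address above are the concrete indicators the report gives a defender to work with. The following is an added example, not code from Amnesty, 404 Media or Cellebrite: it takes the text an analyst would collect from a device with `adb shell pm list packages` and a netstat-style connection listing, and flags any match against those indicators. The package list and connection lines below are constructed sample input; the harmless package and the 203.0.113.7 address are placeholders, and the parsing functions assume the standard `package:<name>` and `proto recv-q send-q local foreign state` column layouts.

```python
"""Match a device's package list and open connections against the NoviSpy
indicators named in the Amnesty report (added example, not the report's code)."""
import re
from dataclasses import dataclass, field

# Indicators taken from the report text. Everything below them is constructed.
NOVISPY_PACKAGES = {"com.serv.services", "com.accesibilityservice"}
NOVISPY_C2_IP = "195.178.51.251"

# Matches an IPv4 address followed by a port, e.g. 10.0.0.23:44712
_ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b")


@dataclass
class ScanResult:
    packages: list[str] = field(default_factory=list)     # matching package names
    connections: list[str] = field(default_factory=list)  # matching remote ip:port

    @property
    def infected(self) -> bool:
        """True if any indicator matched; a miss is not proof the device is clean."""
        return bool(self.packages or self.connections)


def parse_package_list(text: str) -> set[str]:
    """Parse `pm list packages` output: one `package:<name>` per line."""
    pkgs: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_remote_addrs(text: str) -> list[tuple[str, int]]:
    """Return (ip, port) of the foreign address on each netstat-style line.

    The local address is the first ip:port on a line and the foreign address
    the second; header lines contain no addresses and are skipped."""
    remotes: list[tuple[str, int]] = []
    for line in text.splitlines():
        addrs = _ADDR_RE.findall(line)
        if len(addrs) >= 2:
            ip, port = addrs[1]
            remotes.append((ip, int(port)))
    return remotes


def scan(package_output: str, netstat_output: str) -> ScanResult:
    """Flag installed NoviSpy package names and connections to the reported C2 IP."""
    result = ScanResult()
    result.packages = sorted(parse_package_list(package_output) & NOVISPY_PACKAGES)
    for ip, port in parse_remote_addrs(netstat_output):
        if ip == NOVISPY_C2_IP:
            result.connections.append(f"{ip}:{port}")
    return result


# Constructed sample input, as an analyst might capture it from an infected phone.
SAMPLE_PACKAGES = """\
package:com.android.chrome
package:org.thoughtcrime.securesms
package:com.serv.services
package:com.accesibilityservice
package:com.example.placeholder
"""

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.23:44712         203.0.113.7:443         ESTABLISHED
tcp        0      0 10.0.0.23:51890         195.178.51.251:443      ESTABLISHED
"""

if __name__ == "__main__":
    r = scan(SAMPLE_PACKAGES, SAMPLE_NETSTAT)
    print("packages:", r.packages)        # ['com.accesibilityservice', 'com.serv.services']
    print("connections:", r.connections)  # ['195.178.51.251:443']
    print("indicators matched:", r.infected)
```

A match on either indicator is worth escalating to a full forensic examination; a miss means only that these specific names and this address were not seen, since a spyware operator can repackage the apps or move the server. Amnesty’s Security Lab publishes its own Mobile Verification Toolkit for that fuller examination, which this snippet does not replace.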

Ó Cearbhaill pointed to an email from the 2015 breach of spyware vendor Hacking Team, sent by someone in Serbia’s state-owned telecom, discussing a spyware demo using the same name as the NoviSpy-linked PC. The configuration file for NoviSpy also includes a phone number associated with a person with that same name, Amnesty says.

The screenshots recovered from the Galaxy S24+ included the target’s Signal and WhatsApp messages, according to the report. If a device, one of the “ends” in end-to-end encryption, is infected with malware, messages that would otherwise be protected from interception in transit can be read directly from the screen or the app’s storage, after they have been decrypted.

A screenshot of the Amnesty International report.

Once Amnesty reported NoviSpy to Google, Google was able to remotely remove active NoviSpy infections from other Android devices, the report says. A Google spokesperson confirmed the company collaborated with Amnesty. Ó Cearbhaill said “I haven’t got a final number from Google” regarding the number of removed or detected infections, but “we believe these attacks are quite extensive.”

As an aside, Amnesty discovered an Android vulnerability which affected devices using Qualcomm chipsets, impacting millions of devices around the world. Ó Cearbhaill said Amnesty first found suspicious kernel log lines generated by Cellebrite’s falcon binary. “The exploit failed a few times so we were able to see logs from multiple exploitation attempts,” he said. Amnesty suspected an Android zero-day was used, so it reported the logs to Google, which later found multiple zero-day vulnerabilities. Qualcomm pushed a fix in October 2024.

Serbia is a potential customer of a range of remotely deployed spyware systems too, including FinFisher, Predator, and NSO Group’s Pegasus.

In a response to Amnesty included in the report, Victor Cooper, Cellebrite’s senior director for corporate communications told the organization that “We perform several human rights due diligence steps before doing business with any country’s national, regional or local law enforcement and other defense or civil agencies countries and also have an independent ethics and integrity committee to guide our approach.” He added that “Cellebrite’s digital forensics solutions are licensed strictly for lawful use, require a warrant or consent to help law enforcement agencies with legally sanctioned investigations after a crime has taken place.”

Cooper provided the same response when asked for comment by 404 Media, and added that if what Amnesty reports is true, as Cellebrite continues to investigate, then Serbia has breached its end-user license agreement. From that, Cellebrite will reassess whether Serbia will remain one of the 100 countries the company does business with.

Then in another statement to 404 Media, Cooper said “We appreciate Amnesty International highlighting the alleged misuse of our technology. We take all allegations seriously of a customer’s potential misuse of our technology in ways that would run counter to both explicit and implied conditions outlined in our end-user agreement. We are investigating the claims made in this report. Should they be validated, we are prepared to impose appropriate sanctions, including termination of Cellebrite’s relationship with any relevant agencies.”