Amnesty International exposes Serbian police’s use of spyware on journalists, activists
Serbian police and intelligence authorities have combined phone-cracking technology with spyware to eavesdrop on activists and journalists there, Amnesty International revealed in a report Monday, in what the human rights group says could be a disturbing preview of a future era of digital surveillance.
Amnesty International’s 87-page document surveys the broader picture of digital spying on civil society in Serbia. Among its key findings is the revelation of a previously unknown unique spyware for Android, dubbed NoviSpy, which has been deployed by Serbian police and the nation’s Security Intelligence Agency, known as BIA.
Serbian use of phone-cracking tech provider Cellebrite — freshly in the news after the FBI reportedly used it this summer to access the phone of an alleged would-be assassin of President-Elect Donald Trump — in conjunction with NoviSpy appears to be a reaction to the growing difficulty of using industry-leading technologies like NSO Group’s Pegasus spyware, said Donncha Ó Cearbhaill, head of the security lab at Amnesty Tech.
“It’s pushing others to try and use tactics for physical access,” he told CyberScoop. “And this will grow and grow in the coming years, as it gets more difficult to attack devices remotely.
“It’s quite shocking to see … Cellebrite’s use as a key tool to unlock or break into the phones, and then from that enable authorities to install spyware that they would have been unable to install without the cell phone or without having the passcode,” he said.
It’s the second report this month by spyware-tracking researchers where physical access to a device enabled spyware infections, following disclosures that the Russian government detained a man and implanted spyware on his phone before releasing him.
One of the Amnesty cases that featured the Cellebrite-NoviSpy combination was one targeting independent investigative journalist Slaviša Milanov, whose work includes exposing the misuse of public funds to purchase luxury cars in Serbia’s poorest cities, and connections between local politicians and local construction companies financed by public money.
Police stopped Milanov in February as he traveled from Dimitrovgrad to Perot with a colleague, with an officer telling him he had to “go with them for testing for psychoactive substances,” he said in written comments to CyberScoop. Hours of detainment and questioning later, he went free and the police returned belongings to him — including his mobile phone.
He got suspicious about what they’d done with the phone after noticing his mobile data and wifi were turned off, and that a number of apps remained active when his phone was in police possession. Amnesty analyzed his phone and found traces of the Cellebrite-NoviSpy cocktail.
“It was a very unpleasant feeling,” Milanov said. “I was simultaneously confused, surprised, disappointed, and very angry.”
The cases Amnesty found raise questions about whether police could use artificial intelligence to map someone’s connections through phone data, Ó Cearbhaill said. Milanov said he thought that was precisely what authorities hoped to learn.
“From my point of view, the intention of the police was to obtain information about our work and data about our associates and citizens serving as sources of information,” Milanov said. “At the same time, I believe they wanted to exert pressure on me and our journalist team, which is the only independent media outlet in the geographic areas between [Serbian city] Niš and the Bulgarian Border. The incident was a demonstration of the power of an autocratic government.”
NoviSpy isn’t as powerful as Pegasus, Amnesty said, but it can capture personal data from a target phone and do things like activate a phone’s microphone or camera remotely. Amnesty “attributes the NoviSpy spyware to BIA with high confidence,” said Ó Cearbhaill. Pegasus and its ilk have gotten more expensive to use, he said, and more difficult as tech companies like Google and Apple mount defenses against infiltration.
The BIA issued a statement Monday calling the report “trivial sensationalism.”
“The Security and Information Agency operates exclusively in accordance with the laws of the Republic of Serbia, and therefore we are not even able to comment on the meaningless statements in their text, just as we do not otherwise comment on similar content,” the statement read.
How the BIA obtained the use of Cellebrite tech is another topic of the report. Amnesty found the Norwegian Ministry of Foreign Affairs donated it to Serbia, and further stated in its report that the agency “failed to conduct an adequate due diligence process to assess and mitigate for the potential risks of this technology to human rights and to provide safeguards against its abuse.”
The ministry told Amnesty that it finds it “alarming that digital forensic tools, purchased through a project funded by Norway, may have been used to target members of civil society in Serbia.” It said the United Nations Office for Project Services, which was responsible for the project’s activities, is expected to conduct an investigation into the alleged misuse.
Amnesty said that Cellebrite did not answer some of its questions about the findings of the report, but in part responded that “Cellebrite has strict controls ensuring that our technology is used appropriately in legally sanctioned investigations.”
The company issued a statement on Monday, claiming that it would be investigating the matter.
“Ethical, judicial and lawful use of our technology is paramount to our mission of accelerating justice and saving lives around the globe. Our digital investigative software solutions do not install malware, nor do they perform real-time surveillance consistent with spyware or any other type of offensive cyber activity,” the statement read.
“We appreciate Amnesty International highlighting the alleged misuse of our technology,” the statement continued. “We take all allegations seriously of a customer’s potential misuse of our technology in ways that would run counter to both explicit and implied conditions outlined in our License Agreement.”
