Cellebrite mobile forensic products can pose an enormous risk to those advocating for human rights

Journalist phone was secretly unlocked by police and infected with spyware

‘Serbian authorities have deployed surveillance technology and digital repression tactics as instruments of wider state control’ - Dinushika Dissanayake

‘We are all in the form of a digital prison, a digital gulag. We have an illusion of freedom, but in reality, we have no freedom at all’ - *Goran, activist

Serbian police and intelligence authorities are using advanced phone spyware alongside mobile phone forensic products to unlawfully target journalists, environmental activists and other individuals in a covert surveillance campaign, a new Amnesty International report has revealed. 

“A Digital Prison”: Surveillance and the Suppression of Civil Society in Serbia,” reveals how mobile forensic products made by Israeli company Cellebrite are being used to extract data from mobile devices belonging to journalists and activists. It also reveals how the Serbian police and the Security Information Agency (Bezbedonosno-informativna Agencija - BIA) have used a bespoke Android spyware system, NoviSpy, to covertly infect individuals’ devices during periods of detention or police interviews. 

Dinushika Dissanayake, Amnesty International’s Deputy Regional Director for Europe, said:

“Our investigation reveals how Serbian authorities have deployed surveillance technology and digital repression tactics as instruments of wider state control and repression directed against civil society.

“It also highlights how Cellebrite mobile forensic products – used widely by police and intelligence services worldwide – can pose an enormous risk to those advocating for human rights, the environment and freedom of speech, when used outside of strict legal control and oversight.” 

How Cellebrite and NoviSpy are used to target devices 

Cellebrite, a firm founded and headquartered in Israel but with offices globally, develops the Cellebrite UFED suite of products for law enforcement agencies and government entities. It enables the extraction of data from a wide range of mobile devices including some of the most recent Android devices and iPhone models, even without access to the device passcode.   

While less technically advanced than highly-invasive commercial spyware like Pegasus, NoviSpy – a previously unknown Android spyware – still provides Serbian authorities with extensive surveillance capabilities once installed on a target’s device. 

NoviSpy can capture sensitive personal data from a target phone and provide capabilities to turn on a phone’s microphone or camera remotely, while Cellebrite forensic tools are used to both unlock the phone prior to spyware infection and allow the extraction of the data on a device. 

Amnesty uncovered forensic evidence showing how Serbian authorities used Cellebrite products to enable NoviSpy spyware infections of activists’ phones. In at least two cases, Cellebrite UFED exploits (software that takes advantage of a bug or vulnerability) were used to bypass Android device security mechanisms, allowing the authorities to covertly install the NoviSpy spyware during police interviews. 

Amnesty also identified how Serbian authorities used Cellebrite to exploit a zero-day vulnerability (a software flaw which is not known to the original software developer and for which a software fix is not available) in Android devices to gain privileged access to an environmental activist’s phone. The vulnerability, identified in collaboration with security researchers at Google Project Zero and Threat Analysis Group, affected millions of Android devices worldwide that use the popular Qualcomm chipsets. An update fixing the security issue was released in the October 2024 Qualcomm Security Bulletin. 

Threats to journalists and activists 

In February 2024, Serbian independent investigative journalist Slaviša Milanov was arrested and detained by police under the pretext of performing a test for driving under the influence of alcohol. While in detention, Slaviša was questioned by plain-clothes officers about his journalism work. Slaviša’s Android phone was turned off when he surrendered it to police and at no point was he asked for nor did he provide the passcode. 

After his release, Slaviša noticed that his phone, which he had left at the police station reception during his interrogation, appeared to have been tampered with and his phone data was turned off.  

He requested Amnesty’s Security Lab to conduct a forensic analysis of his phone - a Xiaomi Redmi Note 10S. The analysis revealed that Cellebrite’s UFED product was used to secretly unlock Slaviša’s phone during his detention. 

Additional forensic evidence showed that NoviSpy was then used by Serbian authorities to infect Slaviša’s phone. A second case in the report, involving an environmental activist, Nikola Ristić, found similar forensic evidence of Cellebrite products used to unlock a device to enable subsequent NoviSpy infection. 

Activists infected with NoviSpy

This tactic of installing spyware covertly on people’s devices during detention or interviews appears to have been widely used by the authorities. 

In another case, an activist from Krokodil, an organisation promoting dialogue and reconciliation in the Western Balkans, had their phone, a Samsung Galaxy S24+, infected with spyware during an interview with BIA officials in October 2024.  

The activist was invited to BIA’s office in Belgrade to provide information about an attack on their offices by Russian speaking people in opposition to Krokodil’s public condemnation of Russia’s invasion of Ukraine.  

After the interview, the activist suspected that their phone had been tampered with. At their request, Amnesty carried out a forensic investigation which found that NoviSpy had been installed on the device during the BIA interview. Amnesty was also able to recover and decrypt surveillance data captured by NoviSpy while the activist was using their phone, which included screenshots of email accounts, Signal and WhatsApp messages and social media activity. 

Amnesty reported the NoviSpy spyware campaign to security researchers at Android and Google before publication, who took action to remove the spyware from affected Android devices. Google has also sent out a round of “Government-backed attack” alerts to individuals they identified as possible targets of this campaign.   

Cases of Serbian activists left traumatised by targeting

Branko*, an activist who was targeted with Pegasus spyware, said:

“This is an incredibly effective way to completely discourage communication between people. Anything that you say could be used against you, which is paralysing at both personal and professional levels.”

Goran*, an activist also targeted with Pegasus spyware, said:

“We are all in the form of a digital prison, a digital gulag. We have an illusion of freedom, but in reality, we have no freedom at all. This has two effects: you either opt for self-censorship, which profoundly affects your ability to do work, or you choose to speak up regardless, in which case, you have to be ready to face the consequences.”

Response to the findings

In a response to these findings, NSO Group, which developed Pegasus, could not confirm whether Serbia was its customer but stated that the Group “takes seriously its responsibility to respect human rights, and is strongly committed to avoiding causing, contributing to, or being directly linked to negative human rights impacts, and thoroughly review all credible allegations of misuse of NSO Group products.” 

Prior to publication, Amnesty shared this report’s findings with Cellebrite, but the company did not provide any response or comment. In response to queries sent early during the research process, as further detailed in the full report, Cellebrite did send a short response stating that it is not a surveillance company and does not provide cyber surveillance technology or spyware.  

It said its product is a “digital investigative platform [that] equips law enforcement agencies with technology needed to protect and save lives, accelerate justice and preserve data privacy.” 

It added that its products “are licensed strictly for lawful use, require a warrant or consent to help law enforcement agencies with legally sanctioned investigations after a crime has taken place.” 

While this may be the intended use, Amnesty’s research demonstrates how Cellebrite’s products can be misused to enable spyware deployment and the broad collection data from mobile phones outside of justified criminal investigations, posing grave risks to human rights.  

Amnesty has shared the findings of this research with the Serbian government ahead of the publication but has not received a response.  

Serbian authorities must stop using highly invasive spyware and provide effective remedy to victims of unlawful targeted surveillance and hold those responsible for the violations to account. Cellebrite and other digital forensic companies also must conduct adequate due diligence to ensure that their products are not used in a way which contributes to human rights abuses. 

Over the past years, state repression and a hostile environment for free speech advocates in Serbia has escalated with each wave of anti-government protests. The authorities have engaged in sustained smear campaigns against NGOs, media and journalists and have also subjected those involved in peaceful protest to arrests and judicial harassment. 

*Names changed to protect identity