Police and intelligence services Serbia use advanced mobile forensics products and previously unknown spyware to illegally circumvent journalists, environmental campaigners and civil rights activists, according to the report.
The report shows how mobile forensics from the Israeli firm Cellebrite used to unlock and extract data from people’s mobile devices that are infected with a new Android spyware system, NoviSpy.
Serbian authorities use “surveillance technology and digital surveillance systems as tools of broader state control and repression directed against civil society,” according to Dinushika Dissanayake of Amnesty Internationalwhich report
Dissanayake, Amnesty’s deputy regional director EuropeThe report shows how Cellbrite’s products, used by police and intelligence around the world, could pose a “tremendous risk” to rights activists “when used outside the strict powers of the law”.
Cellebrite’s tools for law institutions and public affairs they allow data to be extracted from a number of devices, including recent Android and iPhone mobile phones, and unlock them without access to the device’s passcode.
NoviSpy, less technically than high penetration spyware such as Pegasusit still allows the Serbian authorities to capture sensitive personal data from the target and allows the phone’s microphone or camera to be turned on remotely.
The report documents how the Serbian authorities used Cellebritos to carry out the NoviSpy spyware infections of journalists and activists’ mobile phones, including – at least on two occasions – during police interviews.
Serbian investigative journalist, Slaviša Milanov, was briefly detained by the police in February this year after taking a drug test. He turned off his Android phone when he surrendered and never asked for a passcode.
After his release, Slaviša noticed that his phone, left at the reception of the police station, appeared to have been tampered with and that his data had been stolen. Analysis by the Amnesty lab showed that the Cellebrite product had been unlocked and NoviSpy had been installed.
Forensic evidence was also found to show that Cellebrites products were used to unlock phones belonging to environmental activist Nikola Ristić, which was later also infected with NoviSpy.
Donncha Ó Cearbhaill, head of Amnesty’s Security Lab, said the evidence “proves that NoviSpy was installed while the Serbian authorities owned the Slaviša device, and that the infection depended on the use of advanced equipment such as Cellebrite UFED.”
Amnesty “NoviSpy is classified as spyware” [Serbia’s security information agency] BIA has great confidence,” said Cearbhaill. Other activists, including a member of Krokodil, which promotes reconciliation in the Western Balkans, were similarly targeted.
Amnesty said that Android and Google had removed NoviSpy before the report was published and that the spyware had been removed from affected Android devices. Google also said it sent “government-backed attack” alerts to possible targets.
Activists targeted by Pegasus spyware in Serbia were said to have been left vulnerable. “It’s an incredibly effective way of completely discouraging communication between people,” said the man, who asked to remain anonymous. “Anything you say can be used against you because it’s hindering you on personal and professional levels.”
Another effect, he said, “is that you either wish for self-criticism or you speak regardless – in which case you are prepared for the consequences that follow.”
NSO Group, which developed Pegasus, did not confirm the Serbian buyer but said it “takes seriously its responsibility to respect human rights and is very committed to avoid causing, contributing to, or having an impact directly linked to negative human rights.” It said it had reviewed all credible allegations of abuse of the group’s products.
Cellebrite did not provide any response or comment to the report prior to publication, Amnesty said. Serbian authorities similarly did not respond to requests for comment.
During the investigation process, the Israeli company Amnesty sent a brief response to Amnesty stating that it is not a surveillance company and does not provide cyber-surveillance technology or surveillance.
Cellebrite said its product was a “digital inquiry platform.” [that] equips law enforcement agencies with the necessary techniques to protect and preserve life, expedite justice and preserve confidential information.”
It added that its products are “licensed strictly for legitimate use, requiring a warrant or consent to assist law enforcement agencies with legally sanctioned investigations after a crime has been committed.”
Amnesty said that while this use of the products was intended, its investigation clearly showed that it was being misused “to deploy spyware and collect data widely from mobile phones outside of justified criminal investigations.”
He said Cellebrites and other digital forensics companies “must exercise due diligence to ensure that their products are not used in a way that contributes to human rights abuses.”