Researchers at Amnesty International have uncovered an Android zero-day exploit being used to silently deploy custom surveillance spyware targeting journalists in Serbia. The investigation has linked the technology to Israeli forensics vendor Cellebrite.
In a technical report published Monday, the human rights group detailed how Serbia’s Security Information Agency (BIA) and police used Cellebrite’s forensic extraction products and a newly identified spyware dubbed ‘NoviSpy’ to infect devices of journalists and activists.
In one case, a journalist’s phone was allegedly hacked during a police traffic stop, with Cellebrite technology enabling the infection.
“The ability to download, in effect, an individual’s entire digital life using Cellebrite UFED and similar mobile forensic tools, poses enormous human rights risks, if such tools are not subject to strict control and oversight,” Amnesty International said, warning that the legal controls in Serbia on the use of such tools are insufficient.
The report sheds light on the case of journalist Slaviša Milanov, whose Android-powered Xiaomi Redmi Note 10S device was hacked following a police encounter in Serbia. Forensic analysis revealed the use of a zero-day Android exploit to bypass encryption safeguards and unlock the device, paving the way for the installation of NoviSpy.
The group said the privilege escalation zero-day, subsequently patched in the Qualcomm October security update, affected Android devices using popular Qualcomm chipsets and impacted millions of Android devices worldwide.
In another case, Amnesty International documented an Android device belonging to an environmental activist registering a series of missed calls consisting of invalid, seemingly random numbers not valid in Serbia. “After these calls, [the activist said] that the battery on his device drained quickly.”
The researchers inspected the device and found no evidence of tampering but warned that there’s a significant “knowledge gap” around zero-click attacks targeting Android devices.
“[We believe] these artifacts are consistent with what would be expected from a zero-click attack targeting Android calling features such as Voice-over-Wifi or Voice-over-LTE (VoLTE) functionality used in Android devices for Rich Communication Suite (RCS) calling,” the report said. “Both features were enabled on this phone providing a potential remote attack surface.”
“Similar missed call traces and artifacts were observed in 2018 and 2019 when Android users were targeted by NSO Group customers using a zero-click vulnerability in WhatsApp,” the group added.
“While [we] cannot determine if these missed calls from invalid numbers are indeed traces of a zero-click infection attempt, this incident highlights the need for activists and security researchers to consistently monitor and collect evidence of possible attacks for analysis.”
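A triage heuristic for the missed-call artifact described above, written as an added example that is not part of the Amnesty report: it scans a constructed Android call-log export and flags clusters of missed calls from numbers that are not valid Serbian numbers, the kind of trace the report says should be collected for later analysis. The validity rule (E.164 +381 followed by 8 or 9 digits) and the cluster thresholds are simplifying assumptions, not rules from the report.

```python
"""Flag clusters of missed calls from invalid numbers in an Android call log."""
import re
from datetime import datetime, timedelta

# Constructed sample export (timestamp, call type, number); not from the report.
SAMPLE_LOG = """\
2024-11-05T09:12:03,MISSED,+381641234567
2024-11-05T13:47:10,MISSED,+9975550139
2024-11-05T13:47:41,MISSED,+1000001
2024-11-05T13:48:05,MISSED,+38100000000000
2024-11-05T13:48:30,MISSED,+3816012
2024-11-05T18:02:00,INCOMING,+381631112233
"""

# Assumption: a plausible Serbian number is +381 followed by a non-zero
# digit and 7 or 8 further digits. Anything else is treated as "invalid".
SERBIAN_NUMBER = re.compile(r"^\+381[1-9]\d{7,8}$")


def is_valid_number(number: str) -> bool:
    """Return True when the number matches the simplified Serbian format."""
    return bool(SERBIAN_NUMBER.match(number))


def parse_log(text: str):
    """Parse 'timestamp,type,number' lines into (datetime, type, number)."""
    rows = []
    for line in text.strip().splitlines():
        ts, kind, number = line.split(",")
        rows.append((datetime.fromisoformat(ts), kind, number))
    return rows


def find_suspicious_clusters(rows, min_calls=3, window=timedelta(minutes=5)):
    """Group missed calls from invalid numbers that fall within `window`.

    Returns one list of numbers per cluster with at least `min_calls` calls.
    A hit is a lead for forensic collection, not proof of infection.
    """
    missed = sorted(r for r in rows if r[1] == "MISSED" and not is_valid_number(r[2]))
    clusters, i = [], 0
    while i < len(missed):
        j = i
        while j + 1 < len(missed) and missed[j + 1][0] - missed[i][0] <= window:
            j += 1
        if j - i + 1 >= min_calls:
            clusters.append([r[2] for r in missed[i:j + 1]])
        i = j + 1
    return clusters
```

Run against a real export, a hit should trigger preservation of the full call log and a forensic image of the device rather than any conclusion on its own.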
Amnesty International noted Cellebrite’s claim that it has strict policies to prevent misuse of their product but warned that this discovery “provides clear evidence of a journalist’s phone being targeted without any form of due process.”
More worrisome, Amnesty International found traces of the previously unknown NoviSpy spyware, which captures sensitive personal data from a target’s phone after infection and provides the ability to turn on the phone’s microphone or camera remotely.
“Forensic evidence indicates that the spyware was installed while the Serbian police were in possession of Slaviša’s device, and the infection was dependent on the use of Cellebrite to unlock the device. Two forms of highly invasive technologies were used in combination to target the device of an independent journalist, leaving almost his entire digital life open to the Serbian authorities,” the human rights group said.
The Amnesty International report documented the Serbian authorities deploying “at least three different forms of spyware” as well as what it calls “persistent misuse of Cellebrite’s highly sophisticated digital forensics technology.”
“Amnesty International believes that this report describes the first forensically documented spyware infections enabled by the use of Cellebrite mobile forensic technology.”
The human rights group said it shared its findings with Cellebrite and got the following response:
“Our digital investigative software solutions do not install malware nor do they perform real-time surveillance consistent with spyware or any other type of offensive cyber activity. We appreciate Amnesty International highlighting the alleged misuse of our technology. We take all allegations seriously of a customer’s potential misuse of our technology in ways that would run counter to both explicit and implied conditions outlined in our end-user agreement.
“We are investigating the claims made in this report. Should they be validated, we are prepared to impose appropriate sanctions, including termination of Cellebrite’s relationship with any relevant agencies.”
Related: Signal Says Cellebrite Mobile Device Analysis Products Can Be Hacked
Related: Hacker Leaks Tools Stolen From Cellebrite
Related: Mobile Forensics Firm Cellebrite Hacked
Related: Bitdefender Teams With Cellebrite on Mobile Forensic Solutions