NoviSpy Spyware Found on Journalist’s Phone After Being Unlocked Using Cellebrite Tool

A Serbian journalist’s phone was unlocked using a Cellebrite tool and later infected with previously undocumented spyware named NoviSpy, according to a report by Amnesty International.

“NoviSpy enables the collection of sensitive personal data from a compromised device and allows remote activation of the phone’s microphone and camera,” stated Amnesty in an 87-page technical report.

Forensic evidence suggests the spyware was installed while the phone of independent journalist Slaviša Milanov was in Serbian police custody during his detention in early 2024. Other targets reportedly include youth activist Nikola Ristić, environmental advocate Ivan Milosavljević Buki, and an unnamed activist from Krokodil, a Belgrade-based organization promoting dialogue in the Western Balkans.

This case is among the first to reveal the combined use of two highly invasive technologies for surveillance and data theft. NoviSpy is designed to extract a wide range of information, including screenshots, location data, audio recordings, files, and photos. It is deployed via the Android Debug Bridge (adb) utility and operates through two apps:

  • NoviSpyAdmin (com.serv.services): Requests extensive permissions to access call logs, SMS, contacts, and microphone recordings.
  • NoviSpyAccess (com.accesibilityservice): Exploits Android’s accessibility services to collect screenshots, exfiltrate files, track locations, and activate the camera.
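As an added illustration (not code from Amnesty's report or from this article), the sketch below checks a device for the two package names listed above and for accessibility services owned by apps with no recorded installer, which is what an adb install typically leaves behind. It assumes the inputs are the text output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`; the sample output and service class names are constructed.

```python
import re

# Package names reported on this page for the two NoviSpy apps.
NOVISPY_PACKAGES = {"com.serv.services", "com.accesibilityservice"}
_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")

def parse_packages(pm_output):
    """Map third-party package name -> installer (None when 'null')."""
    packages = {}
    for line in pm_output.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            name, installer = m.groups()
            packages[name] = None if installer == "null" else installer
    return packages

def parse_accessibility(setting_value):
    """Return the packages that own an enabled accessibility service."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def triage(pm_output, a11y_setting):
    """Return (package, reasons) pairs worth a closer forensic look."""
    packages = parse_packages(pm_output)
    a11y = parse_accessibility(a11y_setting)
    findings = []
    for name in sorted(set(packages) | a11y):
        reasons = []
        if name in NOVISPY_PACKAGES:
            reasons.append("package name matches NoviSpy report")
        # Packages absent from the -3 list are system apps and are skipped.
        if name in a11y and packages.get(name, "system") is None:
            reasons.append("accessibility service enabled, no installer recorded")
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample output; class names after "/" are hypothetical.
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.serv.services  installer=null
package:com.accesibilityservice  installer=null
package:org.example.reader  installer=null
"""
SAMPLE_A11Y = "com.accesibilityservice/.MainService:com.example.notes/.ReaderService"

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_PM, SAMPLE_A11Y):
        print(name, "->", "; ".join(reasons))
```

A hit is a lead for further forensic review rather than a verdict, and a clean result does not rule out an implant that uses different package names.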

The origin of NoviSpy remains unclear, but Amnesty noted it may have been developed by Serbian authorities or sourced from a third party, with development ongoing since at least 2018.

Amnesty further highlighted that Serbia’s Security Information Agency (BIA) has procured spyware tools like FinSpy, Predator, and Pegasus since 2014 to monitor journalists, activists, and civil society leaders.

Serbian police dismissed the report as “absolutely incorrect,” claiming their use of forensic tools aligns with global practices. Cellebrite, the Israeli company behind the unlocking tool, stated it is investigating the misuse claims and may terminate relationships with agencies violating its end-user agreement.

Additionally, researchers discovered a zero-day vulnerability in Cellebrite’s Universal Forensic Extraction Device (UFED), which was used to exploit a Serbian activist’s phone. The flaw, identified as CVE-2024-43047 (CVSS score: 7.8), is a use-after-free bug in Qualcomm’s Digital Signal Processor (DSP) Service that could lead to memory corruption. Qualcomm patched the vulnerability in October 2024.

Google, after reviewing kernel panic logs from the exploit, identified six vulnerabilities in the adsprpc driver, including CVE-2024-43047. Seth Jenkins of Google Project Zero noted that chipset and GPU drivers remain critical weak points in Android’s security architecture.

The report comes as civil society groups, including Amnesty International and Access Now, urge the European Union to prioritize action against the misuse of commercial surveillance tools.

Separately, recent findings revealed similar misuse of spyware globally, including Chinese authorities using EagleMsgSpy for data collection and Russian officials implanting trojanized apps on detainees’ phones.
