According to the report, Serbian police and intelligence services are illegally surveilling journalists, environmentalists, and civil rights activists using sophisticated mobile forensic products and previously unknown spyware.
The report shows how Israeli company Cellebrite's mobile forensics products are being used to unlock and extract data from personal mobile devices infected with the new Android spyware system NoviSpy.
The report's author, Amnesty International's Dinushka Dissanayake, said Serbian authorities are using “surveillance technologies and digital repression tactics as a means of widespread state control and repression of civil society.”
Dissanayake, Amnesty International's deputy regional director for Europe, said the report shows rights activists how Celebrite products, which are used by police and intelligence agencies around the world, can be used “outside strict legal controls”. “This shows that there is the potential to pose a significant risk,” he said.
Cellebrite's law enforcement and government tools allow you to extract data from a variety of devices, including modern Android and iPhone phones, and unlock them without accessing the device's passcode.
Although NoviSpy is not as technologically advanced as more intrusive spyware such as Pegasus, it still allows Serbian authorities to obtain sensitive personal data from targeted phones and remotely turn on a phone's microphone or camera. I want to be able to do this.
The report documents how Serbian authorities used Cellebrite products to infect the cellphones of journalists and activists with NoviSpy spyware on at least two occasions, including during police interrogations.
In February of this year, Serbian investigative journalist Slaviša Milanov was briefly detained by police on the pretext of a drunk driving test. When I handed over my Android phone, it was turned off and I was never asked for a passcode.
After Slavisha was released, she noticed that her cell phone left at the reception desk at the police station appeared to have been tampered with and the data had disappeared. Analysis by Amnesty International's laboratory revealed that the Cellebrite product was unlocked and had NoviSpy installed.
Forensic evidence was also discovered showing that Cellebrite products were used to unlock environmental activist Nikola Ristic's mobile phone, which was also subsequently infected with NoviSpy.
Amnesty International's Security Lab Director Donča O Keabair said the evidence shows that NoviSpy was installed while Serbian police were in possession of Slavica's devices, and that the infection relied on the use of sophisticated tools such as Cellebrite UFED. It proves what he did.”
Amnesty International states that NoviSpy spyware is caused by: [Serbia’s security information agency] The BIA has high confidence,” said Mr Ó Keabail. Other activists, including members of Krokodil, which promotes reconciliation in the western Balkans, were similarly targeted.
Amnesty International said it notified Android and Google of the existence of NoviSpy before publishing its report, and said the spyware had been removed from affected Android devices. Google also said it was sending warnings of “government-sponsored attacks” to potential targets.
Activists targeted by Pegasus spyware in Serbia say they have been deeply traumatized. “This is a very effective way to completely prevent communication between people,” said one person who requested anonymity. “Everything you say can be used against you, and it’s paralyzing on both a personal and professional level.”
Another said the outcome was “either choose self-censorship or speak out regardless. In that case, you must be ready to face the consequences.”
NSO Group, which developed Pegasus, did not confirm that Serbia was a customer, but said it “takes seriously its responsibility to respect human rights and does not intend to do anything that causes, contributes to, or directly contributes to negative human rights impacts.” “We are very committed to avoiding ties.” It said it had investigated all credible allegations of misuse of the group's products.
Amnesty International said Celebrite had not responded or commented on the report as it was sent to it before it was published. Serbian authorities similarly did not respond to requests for comment.
During the investigation, the Israeli company sent Amnesty International a short response stating that it is not a surveillance company and does not provide cyber surveillance technology or spyware.
Cellebrite said its product is a “digital investigative platform.” [that] We provide law enforcement with the technology they need to protect and save lives, accelerate justice, and protect data privacy. ”
Additionally, the company's products are “licensed strictly for lawful use and require a warrant or consent to assist in a legally authorized investigation by law enforcement following the occurrence of a crime.” ” he added.
Amnesty International said that while this may be the product's intended use, research has shown that these products can be misused, stating: “It allows us to collect a wide range of data from phones.”
The company said Cellebrite and other digital forensics companies “must conduct appropriate due diligence to ensure that their products are not used in ways that lead to human rights violations.”
