Full Report
The Serbian government exploited Qualcomm zero-days to unlock and infect Android devices with a new spyware named 'NoviSpy,' used to spy on activists, journalists, and protestors. [...]
Analysis Summary
# Threat Actor: Unknown Actor linked to NoviSpy Spyware
## Attribution & Identity
Attribution is not explicitly made to a nation-state or known hacking group within the provided context. The focus is on the novel malware, **NoviSpy**, and its reliance on critical vulnerabilities.
## Activity Summary
The primary activity described is the deployment of new Android spyware named **NoviSpy**. This activity leverages newly disclosed zero-day vulnerabilities affecting Qualcomm chips, suggesting a highly sophisticated operation capable of exploiting complex firmware issues.
## Tactics, Techniques & Procedures
- Exploitation of **Qualcomm zero-day bugs** (the text implies these give code execution or privilege escalation on the targeted Android devices).
- Deployment of **NoviSpy** spyware.
- *No specific MITRE ATT&CK IDs were mentioned in the text.*
## Targeting
- Sectors: Not explicitly mentioned, but targeting is focused on **Android device users**.
- Geography: Not specified.
- Victims: **Android devices** running firmware vulnerable to the mentioned Qualcomm zero-days.
## Tools & Infrastructure
- Malware families used: **NoviSpy** (Android spyware).
- Infrastructure: No specific C2 domains, IPs, or infrastructure details were provided in this summary excerpt.
## Implications
The use of zero-day vulnerabilities in essential components like Qualcomm chipsets indicates an advanced threat actor with significant resources, likely focused on high-value mobile surveillance. This malware poses a severe risk due to its ability to bypass standard security measures by exploiting underlying hardware/firmware vulnerabilities.
## Mitigations
- Immediate patching and updating of Android devices/firmware once Qualcomm/OEM security advisories address the vulnerabilities.
- Comprehensive monitoring for signs of compromise on mobile endpoints.