Full Report
A Serbian journalist had his phone first unlocked by a Cellebrite tool and subsequently compromised by a previously undocumented spyware codenamed NoviSpy, according to a new report published by Amnesty International. "NoviSpy allows for capturing sensitive personal data from a target's phone after infection and provides the ability to turn on the phone's microphone or camera remotely," the
Analysis Summary
# Incident Report: Dual-Layer Mobile Device Compromise in Serbia
## Executive Summary
Serbian police and intelligence officers allegedly compromised the mobile devices of several civil society activists and journalists in a two-stage attack. First, a Cellebrite forensic tool unlocked the device while its owner was in custody; in at least one case the unlock chain exploited what was then a zero-day in Qualcomm's adsprpc driver (CVE-2024-43047). Second, with the device unlocked, a previously undocumented Android spyware named "NoviSpy" was installed, giving the operator persistent surveillance, data harvesting and exfiltration capability after the device was returned.
## Incident Details
- Discovery Date: Not stated on the page; Amnesty International published its forensic findings in December 2024.
- Incident Date: Cases span 2024; the first documented one (Slaviša Milanov) took place during a detention in February 2024.
- Affected Organization: Civil Society Activists/Journalists (Specific targets named: Slaviša Milanov, Nikola Ristić, Ivan Milosavljević Buki, and an unnamed Krokodil activist)
- Sector: Media/Civil Society
- Geography: Serbia
## Timeline of Events
### Initial Access
- Date/Time: 2024, while each target's phone was in police custody.
- Vector: Physical access to a seized device, followed by forensic-tool exploitation.
- Details: Law enforcement took physical possession of the target's phone. A Cellebrite Universal Forensic Extraction Device (UFED) was used to unlock it; the unlock chain exploited **CVE-2024-43047**, a use-after-free in Qualcomm's adsprpc (FastRPC) driver that was unpatched at the time, to obtain privileged access to the device.
### Lateral Movement
- Details: This stage is malware deployment on the same device rather than lateral movement between hosts. Once the UFED exploit had unlocked the phone and obtained privileged access, the NoviSpy applications were installed manually, likely via Android Debug Bridge (ADB), to establish persistent surveillance before the device was handed back.
### Data Exfiltration/Impact
- Details: The NoviSpy malware was configured to harvest sensitive data including call logs, SMS messages, contact lists, screenshots of all on-screen activity (including Signal/WhatsApp), confidential files, photos, and covertly activate the microphone and camera for real-time monitoring.
### Detection & Response
- Detection: The incident was uncovered through forensic review by Amnesty International.
- Response Actions: Amnesty International published a technical report detailing the findings and the combination of technologies used. Cellebrite announced it is investigating the misuse of its tools and may terminate relationships with non-compliant end-users. Qualcomm patched the underlying zero-day vulnerability in October 2024.
## Attack Methodology
- Initial Access: Unlawful exploitation of device security using Cellebrite UFED leveraging **CVE-2024-43047** (Qualcomm DSP Service vulnerability).
- Persistence: Established via two companion NoviSpy applications (*NoviSpyAdmin* and *NoviSpyAccess*).
- Privilege Escalation: Provided by the Cellebrite UFED exploit against the Qualcomm adsprpc driver (CVE-2024-43047); the resulting privileged access was what made the subsequent malware installation possible.
- Defense Evasion: NoviSpy uses Android Accessibility Services (*NoviSpyAccess*) to capture screenshots of end-to-end encrypted apps (Signal, WhatsApp) on the device itself, sidestepping transport encryption without needing to break it.
- Credential Access: Not described in the report. The harvested call logs, SMS and contacts belong under Collection rather than credential theft, although SMS capture would also expose any one-time codes delivered by text.
- Discovery: Not described beyond the spyware's ability to track the target's location, which is itself a collection capability.
- Lateral Movement: Not applicable; each compromise was confined to a single seized device.
- Collection: Screenshots, audio recordings, location data, call logs, SMS, contacts, files, and photos are systematically collected.
- Exfiltration: The harvested data is sent off the device by the spyware components; this page reproduces no server addresses for the command-and-control infrastructure.
- Impact: Covert, prolonged surveillance and mass data extraction from target mobile devices.
## Impact Assessment
- Financial: Not specified. The report does not cost the operation; the procurement of forensic tooling and the zero-day it used is presumably significant, and targeted individuals may face legal costs.
- Data Breach: Highly sensitive personal data, communications (encrypted app screenshots), organizational data, and real-time surveillance logs.
- Operational: Significant disruption to the professional and personal operations of targeted journalists and activists, chilling effect on civil society.
- Reputational: Damage to the reputation of Serbian law enforcement and the suppliers of the surveillance technology (Cellebrite).
## Indicators of Compromise
- Network indicators: None reproduced on this page.
- File indicators: Presence of either of the two NoviSpy packages:
  - `com.serv.services` (*NoviSpyAdmin*)
  - `com.accesibilityservice` (*NoviSpyAccess*; note the single-"s" misspelling in the package name)
- Behavioral indicators: An unfamiliar app holding device-administrator rights or an enabled accessibility service, unexplained microphone or camera activation, and unusual outbound data transfers.
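A practitioner checking a returned device would pull a few `adb shell` outputs and compare them against the indicators above. The following script, added here as an illustration and not taken from Amnesty's report or any vendor tool, parses that text offline: it flags the two NoviSpy package names, any accessibility service or device-admin receiver owned by them, and a security patch level older than the one that carried the CVE-2024-43047 fix (it therefore also exercises the patching recommendation at the end of this page). The sample outputs, the component class names inside them, and the 2024-11-01 patch-level threshold are assumptions made for the example; the `dumpsys device_policy` parser assumes the `ComponentInfo{pkg/cls}` line format current Android versions print.

```python
"""Offline triage of adb output for the NoviSpy indicators (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

# Package names published as NoviSpy indicators (from the IoC list above).
NOVISPY_PACKAGES = {
    "com.serv.services": "NoviSpyAdmin",
    "com.accesibilityservice": "NoviSpyAccess",
}

# Assumption: the 2024-11-01 Android security patch level is the first to
# carry the Qualcomm fix for CVE-2024-43047 (Qualcomm's October 2024 bulletin).
PATCHED_LEVEL = date(2024, 11, 1)

# Commands whose output the functions below consume:
#   adb shell pm list packages
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys device_policy
#   adb shell getprop ro.build.version.security_patch


@dataclass
class Triage:
    packages: list[str] = field(default_factory=list)
    accessibility: list[str] = field(default_factory=list)
    device_admins: list[str] = field(default_factory=list)
    patch_level: str = ""
    patch_outdated: bool = False

    @property
    def suspicious(self) -> bool:
        return bool(self.packages or self.accessibility or self.device_admins)


def parse_pm_list(text: str) -> set[str]:
    """`pm list packages` prints one `package:<name>` per line."""
    return {ln.strip()[len("package:"):] for ln in text.splitlines()
            if ln.strip().startswith("package:")}


def parse_component_list(text: str) -> set[str]:
    """`enabled_accessibility_services` is a colon-separated list of pkg/cls,
    or the literal string `null` when nothing is enabled."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {c.strip() for c in text.split(":") if c.strip()}


def parse_device_admins(text: str) -> list[tuple[str, str]]:
    """Extract (pkg, cls) from `ComponentInfo{pkg/cls}` entries in dumpsys."""
    return re.findall(r"ComponentInfo\{([^/}]+)/([^}]+)\}", text)


def triage(pm_list: str, accessibility: str, device_policy: str,
           patch_level: str) -> Triage:
    result = Triage(patch_level=patch_level.strip())
    result.packages = sorted(p for p in parse_pm_list(pm_list)
                             if p in NOVISPY_PACKAGES)
    for comp in sorted(parse_component_list(accessibility)):
        if comp.split("/", 1)[0] in NOVISPY_PACKAGES:
            result.accessibility.append(comp)
    for pkg, cls in parse_device_admins(device_policy):
        if pkg in NOVISPY_PACKAGES:
            result.device_admins.append(f"{pkg}/{cls}")
    try:
        result.patch_outdated = date.fromisoformat(result.patch_level) < PATCHED_LEVEL
    except ValueError:
        result.patch_outdated = True  # unparseable level: treat as unpatched
    return result


# Constructed sample output resembling an infected device; class names are made up.
SAMPLE_PM_LIST = """package:com.android.settings
package:org.thoughtcrime.securesms
package:com.serv.services
package:com.accesibilityservice
"""
SAMPLE_ACCESSIBILITY = "com.accesibilityservice/com.accesibilityservice.MainService"
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.serv.services/com.serv.services.AdminReceiver}
      uid=10234
"""
SAMPLE_PATCH_LEVEL = "2024-09-05"

if __name__ == "__main__":
    t = triage(SAMPLE_PM_LIST, SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_POLICY,
               SAMPLE_PATCH_LEVEL)
    for name in ("packages", "accessibility", "device_admins"):
        for hit in getattr(t, name):
            print(f"[{name}] {hit}")
    print(f"security patch level {t.patch_level}: "
          f"{'OUTDATED' if t.patch_outdated else 'ok'}")
    print("verdict:", "SUSPICIOUS" if t.suspicious else "no NoviSpy indicators")
```

A match on the package names is the strong signal; the accessibility and device-admin checks matter because an attacker can rename a package, and an unfamiliar app holding either capability deserves a look regardless of its name. The patch-level check only tells you whether the driver bug used for the unlock is closed on that build, not whether the device was ever in custody.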
## Response Actions
- Containment Measures: Not detailed for the victims. The Qualcomm driver vulnerability used in the unlock chain was reported and patched (Qualcomm, October 2024).
- Eradication Steps: Because NoviSpy is installed as ordinary Android apps, a factory reset removes it; a reset does not recover anything already copied from the device while it was in custody, so confirmed-infected devices should be imaged for evidence before being wiped.
- Recovery Actions: General guidance rather than a finding of the report: rotate credentials and re-register messaging apps after a reset, and review accounts that were reachable from the device. Civil society groups are lobbying the EU for stronger regulation of commercial surveillance tools.
## Lessons Learned
- Chipset vendor drivers remain a critical attack surface on Android: the adsprpc bug was found in closed-source Qualcomm code, reported through Google Project Zero and Amnesty, and sat outside the reach of AOSP hardening.
- Combining a device-unlock capability (Cellebrite UFED) with a covert implant installed while the phone is in custody (NoviSpy) produces a surveillance chain that leaves few signs for the owner: no phishing link, no rogue app store, just a phone that was briefly out of sight.
- Vendor controls on who may use forensic tools (end-user vetting, audit of use, termination for misuse) matter, because a product sold for lawful extraction was here repurposed as the first stage of targeted spying.
## Recommendations
- Patch promptly: devices on Qualcomm platforms should be on a build that includes the adsprpc fix for CVE-2024-43047 (Qualcomm's October 2024 bulletin, carried into subsequent Android security patch levels); check `ro.build.version.security_patch` on fleet devices and retire handsets that no longer receive updates.
- Treat any device that has been out of your control, particularly during a police stop or detention, as potentially compromised: inspect it for the indicators above, or reset it, before using it again; keep devices powered off and locked with a strong passcode when custody is likely, since an unlock exploit needs an attached, running device.
- Push vendors of invasive forensic tools for enforceable end-user vetting and misuse termination clauses, especially for sales to governments without independent oversight.