Amnesty International exposes Serbian police’s use of spyware on journalists, activists

Serbian police and intelligence authorities have combined phone-cracking technology with spyware to eavesdrop on activists and journalists there, Amnesty International revealed in a report Monday, in what the human rights group says could be a disturbing preview of a future era of digital surveillance.

Amnesty International’s 87-page document surveys the broader picture of digital spying on civil society in Serbia. Among its key findings is the revelation of a previously unknown unique spyware for Android, dubbed NoviSpy, which has been deployed by Serbian police and the nation’s Security Intelligence Agency, known as BIA.

Serbian use of phone-cracking tech provider Cellebrite — freshly in the news after the FBI reportedly used it this summer to access the phone of an alleged would-be assassin of President-Elect Donald Trump — in conjunction with NoviSpy appears to be a reaction to the growing difficulty of using industry-leading technologies like NSO Group’s Pegasus spyware, said Donncha Ó Cearbhaill, head of the security lab at Amnesty Tech.

“It’s pushing others to try and use tactics for physical access,” he told CyberScoop. “And this will grow and grow in the coming years, as it gets more difficult to attack devices remotely.

“It’s quite shocking to see … Cellebrite’s use as a key tool to unlock or break into the phones, and then from that enable authorities to install spyware that they would have been unable to install without the cell phone or without having the passcode,” he said.

It’s the second report this month by spyware-tracking researchers where physical access to a device enabled spyware infections, following disclosures that the Russian government detained a man and implanted spyware on his phone before releasing him.

One of the Amnesty cases that featured the Cellebrite-NoviSpy combination was one targeting  independent investigative journalist Slaviša Milanov, whose work includes exposing the misuse of public funds to purchase luxury cars in Serbia’s poorest cities, and connections between local politicians and local construction companies financed by public money.

Police stopped Milanov in February as he traveled from Dimitrovgrad to Perot with a colleague, with an officer telling him he had to “go with them for testing for psychoactive substances,” he said in written comments to CyberScoop. Hours of detainment and questioning later, he went free and the police returned belongings to him — including his mobile phone.

He got suspicious about what they’d done with the phone after noticing his mobile data and wifi were turned off, and that a number of apps remained active when his phone was in police possession. Amnesty analyzed his phone and found traces of the Cellebrite-NoviSpy cocktail.

“It was a very unpleasant feeling,” Milanov said. “I was simultaneously confused, surprised, disappointed, and very angry.”

The cases Amnesty found raise questions about whether police could use artificial intelligence to map someone’s connections through phone data, Ó Cearbhaill said. Milanov said he thought that was precisely what authorities hoped to learn.

“From my point of view, the intention of the police was to obtain information about our work and data about our associates and citizens serving as sources of information,” Milanov said. “At the same time, I believe they wanted to exert pressure on me and our journalist team, which is the only independent media outlet in the geographic areas between [Serbian city] Niš and the Bulgarian Border. The incident was a demonstration of the power of an autocratic government.”

NoviSpy isn’t as powerful as Pegasus, Amnesty said, but it can capture personal data from a target phone and do things like activate a phone’s microphone or camera remotely. Amnesty “attributes the NoviSpy spyware to BIA with high confidence,” said Ó Cearbhaill. Pegasus and its ilk have gotten more expensive to use, he said, and more difficult as tech companies like Google and Apple mount defenses against infiltration.

The BIA did not answer questions from Amnesty before the report’s release, and did not respond to a request for comment from CyberScoop.

How the BIA obtained the use of Cellebrite tech is another topic of the report. Amnesty found the Norwegian Ministry of Foreign Affairs donated it to Serbia, and further stated in its report that the agency “failed to conduct an adequate due diligence process to assess and mitigate for the potential risks of this technology to human rights and to provide safeguards against its abuse.”

The ministry told Amnesty that it finds it “alarming that digital forensic tools, purchased through a project funded by Norway, may have been used to target members of civil society in Serbia.” It said the United Nations Office for Project Services, which was responsible for the project’s activities, is expected to conduct an investigation into the alleged misuse.

Amnesty said that Cellebrite did not answer some of its questions about the findings of the report, but in part responded that “Cellebrite has strict controls ensuring that our technology is used appropriately in legally sanctioned investigations.”

The post Amnesty International exposes Serbian police’s use of spyware on journalists, activists appeared first on CyberScoop.