OP 17 December, 2024 - 06:35 AM
Serbian authorities have repeatedly used Cellebrite's tools to hack into mobile phones and then infect them with powerful malware, including the devices of activists and a journalist, according to a new report by Amnesty International.
This report matters because it shows that Cellebrite's tools, which are designed to unlock and extract data from phones in the authorities' physical possession, can also serve as the first stage for installing persistent surveillance software: in some cases phones were infected and then handed back to their owners. Amnesty also reports that, together with Google researchers, it uncovered a vulnerability affecting many Qualcomm-based Android phones that Cellebrite's tooling exploited; Qualcomm has since patched it. In addition, according to Amnesty, Google remotely removed the spyware from infected devices.
"I am concerned about the behavior of the police during the incident, especially the way they seized/extracted data from my mobile phone without following legal procedures. The fact that they extracted 1.6 GB of data from my phone, including personal, family and business information, as well as information about our colleagues and people acting as 'sources of information' for investigative journalism, is simply unacceptable," Slavisa Milanov, deputy editor and journalist at the Serbian outlet FAR, whose phone was compromised, told 404 Media. Milanov, among other things, covers corruption.
Cellebrite is an Israeli company that sells mobile forensics technology to law enforcement agencies and private companies around the world. One of its main products is UFED, which ships either as a tablet-sized device or as PC software and provides access to data stored on mobile phones. Cellebrite tools can often bypass or brute-force the lock-screen passcode, allowing law enforcement to access a phone without the owner's consent.
Amnesty says its research is based on online interviews as well as two trips to Serbia in September and November, during which the organization interviewed 28 civil society representatives across the country. In addition, the researchers conducted forensic analysis of phones whose owners suspected they had been infected with spyware or had been accessed and had data extracted, and examined documents relating to the transfer of Cellebrite technology to the Serbian authorities.
The investigation began in 2021 when Amnesty received several reports from activists and a journalist in Serbia about suspicious activity on their mobile phones after meetings with Serbian law enforcement officers. In at least two cases, people contacted the police or met with authorities to report that they had been victims of a crime.
Amnesty says that forensic analysis of many devices uncovered "new, previously undisclosed Android spyware," which Amnesty has dubbed NoviSpy. Donncha Ó Cearbhaill, head of Amnesty's Security Lab, told 404 Media that the organization does not know what the Serbian authorities call the software, so it chose the name "Novi" ("new" in Serbian).
Amnesty says Serbian authorities have either developed NoviSpy themselves or acquired it. Police install NoviSpy on phones when detaining, interrogating or arresting civil society representatives, Amnesty said. In a number of cases, the organization said, such detentions or interrogations appeared to have been organized specifically to infect the device.
In the case of Milanov, he told 404 Media that in February, together with his colleague, FAR editor-in-chief Petar Videnov, he was traveling to the city of Pirot in southeastern Serbia. At about 10:50 a.m., they were stopped by traffic police and asked for their IDs. According to Milanov, the police were talking on the phone at the same time. They said that Milanov needed to "pass a test for psychoactive substances."
At the police station, Milanov was required to turn off the Xiaomi Redmi Note 10S phone and hand over all personal belongings. In addition to the phone, Milanov gave away his wallet, keys and tobacco. According to Amnesty, he did not provide the police with the phone unlock code. Milanov says he was tested for alcohol and drugs, and both tests came back negative.
More than an hour after the stop, Milanov asked one of the policemen: "What's going on, are we done? I have to go to Pirot on business." The officer replied that they were waiting for the "chief" and left the room to make a few phone calls. "At some point, I hear him say on the phone: 'He's negative, I can't hold him anymore,'" Milanov recalls. Two more plainclothes officers then questioned Milanov in another building about his journalistic activities and funding for FAR, according to the Amnesty report. In the end, the authorities returned Milanov's belongings, and he was released. Later, he noticed strange behaviour on his phone: mobile data and Wi-Fi had been disabled, and some applications showed abnormally high battery consumption. According to him, the StayFree app, which tracks phone usage, showed that many apps had been active while the device was in the possession of the police.
At the time, Milanov was unaware that authorities had used the Cellebrite tool to hack into his phone, according to Amnesty's forensic analysis. Analysis detected a Cellebrite binary called "falcon" on the device. "Amnesty International believes that the Cellebrite UFED system allowed Serbian authorities to guess or bypass the phone's lock code and install spyware on the device. Subsequent traces of the Cellebrite falcon file indicate that data extraction was carried out using UFED after the initial hack and installation of NoviSpy," the report says. Amnesty notes that it has found other cases of using Cellebrite to unlock phones before installing NoviSpy.
NoviSpy is delivered as two applications that the authorities install on the target device: 'com.serv.services' and 'com.accesibilityservice'. The former collects call logs, contacts and text messages and records audio through the phone's microphone; the latter silently takes screenshots, Amnesty notes.
In one case, Amnesty researchers found that the Samsung Galaxy S24+ they were checking was still infected, and they were able to recover the surveillance logs and screenshots stored on the device. NoviSpy was configured to send stolen data to a server with an IP address of 195.178.51.251, the report notes. This IP address is within the narrow range in which Citizen Lab previously identified the FinFisher system in 2014. The public server with the same IP was named "DPRODAN-PC", according to the Amnesty report.
Ó Cearbhaill pointed to an email in the leaked 2015 archive of the Italian surveillance vendor Hacking Team, sent by someone at a Serbian state telecom operator whose name matches the hostname of the server associated with NoviSpy, discussing a spyware demonstration. The NoviSpy configuration file also contains a phone number linked to a person of the same name, Amnesty notes.
Among the screenshots captured were Signal and WhatsApp conversations, the report indicates. End-to-end encryption protects messages in transit between the two endpoints; once one of those endpoints is running malware, the messages can be read on that device in the clear, exactly as the user sees them, so a screenshot-capable implant defeats the protection without breaking the cryptography.
After Amnesty reported NoviSpy to Google, Google was able to remotely remove active NoviSpy infections from other Android devices, the report said. A Google spokesperson confirmed that the company had cooperated with Amnesty. Ó Cearbhaill noted, "I don't have definitive numbers from Google regarding the number of infections removed or detected, but we believe these attacks are fairly widespread."
Among other things, Amnesty discovered a vulnerability in Android devices based on Qualcomm chips that affected millions of phones around the world. Ó Cearbhaill said Amnesty first noticed suspicious lines in the kernel log caused by the Cellebrite falcon binary. "The exploit failed several times, and we were able to see the logs from several hacking attempts," he explained. Amnesty suspected exploitation of a zero-day Android vulnerability and reported it to Google, which subsequently identified several such vulnerabilities. Qualcomm released a patch in October 2024.
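The indicators above (the two NoviSpy package names, the C2 address, and the kernel-log traces left by the falcon binary) are enough for a first-pass triage of an Android device. The script below is an added example written for this page, not code from Amnesty, 404 Media or Cellebrite. It assumes a USB-debugging-enabled device reachable via adb for the `--device` mode; the functions read stdin so they also work on saved dumps. All SAMPLE_* data is constructed for illustration, the accessibility component name after the slash is invented, and the "falcon" log grep is only a hint for an analyst because the real log strings are not reproduced on this page.

```sh
#!/bin/sh
# Added triage helper (not from the Amnesty report or the 404 Media article).
# Indicators from the report: the two NoviSpy package names and the C2 IP.
# Everything in SAMPLE_* is constructed and is not real NoviSpy/Cellebrite output.

NOVISPY_PACKAGES="com.serv.services com.accesibilityservice"
NOVISPY_C2_IP="195.178.51.251"

# stdin: `adb shell pm list packages` lines ("package:com.example.app").
# Prints each installed indicator package; exit 0 if any matched, else 1.
match_packages() {
    hit=1
    while IFS= read -r line; do
        pkg=${line#package:}
        for ioc in $NOVISPY_PACKAGES; do
            if [ "$pkg" = "$ioc" ]; then
                echo "IOC package installed: $pkg"
                hit=0
            fi
        done
    done
    return $hit
}

# stdin: `adb shell settings get secure enabled_accessibility_services`
# (colon-separated "package/Component" entries, or "null"). NoviSpy's second
# component abuses the accessibility framework to screenshot the screen, so an
# indicator package that is also an enabled accessibility service is the
# stronger finding.
match_accessibility() {
    hit=1
    IFS= read -r value || value=""
    saved_ifs=$IFS
    IFS=:
    set -- $value            # split on ':' into positional parameters
    IFS=$saved_ifs
    for entry in "$@"; do
        pkg=${entry%%/*}
        for ioc in $NOVISPY_PACKAGES; do
            if [ "$pkg" = "$ioc" ]; then
                echo "IOC accessibility service enabled: $entry"
                hit=0
            fi
        done
    done
    return $hit
}

# stdin: connection table lines (e.g. `adb shell netstat -an`). Prints lines
# referencing the C2 address; exit status is grep's (0 = found).
match_c2() {
    grep -F -- "$NOVISPY_C2_IP"
}

# stdin: kernel log or logcat lines. Failed falcon exploitation attempts left
# kernel-log traces per the report; the exact strings are not public here, so
# this only surfaces lines mentioning "falcon" for review. dmesg usually needs root.
match_falcon_log() {
    grep -i -- 'falcon'
}

# Constructed sample inputs (labelled: not real device output).
SAMPLE_PACKAGES='package:com.android.chrome
package:com.serv.services
package:com.accesibilityservice
package:org.thoughtcrime.securesms'
# The component name after "/" is invented for this sample.
SAMPLE_ACCESSIBILITY='com.accesibilityservice/com.accesibilityservice.Main:com.example.talkback/.TalkBackService'
SAMPLE_NETSTAT='tcp   0   0 10.0.0.12:41022   195.178.51.251:443   ESTABLISHED
tcp   0   0 10.0.0.12:41023   198.51.100.7:443   ESTABLISHED'
# Placeholder lines, not real kernel messages.
SAMPLE_DMESG='[  512.001] sample: falcon attempt (constructed line)
[  512.002] sample: unrelated driver message'

run_sample() {
    echo "== packages ==";      printf '%s\n' "$SAMPLE_PACKAGES" | match_packages || echo "none"
    echo "== accessibility =="; printf '%s\n' "$SAMPLE_ACCESSIBILITY" | match_accessibility || echo "none"
    echo "== connections ==";   printf '%s\n' "$SAMPLE_NETSTAT" | match_c2 || echo "none"
    echo "== kernel log ==";    printf '%s\n' "$SAMPLE_DMESG" | match_falcon_log || echo "none"
}

# Same checks against a live device over adb (USB debugging must be enabled).
run_device() {
    adb shell pm list packages | match_packages || echo "no IOC packages"
    adb shell settings get secure enabled_accessibility_services | match_accessibility || echo "no IOC accessibility service"
    adb shell netstat -an 2>/dev/null | match_c2 || echo "no connection to C2 seen"
    adb shell dmesg 2>/dev/null | match_falcon_log || echo "no falcon lines (dmesg may need root)"
}

case "${1:-sample}" in
    --device) run_device ;;
    *)        run_sample ;;
esac
```

Run it with no arguments to see the checks against the constructed sample, or with `--device` against a connected phone. A clean result proves little: the report describes the implant being installed after an unlock with UFED, so a device that was out of its owner's hands should still be treated as suspect, and a live infection is better examined by a lab that can preserve the surveillance logs and screenshots rather than by uninstalling the packages.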
Serbia has also been reported as a likely customer of remote surveillance systems such as FinFisher, Predator and NSO Group's Pegasus.
In a response to Amnesty included in the report, Victor Cooper, Cellebrite's Senior Director of Corporate Communications, said: "We carry out a number of human rights due diligence procedures before cooperating with law enforcement agencies in any country, as well as with other defence or civilian agencies. We also have an independent ethics and integrity committee that guides our approach." He added: "Cellebrite's digital forensics solutions are licensed solely for lawful use, require a warrant or consent, and assist law enforcement in post-crime investigations."
Cooper provided the same response to 404 Media and added that if Amnesty's information is confirmed during the Cellebrite investigation, it will mean a violation of the licensing agreement with Serbia. After that, Cellebrite will reconsider the feasibility of further cooperation with Serbia, which is one of the 100 partner countries of the company.
In another statement to 404 Media, Cooper said: "We are grateful to Amnesty International for bringing the alleged misuse of our technology to our attention. We take seriously all allegations of possible misuse of our technology, which are contrary to both the express and implied terms of our license agreement. We are investigating the allegations contained in this report. If they are confirmed, we are ready to impose appropriate sanctions, including the termination of relations with any agencies involved."
source : https://www.404media.co/cellebrite-...sts-phone-cops-then-infected-it-with-malware/