This year, a Serbian journalist and an activist had their phones hacked by local authorities using a mobile phone unlocking device made by the forensic tools company Cellebrite. The authorities’ goal was not only to unlock the phones to access their personal data, as Cellebrite allows, but also to install spyware to enable further surveillance, according to a new report by Amnesty International.
Amnesty International said in its report that it believes these are “the first criminally documented spyware infections that were enabled through the use” of Cellebrite tools.
This crude but effective technology is one of the many ways governments use spyware to monitor their citizens. In the past decade, organizations such as Amnesty International and the digital rights group Citizen Lab have documented dozens of cases in which governments have used advanced spyware made by Western surveillance technology vendors, such as NSO Group, Intellexa, and the now-defunct spyware pioneer Hacking Team, among others, to remotely hack dissidents, journalists, and political opponents.
Now, as remotely planted spyware and zero-day exploits become more expensive thanks to security improvements, authorities may have to rely more heavily on less sophisticated methods, such as physically getting their hands on the phones they want to hack.
Although many cases of spyware abuse have occurred around the world, there is no guarantee that it has not occurred, or will not occur, in the United States. In November, Forbes reported that the Department of Homeland Security’s Immigration and Customs Enforcement spent $20 million to acquire phone hacking and surveillance tools, including Cellebrite. Given the mass deportation campaign promised by President-elect Donald Trump, experts told Forbes they are concerned that ICE will increase its spying activities when the new administration takes control of the White House.
A brief history of early spyware
History tends to repeat itself. Even when something new (or undocumented) appears for the first time, it can actually be a repetition of something that has already happened.
Twenty years ago, when government spyware already existed but little was known about it within the antivirus industry charged with defending against it, physically planting spyware on a target’s computer was how police could access their communications. Authorities had to physically gain access to the target’s device, sometimes by breaking into their home or office, and then manually install the spyware.
This is why, for example, early versions of Hacking Team’s spyware from the mid-2000s were designed to run from a USB key or CD. And even earlier, in 2001, the FBI stormed the office of mobster Nicodemo Scarfo to plant spyware designed to record what Scarfo typed on his keyboard, with the aim of stealing the key he used to encrypt his emails.
These techniques are making a comeback, whether out of popularity or necessity.
Citizen Lab documented a case earlier in 2024 in which the Russian intelligence agency FSB allegedly installed spyware on the phone of Russian citizen Kirill Parubets, an opposition political activist who had been living in Ukraine since 2022, while he was in custody. The Russian authorities had forced Parubets to give up his phone’s passcode before planting spyware capable of accessing his private data.
Stop and search
In recent cases in Serbia, Amnesty International found new spyware on the phones of journalist Slavisa Milanov and youth activist Nikola Ristic.
In February 2024, Milanov was stopped by local police in what appeared to be a routine traffic check. He was later taken to the police station, where agents took his Android phone, a Xiaomi Redmi Note 10S, during interrogation, according to Amnesty International.
When Milanov retrieved it, he said he found something strange.
“I noticed that my mobile data (data transfer) and Wi-Fi were turned off. The mobile data app in my mobile phone is always turned on. That was my first suspicion that someone had entered my mobile phone,” Milanov told TechCrunch in a recent interview.
Milanov said he then used StayFree, a program that tracks the amount of time someone uses their apps, and noted that “a lot of apps were active” while the phone was supposed to be off and in the hands of police, who he said never asked for or forced him to hand over even his phone’s passcode.
It showed that during the period from 11:54 a.m. to 1:08 p.m., the Settings and Security applications and the file manager, in addition to the Google Play Store, dialer, gallery, and contacts, were active, which coincides with the time when, as Milanov put it, “I didn’t have it.”
“During that period, they extracted 1.6 GB of data from my mobile phone,” he said.
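The check Milanov performed by hand, comparing a screen-time tracker's per-app log against the interval in which he did not hold the phone, can be automated. This is an added example, not code from the article or from Amnesty International; the log entries, date and app labels are constructed sample values in the shape of a tracker export, and the custody window is the one the article gives.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample in the shape of a screen-time tracker export:
# (app label, foreground start, foreground end). Date and times are illustrative.
SAMPLE_LOG = [
    ("Settings",     "2024-02-15 11:55", "2024-02-15 12:03"),
    ("Security",     "2024-02-15 12:03", "2024-02-15 12:11"),
    ("File manager", "2024-02-15 12:11", "2024-02-15 12:40"),
    ("Play Store",   "2024-02-15 12:40", "2024-02-15 12:48"),
    ("Dialer",       "2024-02-15 12:48", "2024-02-15 12:52"),
    ("Gallery",      "2024-02-15 12:52", "2024-02-15 13:00"),
    ("Contacts",     "2024-02-15 13:00", "2024-02-15 13:07"),
    ("Messaging",    "2024-02-15 15:30", "2024-02-15 15:45"),  # owner's own use, after the phone was returned
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, FMT)


def activity_during(log, window_start: str, window_end: str):
    """Return [(app, minutes_in_window)] for every log entry overlapping the
    window, clipped to the window so partial overlaps are counted fairly."""
    w0, w1 = _parse(window_start), _parse(window_end)
    hits = []
    for app, start, end in log:
        s, e = _parse(start), _parse(end)
        lo, hi = max(s, w0), min(e, w1)  # overlap of [s, e) with [w0, w1)
        if lo < hi:
            hits.append((app, int((hi - lo).total_seconds() // 60)))
    return hits


def summarize(log, window_start: str, window_end: str):
    """Total foreground minutes the owner cannot account for, and the apps touched."""
    hits = activity_during(log, window_start, window_end)
    return {"apps": sorted({app for app, _ in hits}),
            "minutes": sum(m for _, m in hits)}


if __name__ == "__main__":
    # Custody window from the article: phone out of the owner's hands 11:54 to 13:08.
    for app, minutes in activity_during(SAMPLE_LOG, "2024-02-15 11:54", "2024-02-15 13:08"):
        print(f"{app:<13} {minutes:>3} min in foreground while owner had no access")
    print(summarize(SAMPLE_LOG, "2024-02-15 11:54", "2024-02-15 13:08"))
```

Any app that shows foreground time inside the custody window is activity the owner did not cause; the list is worth preserving, together with the raw log, before handing the device to a forensic lab.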
At that point, Milanov was “unpleasantly surprised and very angry,” and had a “bad feeling” about his privacy being compromised. He contacted Amnesty International to forensically examine his phone.
Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, analyzed Milanov’s phone and found that it had indeed been unlocked with Cellebrite and that Android spyware had been installed on it, which Amnesty International calls NoviSpy, from the Serbian word for “new.”
Spyware is likely to be used “widely” in civil society
Amnesty International’s analysis of the NoviSpy spyware, together with a series of operational security, or OPSEC, mistakes, suggests that Serbian intelligence developed the spyware.
According to the Amnesty International report, the spyware was used to “systematically and covertly infect mobile devices during arrest or detention, or in some cases, during media interviews with members of civil society. In multiple cases, arrests or detentions appear to have been organized to enable covert access to an individual’s device to enable data extraction or infection of the device.”
Amnesty International believes that NoviSpy was likely developed in the country, based on the fact that there were Serbian-language comments and text in the code, and that it was programmed to communicate with servers in Serbia.
A mistake by Serbian authorities allowed Amnesty International researchers to link NoviSpy to the Serbian Security Information Agency, known as Bezbedonosno-informaciona Agencija, or BIA, and one of its servers.
During their analysis, Amnesty researchers found that NoviSpy is designed to communicate with a specific IP address: 195.178.51.251.
In 2015, the same IP address was linked to an agent of the Serbian BIA. At that time, Citizen Lab found that this specific IP address identified itself as “DPRODAN-PC” on Shodan, a search engine that lists servers and computers exposed to the Internet. As it turns out, someone with an email address containing “dprodan” was in touch with spyware maker Hacking Team about a demo in February 2012. According to leaked Hacking Team emails, company employees gave a demo in the Serbian capital Belgrade around that date, leading Citizen Lab to conclude that “dprodan” was also a Serbian BIA employee.
The same IP address range identified by Citizen Lab in 2015 (195.178.51.xxx) is still associated with the BIA, according to Amnesty International, which said it found that the BIA’s public website was recently hosted within that IP range.
Amnesty said it had conducted forensic analyses of the devices of dozens of members of Serbian civil society, most of them Android users, and found other people infected with NoviSpy. Some clues inside the spyware code suggest that it is being used extensively by the BIA and Serbian police, according to Amnesty International.
The BIA and the Serbian Interior Ministry, which oversees Serbian police, did not respond to TechCrunch’s request for comment.
The NoviSpy code contains what Amnesty International researchers believe could be an incremental user ID, which in the case of one victim was 621. In the case of another victim, who became infected about a month later, this number was higher than 640, indicating that the authorities had infected some twenty more people in that time period. Amnesty International researchers said they found a 2018-dated version of NoviSpy on VirusTotal, an online malware scanning repository, suggesting the malware was developed several years ago.
As part of its research into spyware used in Serbia, Amnesty International also identified a zero-day vulnerability in Qualcomm chipsets that was used against a Serbian activist’s device, likely by Cellebrite’s tools. Qualcomm announced in October that it had fixed the vulnerability after Amnesty’s discovery.
When reached for comment, Cellebrite spokesman Victor Cooper said the company’s tools cannot be used to install malware, “and a third party would have to do it.”
A Cellebrite spokesperson declined to provide details about its customers, but added that the company “will conduct further investigations.” The company said that if Serbia breaches the end-user agreement, the company will “reassess whether it is one of the 100 countries we do business with.”