Cellebrite Blocks Serbia from Using Its Forensic Solution Amid Allegations of Abuse

A shocking revelation has come to light regarding the Israeli company Cellebrite, a leading provider of digital forensic solutions. In December 2024, Amnesty International published a report detailing how Serbian police used Cellebrite's forensics tools to unlock and infect the phones of a local journalist and activist. The move by Cellebrite has left many questioning the ethics of their business practices.

The report found that Serbian authorities utilized Cellebrite UFED exploits to bypass Android security and secretly install spyware, dubbed NoviSpy, on activists' phones during police interviews. NoviSpy is a newly discovered Android spyware that enables Serbian authorities to surveil targets by capturing personal data and remotely activating microphones or cameras.

Amyesty International found forensic evidence linking Cellebrite tools to NoviSpy infections, revealing that Serbian police used Cellebrite UFED exploits to bypass Android security and secretly install the spyware on activists' phones during police interviews. The malware is deployed via the Android Debug Bridge (adb) command-line utility.

"Serbian police and intelligence authorities are using advanced phone spyware alongside mobile phone forensic products to unlawfully target journalists, environmental activists and other individuals in a covert surveillance campaign, a new Amnesty International report has revealed," reported Amnesty International. "The Serbian police and the Security Information Agency (Bezbedonosno-informativna Agencija – BIA) have used a bespoke Android spyware system, NoviSpy, to covertly infect individuals' devices during periods of detention or police interviews."

Cellebrite has announced that it is suspending the provision of its technology to Serbia due to reports of abuse by local police. "After a review of the allegations brought forth by the December 2024 Amnesty International report, Cellebrite took precise steps to investigate each claim in accordance with our ethics and integrity policies. We found it appropriate to stop the use of our products by the relevant customers at this time," reads the announcement.

The move by Cellebrite comes as Amnesty International calls for Serbia to commit to immediately stopping the use of highly invasive spyware and carrying out prompt, independent, and impartial investigations into all documented cases of unlawful digital surveillance. The organization also demands that Serbia takes concrete steps to ensure that digital technologies are not misused to violate human rights.

"In at least two cases Amnesty International documented, the Cellebrite UFED product and associated exploits were used to covertly bypass phone security features, enabling Serbian authorities to infect the devices with NoviSpy spyware. These covert infections, which also occurred during interviews with police or BIA, were only possible because of the capabilities provided by advanced technology like Cellebrite UFED to bypass device encryption," reads the report published by Amnesty.

Amyesty International's Security Lab also discovered that the extraction tool Cellebrite UFED exploited a Qualcomm Multiple Chipsets Use-After-Free zero-day vulnerability CVE-2024-43047, which Google patched in November 2024. A joint effort of Amnesty International and Google allowed to identify the exploit from the analysis of forensic logs found on the phone of a protest organizer detained by Serbian police.

Other targets of the NoviSpy spyware campaign included the activist Nikola Ristić, environmental activist Ivan Milosavljević Buki, and an unnamed activist from Krokodil, a Belgrade-based NGO. Serbia's police labeled the Amnesty report as "absolutely incorrect," claiming that the forensic tool is used in the same way by other police forces around the world.

"Serbia must commit to immediately stop using highly invasive spyware and carry out prompt, independent and impartial investigations into all documented and reported cases of unlawful digital surveillance. It also must take concrete steps to ensure that digital technologies are not misused to violate human rights, including by putting in place and robustly enforcing a legal framework that provides meaningful procedural safeguards, effective systems of control and oversight through judicial review, and effective mechanisms for redress for victims," concludes the report.