A recent report by Amnesty International has uncovered a disturbing trend of government surveillance in Serbia, where authorities used Cellebrite forensic tools to hack into the phones of journalists and activists, installing spyware to monitor their activities. This is the first documented case of spyware infections enabled by the use of Cellebrite tools, according to Amnesty.
The report highlights the case of a Serbian journalist and an activist who had their phones hacked by local authorities using a cellphone-unlocking device made by Cellebrite. The goal was not only to unlock the phones to access their personal data but also to install spyware to enable further surveillance. This crude but effective technique is one of the many ways that governments use spyware to surveil their citizens.
In the past decade, organizations like Amnesty and digital rights group Citizen Lab have documented dozens of cases where governments used advanced spyware made by Western surveillance tech vendors, such as NSO Group, Intellexa, and the now-defunct spyware pioneer Hacking Team, among others, to remotely hack dissidents, journalists, and political opponents. However, as zero-days and remotely-planted spyware become more expensive due to security improvements, authorities may have to rely more on less sophisticated methods, such as getting their hands physically on the phones they want to hack.
The use of Cellebrite tools in Serbia raises concerns about the potential for similar surveillance activities in other countries, including the United States. In November, Forbes reported that the Department of Homeland Security's Immigration and Customs Enforcement (ICE) spent $20 million to acquire phone hacking and surveillance tools, among them Cellebrite. Given President-elect Donald Trump's promised mass deportation campaign, experts are worried that ICE will increase its spying activities when the new administration takes control of the White House.
A brief history of early spyware reveals that physically planting spyware on a target's computer is not a new technique. Twenty years ago, authorities had to gain physical access to a target's device — sometimes by breaking into their home or office — and then manually install the spyware. This technique is returning to popularity, if not out of necessity.
In the recent cases in Serbia, Amnesty found a novel spyware on the phones of journalist Slaviša Milanov and youth activist Nikola Ristić. In February 2024, local police stopped Milanov for what looked like a routine traffic check. He was later brought into a police station, where agents took away his Android phone, a Xiaomi Redmi Note 10S, while he was being questioned. When Milanov got his phone back, he noticed that his mobile data and Wi-Fi were turned off, and he suspected that someone had entered his mobile phone.
Milanov used StayFree, an app that tracks how much time someone spends using their apps, and noticed that "a lot of applications were active" while the phone was supposedly turned off and in the hands of the police, who he said had never asked or forced him to give up his phone's passcode. He contacted Amnesty to get his phone forensically checked. Donncha Ó Cearbhaill, the head of Amnesty's Security Lab, analyzed Milanov's phone and found that it had been unlocked using Cellebrite and that Android spyware, which Amnesty calls NoviSpy, from the Serbian word for "new," had been installed on it.
Amnesty's analysis of the NoviSpy spyware and a series of operational security, or OPSEC, mistakes point to Serbian intelligence as the spyware's developer. The spyware was used to "systematically and covertly infect mobile devices during arrest, detention, or in some cases, informational interviews with civil society members. In multiple cases, the arrests or detentions appear to have been orchestrated to enable covert access to an individual's device to enable data extraction or device infection," according to Amnesty.
Amnesty believes NoviSpy was likely developed in the country, judging from the fact that there are Serbian-language comments and strings in the code, and that it was programmed to communicate with servers in Serbia. A mistake by the Serbian authorities allowed Amnesty researchers to link NoviSpy, and one of its servers, to the Serbian Security Information Agency, known as Bezbednosno-informativna agencija, or BIA.
Cellebrite's spokesperson Victor Cooper said that the company's tools cannot be used to install malware, and a "third-party would have to do that." The company said if Serbia broke its end-user agreement, the company would "reassess if they are one of the 100 countries we do business with."
The use of Cellebrite tools in Serbia raises important questions about the responsibility of surveillance tech vendors in preventing human rights abuses. As governments increasingly rely on these tools to surveil their citizens, it is essential to hold these companies accountable for their role in enabling privacy violations.
The incident also highlights the need for individuals to be vigilant about their digital security and privacy. With governments and surveillance tech vendors continually developing new methods to hack into devices, it is crucial for individuals to take proactive steps to protect their data and devices.
As the world becomes increasingly dependent on digital technologies, the importance of protecting individual privacy and preventing government surveillance cannot be overstated. The Serbian authorities' use of Cellebrite tools to hack into phones is a stark reminder of the need for robust safeguards and accountability mechanisms to prevent such abuses.