Serbian police and intelligence authorities are using advanced phone spyware alongside mobile phone forensic products to unlawfully target journalists, environmental activists and other individuals in a covert surveillance campaign, Amnesty International claims. The new report, entitled “A Digital Prison: Surveillance and the Suppression of Civil Society in Serbia”, documents how mobile forensic products made by the Israeli company Cellebrite are being deployed to extract data from mobile devices belonging to citizens who tend to openly criticize the government.
In addition, the document reveals how the Serbian police and the Security Information Agency (BIA) have been using an Android spyware system, NoviSpy, to covertly infect individuals’ devices during periods of detention or police interviews.
“Our investigation reveals how Serbian authorities have deployed surveillance technology and digital repression tactics as instruments of wider state control and repression directed against civil society,” says Dinushika Dissanayake, Amnesty International’s Deputy Regional Director for Europe.
She adds that it also highlighted how Cellebrite mobile forensic products “can pose an enormous risk to those advocating for human rights, the environment and freedom of speech when used outside of strict legal control and oversight”.
BIA: We work exclusively in accordance with the laws of the Republic of Serbia
Amnesty International shared the findings of this research with the Serbian government ahead of the publication but did not receive a response.
However, commenting on the report by Amnesty International, the Serbian Security Information Agency (BIA) stated in today’s press release that “the trivial sensationalism of its content indicates the purpose of Amnesty International which is reflected in working for the interests of individual agencies and pressure groups”.
“The Security Information Agency works exclusively in accordance with the laws of the Republic of Serbia and therefore we are not even able to comment on meaningless statements from their article, just as we do not otherwise comment on similar content”, BIA stated.
Belgrade Centre for Security Policy demands an immediate investigation into the serious allegations
On the other hand, the Belgrade Centre for Security Policy (BCSP) think tank strongly condemns the misuse of digital technologies for citizens’ surveillance by the Serbian authorities, as documented in Amnesty International’s report.
The BCSP demands an immediate, transparent and independent investigation into these serious allegations, as well as criminal prosecution of those responsible from the police and the Security Information Agency.
“In a country where civil protests are becoming more massive and discontent with the regime is getting louder, these practices are a direct attack on basic freedoms of citizens, including the right to peaceful assembly, freedom of expression and association”, BCSP stated.
How does the spy technology work?
Amnesty International reports that Cellebrite, a firm founded and headquartered in Israel but with offices globally, develops products for law enforcement agencies and government entities.
It is claimed that this technology “enables the extraction of data from a wide range of mobile devices including some of the most recent Android devices and iPhone models, even without access to the device passcode”.
Furthermore, Amnesty International reveals that the Android spyware called NoviSpy provides Serbian authorities with extensive surveillance capabilities once installed on a target’s device, in spite of the fact that it is less technically advanced than highly invasive commercial spyware like Pegasus.
“NoviSpy can capture sensitive personal data from a target phone and provide capabilities to turn on a phone’s microphone or camera remotely, while Cellebrite forensic tools are used to both unlock the phone prior to spyware infection and also allow the extraction of the data on a device. Amnesty International uncovered forensic evidence showing how Serbian authorities used Cellebrite products to enable NoviSpy spyware infections of activists’ phones. In at least two cases, Cellebrite UFED exploits (software that takes advantage of a bug or vulnerability) were used to bypass Android device security mechanisms, allowing the authorities to covertly install the NoviSpy spyware during police interviews”, the article states.
The cases of an independent journalist and two civil rights activists
Amnesty reported that the forensic evidence proves that the NoviSpy spyware was installed while the Serbian police had possession of the phone of Serbian independent journalist Slaviša Milanov. In February 2024 he was arrested and detained by police under the pretext of performing a test for driving under the influence of alcohol.
Milanov’s Android phone was turned off when he surrendered it to police, and at no point was he asked for, nor did he provide, the passcode. After his release, Slaviša noticed that his phone, which he had left at the police station reception during his interrogation, appeared to have been tampered with, and his phone data was turned off.
He requested Amnesty International’s Security Lab to conduct a forensic analysis of his phone. The analysis revealed that Cellebrite’s product was used to secretly unlock Milanov’s phone during his detention.
A second case in the report, involving an environmental activist, Nikola Ristić, found similar forensic evidence of Cellebrite products used to unlock a device to enable subsequent NoviSpy infection.
In another case, an activist from Krokodil, an organization promoting dialogue and reconciliation in the Western Balkans, had their phone infected with spyware during an interview with BIA officials in October 2024.
The activist was invited to BIA’s office in Belgrade to provide information about an attack on their offices by Russian-speaking people, ostensibly in opposition to Krokodil’s public condemnation of Russia’s invasion of Ukraine.
Cellebrite stated for the report that “our digital investigative software solutions do not install malware nor do they perform real-time surveillance consistent with spyware or any other type of offensive cyber activity”.
Cellebrite stressed that its products “are licensed strictly for lawful use, require a warrant or consent to help law enforcement agencies with legally sanctioned investigations after a crime has taken place”.