Serbian Police Unlock and Plant ‘NoviSpy’ Spyware on Journalist’s Phone via Cellebrite

• Serbian authorities used the digital forensic tool Cellebrite to unlock and install spyware on the phones of a journalist and an activist.
• The journalist noticed unusual activity on his phone after it was confiscated hone during an apparently routine traffic stop.
• The spyware was traced back to Serbia's Security Information Agency.

Cellebrite, widely used for extracting data from mobile devices, not just unlocked devices for data extraction but enabled the installation of spyware and was used by Serbian police against two civilians, according to a report by Amnesty International.  

The new spyware, identified as "NoviSpy" by Amnesty’s Security Lab, was discovered on the phones of Serbian journalist Slaviša Milanov and youth activist Nikola Ristić. These infections reportedly occurred after Serbian police seized their phones during separate encounters under suspicious circumstances in 2024. 

The spyware, which Amnesty traced back to Serbia's Security Information Agency (BIA), allows authorities prolonged and covert access to personal communications and other data on the target's device.  

Milanov’s experience sheds light on the crude but effective methodology used. Milanov noticed unusual activity on his Xiaomi Redmi Note 10S after police had confiscated his phone during what seemed like a routine traffic stop. 

Using the StayFree application, he saw that multiple applications, including Security, File Manager, and Google Play Store, were active while the phone was in police possession. Milanov later learned from Amnesty researchers that 1.6 GB of his phone’s data had been extracted, and NoviSpy had been installed.  

Amnesty’s forensic analysis revealed that NoviSpy was designed to communicate with servers in Serbia and contained Serbian-language comments in its code, pointing directly to Serbian authorities as the spyware's creators and operators. Evidence linked the spyware to IP addresses associated with the Serbian BIA, further implicating state agencies in these privacy violations.   

Although crude compared to remotely deployed spyware like NSO Group’s Pegasus, this tactic is no less intrusive. Citizen Lab documented a similar incident earlier in 2024 in Russia, where authorities planted spyware on opposition activist Kirill Parubets’ phone after he was forced to unlock it while in custody.  

Spyware infections have long been linked to authoritarian governments using advanced surveillance tools from firms such as NSO Group and Intellexa. These tools have allowed governments to target activists, journalists, and political dissidents worldwide. Now, as seen in Serbia, governments are also relying on physical access to devices, alongside standard hacking strategies, to deploy spyware.  

Amnesty noted sequential user IDs in NoviSpy infections, indicating that dozens, if not hundreds, of users in Serbia’s civil society could have been affected over the spyware’s six-year history.  

Cellebrite denied responsibility for enabling spyware installation. A spokesperson stated that its tools cannot install malware, and any such action requires a third-party mechanism, adding that it is investigating potential violations of its end-user agreement by Serbian authorities and may reevaluate its relationship with the country if violations are confirmed.