
Android spyware “NoviSpy” found installed on a journalist’s phone


Imagine police pulling you over for a routine traffic stop and then taking you to the station. After your release, you notice your phone behaving suspiciously. This is what happened to Serbian journalist Slaviša Milanov, who later discovered an undocumented Android spyware called “NoviSpy” installed on his phone.

Installed without consent

According to Amnesty International’s Security Lab, Slaviša discovered that his phone was acting strangely after leaving the police station. Someone had turned off the data and WiFi settings on his phone. Slaviša had the presence of mind to note that this could be a sign of hacking. Given this and the surveillance threats faced by journalists in Serbia, Slaviša contacted the Security Lab to analyze his device.

The organization analyzed his phone and discovered several traces indicating that someone had unlocked his device without his consent. It seems that the authorities had used a Cellebrite product to unlock the journalist’s phone. The authorities searched Slaviša’s device without his consent, as they neither informed him of their intent to search nor requested his passcode.

The Security Lab also found that someone had installed the Android spyware “NoviSpy.” This spyware would have allowed the attacker to capture sensitive personal data. It also gives the attacker the ability to turn on the phone’s microphone or camera remotely, which would allow them to spy on their target and listen in on private conversations.

That being said, the Serbian police have refuted Amnesty’s report. They released a statement to the Associated Press claiming that the report is “absolutely incorrect”.

Qualcomm zero-day bug

It turns out that the spyware was able to work the way it did because of the exploitation of a Qualcomm zero-day bug. Google’s Project Zero initially identified the flaw, CVE-2024-43047, as being exploited in October 2024. Qualcomm later patched the flaw in November.

Google’s Threat Analysis Group has discovered other flaws in addition to this one. Several reported security flaws remain unaddressed. BleepingComputer contacted Qualcomm for comment and learned that a fix for at least one flaw had been developed. Qualcomm is currently going through the disclosure process, with the fix expected to arrive in January 2025.

Technology is progressing rapidly. There is a strong push for messages to be more private and secure. This is why more messaging apps are starting to get end-to-end encryption features, but this might not necessarily be the solution. At the end of the day, it’s a game of cat and mouse. The improvement of technology can be a double-edged sword. While it gives developers tools to make their services more secure, it also gives hackers more tools to crack them.


