From Imports to In-House: The Evolving Arsenal of Surveillance in Serbia

How NoviSpy marked a shift from foreign spyware to domestic tools – and what that means for citizens under watch

By: Ivana Jovanović

Mercenary spyware, specialized malicious software developed by private firms and marketed to governments as tools for fighting crime and terrorism, finds most of its customer base in law enforcement and intelligence agencies. Its covert and unlawful use, however, has become a growing global concern in recent years.  

In Serbia, public awareness of such surveillance practices remained limited until December 2024, when researchers uncovered NoviSpy, a domestically developed spyware allegedly deployed by Serbian government agencies. This discovery has signaled a local turn in surveillance strategy, not just a technical curiosity, and has prompted urgent questions: What do we really know about the digital surveillance practices of Serbian authorities? And what are the implications of NoviSpy for the privacy and rights of Serbian citizens? 

Building on previous research and newly gathered forensic evidence, this investigation seeks to answer those questions. It begins with a timeline of publicly documented spyware use by Serbian government agencies in recent years, then turns to a case study involving a targeted Serbian official and the spyware itself.  

The earliest publicly available information linking Serbian government agencies to spyware vendors concerns the Hacking Team – a now-defunct Milan-based company known for selling offensive technology software to governments worldwide. In 2015 the company suffered a major data breach that exposed internal emails, files, and source code. Among the leaked material was correspondence from 2011 showing that two separate deals were being negotiated with Serbian government agencies. While these talks appeared promising, the exchange eventually stalled – possibly due to competition from another vendor offering the notorious FinFisher spyware suite.

Unlike Hacking Team’s tools, which apparently never took hold in Serbia, the FinFisher spyware suite has been detected targeting Serbian citizens. In 2013, a global investigation into FinFisher’s use revealed a likely Serbian customer. Further analysis in 2015 identified servers linked to FinSpy, with IP addresses directly connected to a Serbian state security agency.  

Another apparent attempt to enter the Serbian market came from Cyberbit, an Israeli cybersecurity company whose primary product was a spyware suite targeting personal computers. Although no formal contracts with Serbian government agencies have been documented, demo presentations were reportedly given to potential clients in Serbia in 2017.  

One of the most notorious spyware products currently in use is Intellexa’s Predator, traces of which have been detected in Serbia through active monitoring infrastructure. Publicly available indicators of compromise (IOCs), which largely consist of domain names used to target devices globally, include several linked to Serbian customers. In a dataset of over 600 Predator-associated domains, seven were found to be relevant to Serbia – six of which were registered with a domain hosting provider based in the country. While this alone does not definitively confirm the existence of Serbian Predator clients, the domain names and hosting patterns suggest a strong likelihood of targeting activities linked to Serbia. 

Pegasus, the spyware developed by NSO Group, is widely known for being used to target dissidents, CSOs, and opposition figures worldwide. Public reports documenting known Pegasus indicators of compromise list various domains and email addresses used in targeting operations. Unlike Predator, however, Pegasus-related infrastructure does not appear to include domains explicitly linked to Serbia. Previous research also suggests that Pegasus campaigns rely more heavily on email-based attack vectors, indicating a different deployment strategy.

NoviSpy is the most recent and, notably, the only domestically developed spyware known to be used by Serbian government agencies. Unlike Predator and Pegasus, which can be deployed remotely, NoviSpy requires physical access to the target device for installation. According to reports, this has been done using the Cellebrite UFED forensic suite. One high-profile case believed to involve NoviSpy is that of police general Slobodan Malešić, who was placed under surveillance prior to his arrest in 2022. According to his own account, his phone was briefly out of his possession only once – when he was required to leave it in a wooden box before a meeting with the Minister of Interior in November of 2021.  

Given the public account of Malešić’s mobile surveillance and what is known about NoviSpy’s operational methods, it is plausible that the tool was used to monitor his device.  

As part of this investigation, we analyzed two mobile devices belonging to individuals who suspected their phones had been tampered with. To detect traces of malicious software, we performed data extraction and analysis using digital forensic tools designed to identify known malware through public indicators of compromise, including Mobile Verification Toolkit and AndroidQF. The analysis produced positive results indicating that Cellebrite UFED had been used on both devices. Additionally, the second device showed clear signs of NoviSpy infection. Through examination of system logs and installed applications, we identified two executables linked to NoviSpy: com.serv.services and com.accesibilityservice, corresponding to what are known as NoviSpy Admin and NoviSpy Access, respectively.  
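A minimal version of the installed-application check described above, as an added example that is not part of the original investigation and is not MVT or AndroidQF code. It assumes the listing was collected as `pm list packages -f` output and matches only the two package names reported here; the sample listing is constructed.

```python
# Added example: match an Android package listing against the two package
# names this article reports. Function names and sample data are illustrative.

# Package names as written in the paragraph above; labels are the article's.
NOVISPY_PACKAGES = {
    "com.serv.services": "NoviSpy Admin",
    "com.accesibilityservice": "NoviSpy Access",
}

def parse_pm_list(output):
    """Parse `pm list packages [-f]` output into {package_name: apk_path or None}."""
    packages = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue  # skip warnings and blank lines
        body = line[len("package:"):]
        # With -f the form is <apk path>=<name>; install paths on recent
        # Android versions contain '=' themselves, so split on the last one.
        if "=" in body:
            path, name = body.rsplit("=", 1)
        else:
            path, name = None, body
        packages[name] = path
    return packages

def find_novispy(output):
    """Return sorted (package, label, apk_path) tuples for exact name matches."""
    installed = parse_pm_list(output)
    return sorted(
        (name, label, installed[name])
        for name, label in NOVISPY_PACKAGES.items()
        if name in installed
    )

# Constructed sample listing (not taken from any analyzed device).
SAMPLE = """\
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/data/app/~~Qm9ndXM=/com.serv.services-c2FtcGxl==/base.apk=com.serv.services
package:/data/app/~~RXhhbXBsZQ==/com.accesibilityservice-dGVzdA==/base.apk=com.accesibilityservice
package:/data/app/~~TGVnaXQ=/com.example.services-bGVnaXQ=/base.apk=com.example.services
package:com.example.notes
"""

if __name__ == "__main__":
    for name, label, path in find_novispy(SAMPLE):
        print(f"MATCH {name} ({label}) at {path}")
```

An exact package-name match is only one indicator: a clean result here does not rule out infection, which is why the investigation also examined system logs.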

The primary component of the spyware, NoviSpy Access, included several modules: database, filesystem access, handler and listener routines, media collection, network communication, utility and program configuration, and the main execution module. Initial analysis revealed that many of the declared variable values were hardcoded, providing additional insight – including IP addresses used for backend communication with control servers.

One particularly noteworthy component of the spyware was the media package within the com.accessibilityservice project. This package contains Java (Kotlin-based) classes responsible for functionalities such as MP3 audio recording, voice activity detection (VAD), and camera access. The classes SpeechRecorder, MP3VADRecorder, and MP3Recorder all extend an abstract class called AudioRecorder, which defines basic methods such as open(), start(), and stop().

While CameraManager was not part of the AudioRecorder class hierarchy, it could covertly control camera activity. Both CameraManager and RecordingController operated partially independently from the main audio recording structure. Based on the implemented classes and methods, the media package appeared to be primarily focused on microphone access and control – including the covert activation of the microphone and continuous audio recording on the device.

In addition to recording audio, accessing the camera, and taking screenshots, the spyware was capable of traversing the file system, collecting and exfiltrating files, sending messages to a backend server, accessing GPS location data, and gathering a range of personal information. This includes SMS messages, contact lists, application data, browsing history, and detailed device metadata – with the potential for even broader surveillance functionality.

The spyware’s encryption mechanisms were also defined in the source code. An abstract class named CryptoProvider included a subclass that implements AES encryption. Notably, the AES block cipher appeared to be implemented from scratch, rather than relying on standard cryptographic libraries.  

The com.serv.services component, or NoviSpy Admin, functioned as the spyware’s backend controller. It processed commands and coordinated data collection from the infected device. The module included numerous classes responsible for initiating processes, logging activity, and collecting various types of data.

While the methods of spyware deployment in Serbia have evolved over time, the use of surveillance technology by state agencies appears more widespread than ever. Government actors increasingly target individuals they perceive as threats, and recent trends suggest a shift toward more aggressive, visible tactics. Rather than relying on costly, sophisticated tools, agencies now appear to favor simpler and cheaper alternatives. This shift also signals a broader move from targeted to mass surveillance, with NoviSpy serving as a key indicator of that trajectory. Although currently limited to physical deployment, it may only be a matter of time before a new NoviSpy-like tool emerges – one capable of remote infection – posing serious risks to privacy, civil liberties, and human rights in Serbia.
