
NoviSpy Exposed: Tracing Government-Linked Surveillance in Serbia

Unpacking the tools, tactics, and implications of Serbia’s NoviSpy operation

By: David Stevanović

In an age of growing digital threats, the protection of personal data has become more urgent than ever. Recent research has uncovered a previously undocumented Android spyware, now known as NoviSpy, which appears to be part of a troubling trend: the use of invasive mobile applications by local government actors to monitor individuals of interest. This blog post offers an overview of the findings on NoviSpy, examining its technical design, operational functionality, and the broader implications for cybersecurity and digital rights. 

NoviSpy is the moniker of a recently discovered Android spyware linked to Serbian government agencies and used to surveil journalists, activists, and civil society members. The spyware was typically installed after a person’s phone was confiscated – either during arrest or when temporarily handed over prior to police questioning – with the help of a forensic tool produced by Cellebrite. The investigation began when an individual suspected their phone was compromised. A forensic analysis using tools such as the Mobile Verification Toolkit and Androidqf confirmed the presence of NoviSpy. Although active deployment appears to have ceased following its exposure, the case raises ongoing concerns about targeted surveillance and digital security.

NoviSpy operated through two main components:

  • com.serv.services, referred to as NoviSpyAdmin, and
  • com.accesibilityservice, referred to as NoviSpyAccess.

These components worked in tandem to extract sensitive data from the device and to monitor nearly every aspect of the user’s activity.

NoviSpyAdmin relied on extensive system permissions – most notably the Device Admin privilege, from which it derives its name – to collect sensitive data. This included access to contacts, SMS messages, call logs, audio recordings, and even live phone call monitoring. It communicated with a remote server using FTP (File Transfer Protocol) and also responded to SMS-based commands. To secure the data in transit, NoviSpyAdmin used AES (Advanced Encryption Standard), a symmetric encryption method. However, the encryption key was hardcoded into the application, exposing a critical vulnerability and reflecting poor security design: anyone who recovers the key from the APK can decrypt the exfiltrated data. Additionally, Serbian-language strings were found in the source code, further supporting the theory that NoviSpy was developed locally.

More sophisticated than its counterpart, NoviSpyAccess was named for its exploitation of Android’s accessibility services – features intended to support users with disabilities – to gain near-total control over the device. With these permissions, it could capture screenshots, record from the camera, read notifications, track the user’s location, and exfiltrate all collected data to a remote server.

The application also included several advanced features to enhance monitoring and evade detection. It used the Tor network to anonymize its communications and ADB (Android Debug Bridge) to execute shell commands remotely. Additionally, it employed a custom implementation of AES encryption to secure the data before transmission, further obscuring its presence and complicating forensic analysis.
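The two components leave footprints a responder can check for over ADB: the package names named above, an enabled accessibility service, and a registered device administrator. The following Python triage helper is an added example, not code from the article or from the research teams it cites. It parses the output of three real ADB commands (`adb shell pm list packages`, `adb shell settings get secure enabled_accessibility_services`, `adb shell dumpsys device_policy`); the sample outputs embedded below are constructed for the demo, and the allow lists of known-good services are illustrative assumptions rather than anything the article states.

```python
"""Triage helper for signs of the two NoviSpy components described above.

Added example, not code from the original article or from any of the
research teams it cites.  It checks three things a responder can pull
from a handset over ADB:
  * the installed package list     (adb shell pm list packages)
  * the enabled accessibility services
        (adb shell settings get secure enabled_accessibility_services)
  * the active device administrators (adb shell dumpsys device_policy)
The sample outputs below are constructed for the demo; only the two
package names come from the article.
"""
import re

# Package names reported for the two components (from the article).
NOVISPY_PACKAGES = {
    "com.serv.services": "NoviSpyAdmin",
    "com.accesibilityservice": "NoviSpyAccess",
}

# Accessibility services / device admins a responder has reviewed and
# accepts on this handset.  Assumption for the demo: the allow list is
# maintained per organisation; the entries here are illustrative.
KNOWN_GOOD_ACCESSIBILITY = {"com.android.talkback"}
KNOWN_GOOD_DEVICE_ADMINS = {"com.android.managedprovisioning"}


def parse_package_list(text):
    """Parse `pm list packages` output ("package:com.example") into a set."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def parse_accessibility_services(text):
    """Parse the colon-separated `enabled_accessibility_services` value.
    Each entry is package/ServiceClass; only the package part is kept."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def parse_device_admins(text):
    """Pull admin package names out of `dumpsys device_policy` output.
    Admin entries look like '    com.example/.AdminReceiver:'."""
    return set(re.findall(r"^\s+([\w.]+)/[\w.$]+:", text, re.MULTILINE))


def triage(packages_out, accessibility_out, device_policy_out):
    """Return a list of (severity, finding) tuples, worst first."""
    packages = parse_package_list(packages_out)
    a11y = parse_accessibility_services(accessibility_out)
    admins = parse_device_admins(device_policy_out)
    findings = []
    for pkg in sorted(packages & NOVISPY_PACKAGES.keys()):
        findings.append(("high", f"{pkg} installed ({NOVISPY_PACKAGES[pkg]})"))
    for pkg in sorted(a11y - KNOWN_GOOD_ACCESSIBILITY):
        findings.append(("medium", f"unreviewed accessibility service: {pkg}"))
    for pkg in sorted(admins - KNOWN_GOOD_DEVICE_ADMINS):
        findings.append(("medium", f"unreviewed device admin: {pkg}"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample outputs (not captured from a real device).
SAMPLE_PACKAGES = """package:com.android.settings
package:com.serv.services
package:com.accesibilityservice
package:com.android.talkback
"""
SAMPLE_A11Y = "com.android.talkback/.TalkBackService:com.accesibilityservice/.MainService"
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.managedprovisioning/.DeviceAdminReceiver:
      uid=10011
    com.serv.services/.AdminReceiver:
      uid=10242
"""

if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_PACKAGES, SAMPLE_A11Y, SAMPLE_DEVICE_POLICY):
        print(f"[{severity}] {finding}")
```

The package-name match is the strong signal; the two "medium" checks are there because a renamed build would keep needing the same Device Admin and accessibility-service footholds, so an unreviewed entry in either list is worth a closer look even when no known package name is present.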

The research uncovered several critical aspects of both NoviSpyAdmin and NoviSpyAccess:

  1. Difference in complexity

NoviSpyAdmin employed relatively simple methods for data extraction, making it more limited in scope. In contrast, NoviSpyAccess demonstrated a far more advanced architecture, reflecting its broader and more invasive functionalities. 

  2. Hard-coded credentials

Both components contained hard-coded values – including encryption keys, usernames, IP addresses, and other configuration parameters – used to facilitate their operation. While this design choice enabled quick deployment and potential mass compromise of devices, it also introduced significant security flaws, making the spyware easier to detect, reverse-engineer, and analyze.
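Hard-coded configuration is exactly what makes static review productive: literal IP addresses, FTP URLs with embedded logins, and hex-encoded keys survive as plain strings in the compiled code. The Python sweep below is an added example, not the article's or any researcher's code. It treats an APK as the zip archive it is, pulls printable-string runs out of every `.dex` entry, and reports matches for those indicator patterns. The archive it scans is constructed in memory with a fake `classes.dex`, and every indicator value in it is an invented placeholder, not an actual NoviSpy artefact.

```python
"""Static string sweep for the kind of hard-coded configuration the
article describes (IP addresses, FTP login material, key-like literals).

Added example, not the original article's or any researcher's code.  A real
APK is a zip archive whose compiled code lives in classes.dex; the sample
archive built below is constructed in memory with a fake classes.dex entry
so the demo runs offline.  The indicator values in it are invented.
"""
import io
import re
import zipfile

# Printable ASCII runs of 6+ characters, like the `strings` tool reports.
_STRING_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Indicator patterns that hard-coded configuration tends to leave behind.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ftp_url": re.compile(r"ftp://\S+", re.IGNORECASE),
    "hex_key_like": re.compile(r"\b[0-9a-fA-F]{32}\b"),  # 16-byte AES key as hex
}


def extract_strings(data):
    """Yield printable ASCII runs from raw bytes."""
    for m in _STRING_RUN.finditer(data):
        yield m.group().decode("ascii")


def sweep_apk(apk_bytes):
    """Return {category: sorted list of matches} across every .dex entry."""
    hits = {name: set() for name in PATTERNS}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".dex"):
                continue
            for s in extract_strings(zf.read(info)):
                for name, pat in PATTERNS.items():
                    hits[name].update(pat.findall(s))
    return {name: sorted(v) for name, v in hits.items()}


def build_sample_apk():
    """Constructed stand-in for an APK: a zip with a fake classes.dex.
    The FTP login, address (TEST-NET-3) and key are placeholders."""
    fake_dex = (b"dex\n035\x00" + b"\x00" * 16
                + b"ftp://collector:PLACEHOLDER@203.0.113.10/inbox\x00"
                + b"00112233445566778899aabbccddeeff\x00"
                + b"\x01\x02short\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", fake_dex)
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


if __name__ == "__main__":
    for category, matches in sweep_apk(build_sample_apk()).items():
        print(f"{category}: {matches}")
```

Run against a real sample, replace `build_sample_apk()` with the bytes of the APK under analysis; the hits are triage leads for a human reviewer, not a verdict, since legitimate apps also embed addresses and hex literals.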

  3. Network infrastructure tied to the state

Analysis of the IP addresses used by NoviSpy revealed links to state-operated internet service providers such as Telekom Srbija, as well as to infrastructure associated with government agencies, including the Security Information Agency (BIA). Combined with the use of state-affiliated forensic tools during phone extractions, these connections strongly indicate direct government involvement in the spyware’s deployment.

The investigation into NoviSpy highlights the evolving nature of spyware threats in modern mobile environments. While the NoviSpyAdmin application represents a more traditional approach to data exfiltration and monitoring, NoviSpyAccess reveals the dangerous potential of sophisticated, multi-layered spyware capable of seizing full control over a device.

For everyday users, this serves as a critical reminder to:

  • Stay informed about emerging digital threats 
  • Use security tools and applications that provide layered protection
  • Advocate for stronger privacy regulations to safeguard against invasive technologies

As technology continues to evolve, so must our efforts to protect personal data from increasingly sophisticated threats like NoviSpy.
