
NoviSpy Exposed: Tracing Government-Linked Surveillance in Serbia
Unpacking the tools, tactics, and implications of Serbia’s NoviSpy operation
By: David Stevanović
In an age of growing digital threats, the protection of personal data has become more urgent than ever. Recent research has uncovered a previously undocumented Android spyware, now known as NoviSpy, which fits a troubling pattern: the use of invasive mobile applications by state actors to monitor individuals of interest. This blog post offers an overview of the findings on NoviSpy, examining its technical design, operational functionality, and the broader implications for cybersecurity and digital rights.
NoviSpy is the moniker of a recently discovered Android spyware linked to Serbian government agencies and used to surveil journalists, activists and civil society members. It was typically installed after a person’s phone had been confiscated (during an arrest, or when handed over temporarily before police questioning) with the help of a forensic extraction tool made by Cellebrite. The investigation began when one individual suspected their phone had been tampered with; a forensic analysis with tools such as the Mobile Verification Toolkit (MVT) and androidqf confirmed the presence of NoviSpy. Although active deployment appears to have ceased following its exposure, the case raises ongoing concerns about targeted surveillance and digital security.
NoviSpy operated through two main components:
- com.serv.services, referred to as NoviSpyAdmin, and
- com.accesibilityservice, referred to as NoviSpyAccess.
These components worked in tandem to extract sensitive data from the device and to monitor nearly every aspect of the user’s activity.
NoviSpyAdmin relied on extensive system permissions, most notably the Device Admin privilege from which it takes its name, to collect sensitive data: contacts, SMS messages, call logs, audio recordings and even live phone calls. It uploaded what it collected to a remote server over FTP and accepted commands sent by SMS. The data was encrypted with AES, a symmetric cipher, before transmission, but the key was hard-coded into the application, so anyone who extracts the APK can recover the key and decrypt captured uploads, which is a weakness from the operator’s point of view and a convenience for analysts. Serbian-language strings in the code further support the theory that NoviSpy was developed locally.
More sophisticated than its counterpart, NoviSpyAccess was named for its abuse of Android’s accessibility services, features intended to support users with disabilities that let an app read what is on screen and act on the user’s behalf (which is why Android warns before one is enabled). With that access it could capture screenshots, record from the camera, read notifications, track the user’s location and exfiltrate everything it collected to a remote server.
The application also had several features intended to extend monitoring and evade detection. It routed its communications through the Tor network to hide where the data was going, and used ADB (Android Debug Bridge) to execute shell commands remotely. It also carried a custom implementation of AES for encrypting data before transmission, which complicates analysis of any captured traffic.
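The two components described above leave footprints that can be checked for: the two package names, a third-party app holding Device Admin, an accessibility service the owner did not enable, and USB debugging left on. The Python script below is an added illustration, not code from this post or from the original researchers, of how such a triage can be scripted over the text output of a few adb commands (`pm list packages -3`, `settings get secure enabled_accessibility_services`, `dumpsys device_policy`, `settings get global adb_enabled`). The device output embedded in it is constructed for the example, the component class names after the `/` are placeholders, and the accessibility allowlist is a hypothetical per-device choice; MVT's `check-adb` is the tool that does this properly on a real device.

```python
import re
from dataclasses import dataclass

# Package names reported for the two NoviSpy components (see the post above).
NOVISPY_PACKAGES = {
    "com.serv.services": "NoviSpyAdmin",
    "com.accesibilityservice": "NoviSpyAccess",
}

# Hypothetical per-device allowlist: accessibility services the owner actually
# uses. Any other enabled third-party service is surfaced for manual review.
EXPECTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}

# Pulls "package/Component" pairs out of dumpsys text. The surrounding layout
# of `dumpsys device_policy` varies between Android releases, so only the
# component references are extracted rather than the whole structure.
COMPONENT_RE = re.compile(r"\b([a-z][a-z0-9_]*(?:\.[a-z0-9_]+)+)/([\w.$]+)")


@dataclass
class Finding:
    severity: str  # "high" for a known indicator, "medium" for a suspicious state
    detail: str


def parse_package_list(output: str) -> set:
    """`adb shell pm list packages -3` prints one 'package:<name>' per line."""
    return {line.split(":", 1)[1].strip()
            for line in output.splitlines() if line.startswith("package:")}


def parse_accessibility_services(output: str) -> set:
    """`adb shell settings get secure enabled_accessibility_services` prints a
    colon-separated list of 'package/ServiceClass', or 'null' when nothing is
    enabled. Returns the package names only."""
    value = output.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_device_admins(output: str) -> set:
    """Package names of device-admin receivers in a `dumpsys device_policy` dump."""
    return {m.group(1) for m in COMPONENT_RE.finditer(output)}


def triage(pkg_output: str, accessibility_output: str,
           admin_output: str, adb_enabled_output: str) -> list:
    """Combine the four command outputs into an ordered list of findings."""
    findings = []
    third_party = parse_package_list(pkg_output)

    # 1. Known indicators of compromise: the two package names.
    for pkg, alias in NOVISPY_PACKAGES.items():
        if pkg in third_party:
            findings.append(Finding("high", f"known NoviSpy package installed: {pkg} ({alias})"))

    # 2. Device Admin held by a third-party app (how NoviSpyAdmin kept its grip).
    for pkg in sorted(parse_device_admins(admin_output) & third_party):
        findings.append(Finding("medium", f"third-party app holds Device Admin: {pkg}"))

    # 3. Enabled accessibility service from an unexpected third-party app
    #    (the capability NoviSpyAccess abused).
    enabled = parse_accessibility_services(accessibility_output)
    for pkg in sorted((enabled & third_party) - EXPECTED_ACCESSIBILITY):
        findings.append(Finding("medium", f"unexpected accessibility service enabled: {pkg}"))

    # 4. USB debugging left on widens what someone holding the device can do.
    if adb_enabled_output.strip() == "1":
        findings.append(Finding("medium", "USB debugging (adb_enabled) is switched on"))

    return findings


# Constructed sample outputs standing in for a real device; the class names
# after the '/' are placeholders, not NoviSpy's actual components.
SAMPLE_PACKAGES = """package:com.serv.services
package:com.accesibilityservice
package:com.google.android.marvin.talkback
package:org.example.notes
"""
SAMPLE_ACCESSIBILITY = ("com.accesibilityservice/.Service:"
                        "com.google.android.marvin.talkback/.TalkBackService\n")
SAMPLE_ADMINS = """Enabled Device Admins (User 0):
  com.serv.services/.AdminReceiver:
    uid=10123
"""
SAMPLE_ADB_ENABLED = "1\n"

if __name__ == "__main__":
    for f in triage(SAMPLE_PACKAGES, SAMPLE_ACCESSIBILITY, SAMPLE_ADMINS, SAMPLE_ADB_ENABLED):
        print(f"[{f.severity}] {f.detail}")
```

The known package names give a high-confidence hit, but they are only useful until the next build is renamed; the Device Admin and accessibility checks are what survive a rename, at the cost of needing a human to confirm that an unfamiliar service is not something the owner installed on purpose.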
The research uncovered several critical aspects of both NoviSpyAdmin and NoviSpyAccess:
- Difference in complexity
NoviSpyAdmin employed relatively simple methods for data extraction and was correspondingly limited in scope. NoviSpyAccess, in contrast, had a far more elaborate architecture, matching its broader and more invasive functionality.
- Hard-coded credentials
Both components contained hard-coded values, including encryption keys, usernames, IP addresses and other configuration parameters. This simplified deployment at scale, but it also made the spyware easier to detect, reverse-engineer and analyse: the same constants that configure the implant double as indicators of compromise, and a hard-coded key means captured traffic can be decrypted by anyone who has a copy of the APK.
- Network infrastructure tied to the state
Analysis of the IP addresses used by NoviSpy revealed links to the state-owned operator Telekom Srbija and to infrastructure associated with government agencies, including the Security Information Agency (BIA). Combined with the Cellebrite extractions performed while the phones were in police custody, these connections strongly indicate direct government involvement in the spyware’s deployment.
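The hard-coded credentials point above can be turned into a quick static check. The following Python script is an added illustration, not code from this post or from the original researchers: it scans a dump of string literals of the kind `strings` or a decompiler produces from an APK and pulls out IPv4 addresses, URLs with embedded credentials, Java cipher transformation strings such as `AES/CBC/PKCS5Padding`, and AES-sized, high-entropy literals that may be a key used directly as text. The sample strings, host, credentials and key are constructed for the example (203.0.113.0/24 is a documentation range) and are not NoviSpy’s real values.

```python
import math
import re

# Constructed sample of string literals of the kind a `strings` run or a
# decompiler turns up in an APK. Host, credentials and key are invented
# (203.0.113.0/24 is a documentation range); they are not NoviSpy's values.
SAMPLE_STRINGS = """\
AES/CBC/PKCS5Padding
q7Rt2pLx9aVb3KmZ
ftp://uploader:Sifra123@203.0.113.10/incoming
203.0.113.10
Dozvola odbijena
android.permission.READ_SMS
MainActivity
"""

IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# scheme://user:password@host  (credentials embedded in a URL literal)
URL_CRED_RE = re.compile(r"\b(ftps?|https?)://([^:/\s@]+):([^@\s]+)@([^/\s]+)")
# Java Cipher transformation strings such as "AES/CBC/PKCS5Padding"
CIPHER_RE = re.compile(r"\b(?:AES|DESede|DES|RSA)(?:/[A-Za-z0-9]+){0,2}\b")
KEY_LENGTHS = {16, 24, 32}  # AES-128/192/256 key sizes in bytes


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_key(s: str) -> bool:
    """Heuristic: AES-sized, no whitespace, mixes letters and digits, and has
    high entropy. It only catches a passphrase used directly as the key;
    keys stored as random bytes do not survive as printable strings."""
    return (len(s.encode()) in KEY_LENGTHS
            and not any(ch.isspace() for ch in s)
            and any(ch.isdigit() for ch in s)
            and any(ch.isalpha() for ch in s)
            and shannon_entropy(s) >= 3.5)


def extract_iocs(text: str) -> dict:
    """Walk the string dump line by line and bucket anything that looks like
    configuration an analyst would want to block, pivot on, or reuse."""
    iocs = {"ips": set(), "credentialed_urls": [], "cipher_specs": set(),
            "key_candidates": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        iocs["ips"].update(IPV4_RE.findall(line))
        for m in URL_CRED_RE.finditer(line):
            iocs["credentialed_urls"].append(
                {"scheme": m.group(1), "user": m.group(2),
                 "password": m.group(3), "host": m.group(4)})
        iocs["cipher_specs"].update(CIPHER_RE.findall(line))
        if looks_like_key(line):
            iocs["key_candidates"].append(line)
    return iocs


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_STRINGS).items():
        print(kind, values)
```

The whitespace and letter/digit filters in `looks_like_key` are there because ordinary UI text such as the 16-character Serbian string in the sample has enough entropy to pass a bare threshold; in practice the candidates still need confirming against the code that constructs the cipher, which is where a decompiler earns its keep.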
The investigation into NoviSpy highlights the evolving nature of spyware threats in modern mobile environments. While the NoviSpyAdmin application represents a more traditional approach to data exfiltration and monitoring, NoviSpyAccess shows the dangerous potential of sophisticated, multi-layered spyware capable of seizing full control of a device.
For everyday users, and especially for anyone whose phone has been out of their hands, this serves as a critical reminder to:
- Stay informed about emerging digital threats
- Treat a phone that was confiscated or handed over as possibly compromised, and have it checked with tools such as MVT or androidqf before trusting it again
- Review which apps hold Device Admin rights and which accessibility services are enabled, and remove any you do not recognise
- Use security tools and applications that provide layered protection
- Advocate for stronger privacy regulations to safeguard against invasive technologies
As technology continues to evolve, so must our efforts to protect personal data from increasingly sophisticated threats like NoviSpy.