Revealing NoviSpy: Technical Analysis of a Serbian Android Spyware

How forced-root installation, systematic permission abuse, and stealth SMS command-and-control expose Serbia’s expanding digital repression

By: Janko Marković

In recent years, state-driven surveillance in Serbia has intensified considerably, evolving from sporadic interventions into a more systematic form of digital repression. Within this troubling landscape, NoviSpy has emerged as a custom-built Android spyware, reportedly engineered to exploit vulnerabilities in Android systems and enable sustained data harvesting. The public first became aware of NoviSpy following Amnesty International’s report in December 2024, which revealed its use in the targeted state surveillance of Serbian journalists and activists. Building on those revelations, this in-depth analysis examines NoviSpy’s technical makeup, infection vectors, complex persistence mechanisms, and broader surveillance implications, as documented through detailed forensic and static analysis.

Android’s core security architecture is built on a Linux kernel that employs robust sandboxing techniques to isolate applications and control their access to system resources. Each Android app is assigned a unique User ID (UID), which ensures strict separation of data and prevents unauthorized cross-app access. This model significantly enhances user privacy and system security by restricting illegitimate interactions between apps.

Despite Android’s robust security architecture, attackers have leveraged physical access and external forensic tools to compromise targeted devices. During police detentions, tools such as Cellebrite UFED are used to bypass lock-screen protections and perform forced rooting. This privilege escalation enables the installation of NoviSpy, granting it root-level access and unrestricted control over the system.

NoviSpy consists of two tightly interlinked Android applications: NoviSpyAdmin (com.serv.services) and NoviSpyAccess (com.accesibilityservice). Each serves a distinct but complementary function, together forming a targeted surveillance toolset designed to operate with elevated system privileges. 

The NoviSpyAdmin component requests extensive permissions through the AndroidManifest.xml file, exploiting them to enable broad and intrusive device surveillance. It abuses Android’s BroadcastReceiver mechanisms to intercept and redirect SMS messages in real time, forwarding selected communications from the user’s inbox without their knowledge. The app extracts detailed call history from Android’s CallLog content providers and uses the MediaRecorder API to record audio covertly. Additionally, it employs PowerManager.PARTIAL_WAKE_LOCK to maintain background CPU activity, allowing continuous audio capture without any user notification.

In addition, the NoviSpyAdmin component employs continuous location tracking by interfacing directly with Android’s LocationManager. It subscribes to location updates from both GPS and network-based sources, enabling accurate real-time monitoring of the user’s movements.

Notably, NoviSpyAdmin maintains persistence by abusing Android’s Device Administrator API. By requesting and obtaining device administrator privileges, as declared in its manifest, NoviSpyAdmin gains elevated permissions that make removal through standard user actions difficult. It also registers a receiver for the BOOT_COMPLETED broadcast intent, allowing it to relaunch automatically after the device is restarted.

The NoviSpyAccess component exploits Android’s AccessibilityService API, a framework originally intended to assist users with disabilities, in order to enable extensive and intrusive monitoring of user activity.

This component uses generic shell instructions (e.g., screencap -p) to periodically capture screenshots of user interfaces, enabling ongoing surveillance of sensitive content such as  private conversations and messaging app activity (e.g., WhatsApp, Viber). NoviSpyAccess also exerts covert control over the device’s cameras, remotely activating them to capture images and videos, which are then exfiltrated – encrypted and transmitted – without the user’s knowledge.

In addition, NoviSpyAccess leverages Android’s real-time location services,  combining GPS and network-based signals to maintain continuous geolocation tracking. This allows for persistent monitoring of user movements, even across varied physical environments or signal conditions.

NoviSpyAccess reinforces its persistence by attempting to automatically re-enable Accessibility privileges after each device reboot, ensuring continued spyware functionality without requiring the user interaction.

Detailed static analysis of NoviSpy’s command-and-control infrastructure reveals a complex and well-organized communication network involving servers based in Serbia. These servers facilitate continuous and secure data exfiltration and enable reliable remote command and control of the infected devices.

One of the most critical features of NoviSpy is its built-in SMS-based command-and-control system. Instead of relying on a constant internet connection, attackers can remotely manage the spyware in real time by sending specially crafted SMS commands. These commands can toggle audio recording, configure data exfiltration intervals, trigger stealthy screenshots, and activate the device’s camera. This offline-capable control channel enhances both the operational stealth and resilience of the spyware in unreliable or restricted network environments.

NoviSpy employs a set of features designed to ensure long-term presence and covert operation across various environments.

Device Administrator Rights: By exploiting Android’s Device Administration API, NoviSpy acquires elevated system privileges that make it resistant to standard user-initiated uninstallation. These permissions allow it to retain control over critical device functions, enabling its automatic restart after a system reboot.

Accessibility Service Misuse: Continuous surveillance is supported by tactics aimed at regaining AccessibilityService privileges after device restarts or user reactivation. These methods enable NoviSpyAccess to maintain functionality while bypassing standard user security safeguards.

Persistent Foreground and Background Services: NoviSpy leverages Android’s Service.START_STICKY flag to sustain its background operations. This mechanism allows the spyware to  resume automatically after interruptions such as low-memory termination or forced app closures.

System Broadcast Receivers: By registering receivers for critical system events such as BOOT_COMPLETED and connectivity changes, NoviSpy ensures it can react immediately upon device startup or network reconnection, enabling continuous operation without requiring user interaction.

Taken together, NoviSpy’s capabilities reveal critical weaknesses in Android’s security architecture, particularly in the areas of permission abuse and persistence. Its layered control mechanisms and deep integration with core Android services pose significant risks to user privacy, civil liberties, and overall digital security. The spyware’s extensive data collection, embedded  within standard Android modules, presents serious challenges for contemporary cybersecurity practices and detection mechanisms.

Given NoviSpy’s and similar spyware strong persistence mechanisms and wide-ranging surveillance capabilities, we emphasize standard prevention protocols:

• Regular security updates: Keeping devices up to date with the latest security patches is  vital for reducing vulnerabilities commonly exploited by spyware.
• Use of forensic monitoring tools: Periodic scans using advanced tools such as Mobile Verification Toolkit (MVT) can help detect spyware activity early and support incident response.
• Strict permission management: Limiting high-risk permissions, particularly AccessibilityService and Device Administrator access, can significantly hinder spyware from gaining persistence or conducting intrusive surveillance.
• User awareness and training: Promoting user education to recognize signs of compromise, understand permission abuse, and adopt routine device hygiene practices is critical to reducing spyware risks and improving overall cybersecurity posture.

NoviSpy exemplifies the evolving threat posed by targeted spyware and the vulnerabilities within Android’s security architecture. Its methods highlight the urgent need for technical countermeasures, forensic capabilities, and stronger safeguards at both the system and policy levels. Addressing these challenges requires a coordinated response – combining robust cybersecurity practices, user education, and enforceable regulatory standards – to protect individual rights and ensure the integrity of mobile digital environments.