
Spyware’s First Step: A Systematic Analysis of Exploits Used for Mobile Device Compromise

How forensic analysis uncovered manipulation, exploitation, and the hidden risks behind one of digital forensics’ most powerful tools

By: Boris Babović

A re-examination of data from the analysis of devices seized from Serbian activists — originally conducted last year by the international organization Amnesty International — reveals that the Cellebrite UFED forensic tool has the capability to selectively delete its own logs or evade logging altogether. This potential manipulation undermines the integrity of the data extraction process and raises serious concerns about the admissibility of such evidence in legal proceedings.

In its December 2024 report, Amnesty International documented a forensic analysis of mobile devices belonging to activists, journalists, and civil society members in Serbia. During their detention by the police or the Security Information Agency, the devices were infected with low-grade spyware (NoviSpy), but access to the devices and extraction of their data were carried out using UFED, an advanced digital forensics tool developed by the Israeli company Cellebrite. This tool is used in criminal investigations worldwide and was provided to Serbian law enforcement as a donation from the Norwegian Ministry of Foreign Affairs.

For the purposes of this research, data from the infected phones analyzed by Amnesty was re-examined in order to better understand how this advanced forensic technology operates. The focus was specifically on the traces left behind by Cellebrite UFED, and whether its activity can be reliably detected after device security has been breached.

The analysis revealed clear indicators of device exploitation. Log data showed unauthorized modifications to Android Debug Bridge (ADB) and system security settings — evidence of privilege escalation. These changes closely match patterns previously documented by Amnesty International, suggesting the use of an exploit chain capable of bypassing the standard security mechanisms of the Android operating system.

One particularly notable forensic artifact was a binary file identified as Falcon. Although its exact function remains unclear, its presence aligns with previous findings from Amnesty’s report, which hypothesized that Falcon may be used either to deploy a payload or to establish persistent access. However, in the absence of publicly documented cases involving Falcon in other forensic investigations, any conclusions regarding its actual role remain speculative and must be treated with caution.

The next key point of interest was the selective absence of USB exploitation traces. In earlier cases documented by Amnesty, rogue USB devices were used to exploit kernel-level vulnerabilities on Android devices — an approach that typically leaves clear USB enumeration logs. In this case, however, no such logs were found.

What makes this absence particularly significant is the fact that the surrounding system logs remained intact, indicating that the missing logs were not the result of a general logging failure. On the contrary, the evidence points to either selective log deletion or deliberate avoidance of logging during the exploitation process. This suggests that Cellebrite’s methods not only successfully bypass device security measures but also actively obscure traces immediately after the compromise.

Further analysis raised deeper concerns. Several independent studies have identified multiple critical vulnerabilities in UFED, including the use of hardcoded RSA keys and static cryptographic material. These weaknesses potentially allow forensic data that has been extracted to be reaccessed or modified, thereby compromising the integrity of the evidence and breaking the chain of custody.

A detailed timeline analysis of the compromised device revealed events such as APK installation attempts, file system modifications, and device reboots — all of which closely aligned with the sequence described in earlier reports by Amnesty International regarding UFED-based device exploitation. Although the logs contained no direct references to Cellebrite, the alignment of these events strongly suggests the use of the same or a very similar exploit chain.
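To make the reasoning in the two passages above concrete (the selective absence of USB enumeration entries while surrounding logs stay intact, and the timeline of settings changes, install attempts and reboots), here is an added Python example that is not from the article, Amnesty International, MVT or AndroidQF. It runs over a constructed, simplified log whose line format, marker patterns and placeholder names are assumptions, and classifies the exploitation window as selective absence, general logging gap, or USB enumeration present.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified sample log (an assumption, not real Android output).
SAMPLE_LOG = """\
2024-03-01 09:58:00 kernel: usb 1-1: new high-speed USB device number 2
2024-03-01 10:01:10 settings: adb_enabled changed 0 -> 1
2024-03-01 10:01:11 system: battery level 74
2024-03-01 10:01:30 pm: install attempt pkg=PLACEHOLDER_PACKAGE
2024-03-01 10:02:05 fs: modified /data/local/tmp/PLACEHOLDER_FILE
2024-03-01 10:02:40 system: wifi scan complete
2024-03-01 10:03:00 kernel: reboot requested
2024-03-01 10:05:00 kernel: usb 1-1: new high-speed USB device number 3
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+): (.*)$")
# Events the article ties to the exploitation sequence (assumed wording).
MARKER_RE = re.compile(r"adb_enabled|install attempt|modified /data|reboot requested")
USB_ENUM_RE = re.compile(r"new .*USB device number", re.IGNORECASE)  # USB enumeration

def parse(log):
    # Turn log text into (timestamp, source, message) tuples.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def exploitation_window(events, lead=timedelta(minutes=1)):
    """Span from `lead` before the first marker to the last marker, or None."""
    marks = [ts for ts, _, msg in events if MARKER_RE.search(msg)]
    return (min(marks) - lead, max(marks)) if marks else None

def classify_window(events):
    """Describe what logging survived inside the exploitation window."""
    window = exploitation_window(events)
    if window is None:
        return "no_exploitation_markers"
    start, end = window
    inside = [msg for ts, _, msg in events if start <= ts <= end]
    usb = [msg for msg in inside if USB_ENUM_RE.search(msg)]
    routine = [msg for msg in inside
               if not MARKER_RE.search(msg) and not USB_ENUM_RE.search(msg)]
    if usb:
        return "usb_enumeration_present"
    # Routine entries survived but USB enumeration did not: the article reads
    # this as selective deletion or avoided logging, not a general failure.
    return "selective_absence" if routine else "general_logging_gap"
```

Against the constructed sample the window is classified as "selective_absence"; stripping the routine "system:" lines from the same window turns the verdict into "general_logging_gap", which is the distinction the article draws.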

Tampering with forensic logs may be the most consequential finding of this research. When a forensic tool is capable of deleting or selectively altering records of its own activity, the integrity and transparency of the entire data extraction process are seriously compromised. Such manipulation undermines the reliability of subsequent incident analysis and raises serious concerns about the admissibility of evidence in legal proceedings.

If logging mechanisms can be bypassed or falsified during an investigation, the evidence gathered under such conditions may be challenged or excluded from court. This not only diminishes the evidentiary value of data extracted using Cellebrite UFED, but also calls into question the overall credibility of the tool and its suitability for use in forensic contexts.

The research focused on analyzing system logs from an Android device suspected of being compromised. The primary objective was to determine whether Cellebrite UFED had been used to forcibly access the device and, if so, to reconstruct the sequence of the exploitation process. Forensic data was collected using the Mobile Verification Toolkit (MVT) and Android Quick Forensics (AndroidQF), while additional insights were obtained through ADB commands used to monitor real-time system messages and service states. The findings were then systematically compared against MITRE ATT&CK tactics and cross-verified using relevant vulnerability databases, including CVE and ExploitDB. Particular attention was given to confirming observed patterns in light of Amnesty International’s reporting on UFED activity in Serbia.

Cellebrite UFED has proven to be not merely a tool for bypassing encryption, but an integral part of a sophisticated and adaptive exploitation framework. Its ability to selectively insert or remove forensic traces raises serious concerns about the integrity and reliability of evidence obtained through its use.

For digital forensics to retain its legitimacy as a scientific discipline grounded in objectivity and trust, advanced technical capabilities alone are not sufficient. Transparency, independent oversight, and verifiable extraction methods are essential prerequisites for the use of forensic tools in contexts where evidentiary integrity and legal accountability are of critical importance. After verifying Amnesty’s finding that UFED had been misused to unlawfully access and infect the devices of activists and journalists, Cellebrite announced that it would suspend its services to clients in Serbia. A serious discussion on the ethical and legal implications of oversight and responsibility in the field of digital forensics has yet to begin.
