Researchers have uncovered a new spyware called NoviSpy, linked to the Serbian government. The spyware exploits Qualcomm’s zero-day vulnerabilities to infiltrate Android devices. Amnesty International’s Security Lab discovered the spyware deployed against journalists, activists, and dissidents following reports of suspicious phone activity.
One critical flaw, CVE-2024-43047, was flagged as an actively exploited zero-day by Google Project Zero in October 2024. Amnesty’s investigation revealed that Serbian authorities allegedly used Cellebrite tools to unlock phones physically, exploiting Qualcomm vulnerabilities to install NoviSpy at the kernel level, enabling persistent surveillance.
Key findings include the following:
- Exploitation Chain: Evidence suggests that zero-click attacks can compromise devices using Android calling features like VoLTE and Wi-Fi calling.
- Targeted Individuals: Journalists, NGO members, and activists were among the spyware’s victims, and forensic analysis suggests dozens to hundreds of compromised devices.
- Unpatched Vulnerabilities: Google identified six flaws in Qualcomm’s adsprpc driver, including critical privilege escalation and memory corruption vulnerabilities. While most were patched, CVE-2024-49848 remains unaddressed.
Qualcomm confirmed fixes for several issues, released as part of updates in September 2024, but acknowledged delays in addressing some vulnerabilities. A patch for CVE-2024-49848 is expected in January 2025.
Amnesty International emphasized the profound implications for human rights, with NoviSpy exemplifying how surveillance tools can undermine civil liberties and freedom of expression.
