Serbian Government Linked to NoviSpy Spyware Exploiting Qualcomm Zero-Day Vulnerabilities
December 16, 2024
The Serbian government has been accused of exploiting Qualcomm zero-day vulnerabilities to infect Android devices with a new spyware named 'NoviSpy,' which has been used to spy on activists, journalists, and protestors. The spyware was discovered by Amnesty International's Security Lab on the phone of a journalist after it was returned by the police. The phone had been behaving oddly, with the mobile data and Wi-Fi settings turned off, which prompted the journalist to contact Amnesty International's Security Lab.
The researchers subsequently provided Google's Threat Analysis Group (TAG) with exploit artifacts, which led to the discovery of flaws in Qualcomm's DSP (Digital Signal Processor) driver, the component used to offload multimedia processing to the DSP core. The evidence suggests that NoviSpy employs an exploit chain to bypass Android security mechanisms and install itself persistently at the kernel level.
Amnesty International reports that NoviSpy was deployed by the Serbian Security Information Agency (BIA) and the Serbian police after the devices were unlocked using the Cellebrite unlocking tools during physical custody. Forensic evidence on tampered devices suggests that Cellebrite exploited Qualcomm zero-days to unlock Android phones. The spyware communicated with servers on IP ranges tied directly to BIA. The targets of the spyware include journalists, human rights activists, and government dissidents.
Amnesty International believes that NoviSpy was installed on dozens, if not hundreds, of Android devices in Serbia over the last few years. The initial compromise appears to have involved a zero-click attack leveraging Android calling features such as Voice-over-Wi-Fi or Voice-over-LTE (VoLTE). These features were active on the compromised devices and were used for Rich Communication Suite (RCS) calling.
Google's TAG received kernel panic logs generated by exploits captured by Amnesty International and identified six vulnerabilities in Qualcomm's adsprpc driver, which is used in millions of Android devices. Google researchers confirmed the exploitation of CVE-2024-43047 and hypothesize that the rest were exploited in a complex attack chain. At the time of writing, Qualcomm has not released a patch for CVE-2024-49848, despite Google having reported the issue to them 145 days earlier. Google also noted that Qualcomm delayed patching CVE-2024-49848 and CVE-2024-21455 beyond the industry-standard 90-day disclosure window.
A spokesperson for Qualcomm stated: "Developing technologies that endeavor to support robust security and privacy is a priority for Qualcomm Technologies," and added that fixes have been made available to their customers as of September 2024. The company also mentioned that a fix for CVE-2024-49848 has been developed and is going through its disclosure process, with a security bulletin coming soon.