The emergence of a new Android spyware named NoviSpy has drawn global attention, revealing how critical vulnerabilities in Qualcomm chipsets were exploited to target journalists, activists, and dissidents. Amnesty International’s Security Lab uncovered the spyware in collaboration with Google’s Threat Analysis Group (TAG), shedding light on the Serbian government’s alleged involvement in deploying this tool for surveillance.
Unveiling NoviSpy: A Surveillance Tool
NoviSpy leverages a zero-day vulnerability, identified as CVE-2024-43047, within Qualcomm’s DSP (Digital Signal Processor) driver. This critical flaw was flagged by Google Project Zero in October 2024 as actively exploited, with a patch released for Android devices in November 2024. According to Amnesty International, NoviSpy was deployed by Serbian authorities, including the Security Information Agency (BIA), to monitor and suppress dissent.
The spyware was first discovered on the phone of Slaviša Milanov, an independent journalist detained during a routine traffic stop in February 2024. Milanov noticed his phone behaving abnormally after being returned by police, prompting an analysis by Amnesty International’s Security Lab.
How NoviSpy Exploits Zero-Days
Forensic analysis revealed that the spyware exploits vulnerabilities in Qualcomm’s adsprpc driver, enabling it to bypass Android security mechanisms and persist at the kernel level. Researchers hypothesize that NoviSpy operates through a complex exploit chain, targeting multiple vulnerabilities in Qualcomm’s architecture.
Some of the uncovered flaws include:
CVE-2024-38402: A use-after-free (UAF) issue that allows kernel space exploitation.
CVE-2024-21455: Mishandling of user-controlled pointers, enabling privilege escalation.
CVE-2024-33060: A race condition exposing kernel memory to corruption.
CVE-2024-49848: Improper reference handling in persistent mappings.
CVE-2024-43047: Overlapping memory mappings leading to memory corruption.
Unassigned CVE: Kernel address space layout randomization (KASLR) bypass.
Google confirmed that CVE-2024-43047 had been exploited and suggested other vulnerabilities may also be part of the attack chain.
Deployment of NoviSpy in Serbia
Amnesty International’s investigation indicates that NoviSpy was used by Serbian authorities after unlocking target phones with Cellebrite’s tools. Cellebrite reportedly exploited Qualcomm vulnerabilities to gain unauthorized access to Android devices during physical custody.
The spyware’s configuration files and communication logs tied its activity to Serbian government agencies. It specifically targeted:
Journalists, such as Slaviša Milanov.
Human rights activists, including members of the NGO Krokodil.
Dissidents critical of government policies.
Evidence suggests NoviSpy has been installed on dozens, if not hundreds, of devices in Serbia. The initial compromise involved zero-click exploits, using Rich Communication Suite (RCS) protocols like VoLTE (Voice-over-LTE) or VoWiFi (Voice-over-WiFi). Attackers manipulated these features to deliver malicious payloads through calls from invalid, unusually long phone numbers.
Google’s Role in Addressing the Threat
Amnesty International provided Google TAG with kernel panic logs and exploit artifacts, enabling Google to identify six vulnerabilities in Qualcomm’s adsprpc driver. These discoveries revealed systemic flaws in millions of Android devices powered by Qualcomm chipsets.
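The kernel panic logs mentioned above are the kind of artifact a forensic analyst collects from a device suspected of compromise. As an added illustration, not part of the original reporting and not tooling from Amnesty International, Google or Qualcomm, the Python script below parses Android kernel crash output (dmesg or pstore console-ramoops style lines, an assumed format) into crash records and flags those whose call traces pass through the adsprpc driver named in the article. The sample log lines are constructed; the fastrpc_* frame names in them are the symbol prefix that driver uses and are included here as an assumption, as is the exact shape of the frame lines.

```python
"""Triage Android kernel crash logs for frames in the Qualcomm adsprpc driver.

Added example for this article, not code from Amnesty, Google or Qualcomm.
Only the driver name (adsprpc) comes from the reporting; the log format,
the fastrpc_* symbol prefix and the sample lines below are assumptions.
"""
import re
from dataclasses import dataclass, field

# dmesg-style timestamp prefix, e.g. "[  812.004512] " (assumed format).
TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
# Lines that open a crash record in Linux/Android kernel logs.
CRASH_START = re.compile(
    r"Unable to handle kernel|Kernel panic|Internal error: Oops|BUG: KASAN")
# "CPU: 4 PID: 4182 Comm: com.example.app Tainted: ..." -> running process.
COMM = re.compile(r"Comm:\s*(\S+)")
# Stack frame: "func+0x1c0/0x9a0 [module]" (module tag optional).
FRAME = re.compile(
    r"(?P<func>[A-Za-z_][A-Za-z0-9_.]*)\+0x[0-9a-f]+/0x[0-9a-f]+"
    r"(?:\s+\[(?P<module>[A-Za-z0-9_]+)\])?")
END_TRACE = re.compile(r"---\[ end trace")
# adsprpc is the driver named in the article; fastrpc is the symbol prefix
# used inside that driver (assumption).
DRIVER_HINTS = re.compile(r"adsprpc|fastrpc", re.IGNORECASE)


@dataclass
class CrashRecord:
    reason: str                      # the line that opened the record
    comm: str = ""                   # process running at the time of the crash
    frames: list = field(default_factory=list)

    def driver_frames(self):
        """Frames whose symbol or module tag points at the adsprpc driver."""
        return [f for f in self.frames if DRIVER_HINTS.search(f)]

    def suspicious(self):
        return bool(self.driver_frames())


def parse_crash_records(text):
    """Split raw kernel log text into CrashRecord objects."""
    records, current = [], None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw, count=1)
        if CRASH_START.search(line):
            current = CrashRecord(reason=line.strip())
            records.append(current)
            continue
        if current is None:
            continue                 # noise outside any crash record
        m = COMM.search(line)
        if m:
            current.comm = m.group(1)
        for fm in FRAME.finditer(line):
            func, module = fm.group("func"), fm.group("module")
            current.frames.append(f"{func} [{module}]" if module else func)
        if END_TRACE.search(line):
            current = None           # record closed
    return records


def triage(text):
    """Return one finding per crash whose trace touches the adsprpc driver."""
    return [
        {"reason": r.reason, "comm": r.comm, "driver_frames": r.driver_frames()}
        for r in parse_crash_records(text) if r.suspicious()
    ]


# Constructed sample: one crash inside the adsprpc driver (ioctl path from an
# app process) and one unrelated USB-gadget panic that should not be flagged.
SAMPLE_LOG = """\
[  812.004512] Unable to handle kernel paging request at virtual address ffffff8012345678
[  812.004530] CPU: 4 PID: 4182 Comm: com.example.app Tainted: G S      W  O   5.4.210-qgki
[  812.004545] pc : fastrpc_internal_invoke+0x1c0/0x9a0 [adsprpc]
[  812.004560] Call trace:
[  812.004566]  fastrpc_device_ioctl+0x348/0xc10 [adsprpc]
[  812.004572]  __arm64_sys_ioctl+0xa8/0xe4
[  812.004578]  el0_svc_common+0xb4/0x190
[  812.004585] ---[ end trace 5c3d0f1a2b9e4c77 ]---
[  900.100000] Kernel panic - not syncing: Fatal exception
[  900.100010] CPU: 1 PID: 77 Comm: kworker/1:1 Tainted: G W
[  900.100020] Call trace:
[  900.100030]  dwc3_gadget_ep_queue+0x80/0x200
[  900.100040]  usb_ep_queue+0x3c/0x90
[  900.100050] ---[ end trace 00000000deadbeef ]---
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['comm']}: {finding['reason']}")
        for frame in finding["driver_frames"]:
            print("   ", frame)
```

A crash in the DSP driver triggered from an ordinary app process is not proof of exploitation on its own, since driver bugs also crash benignly, but it is the kind of lead that, paired with the process name and timing, justifies pulling the full pstore contents and installed-package list for deeper analysis.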
Despite Google’s efforts to address these issues, Qualcomm faced criticism for delayed patches:
CVE-2024-49848 and CVE-2024-21455 exceeded the 90-day disclosure timeline.
A patch for CVE-2024-49848 is expected in January 2025, long after Google flagged the vulnerability.
Qualcomm issued a statement acknowledging these concerns, emphasizing its commitment to robust security. The company encouraged users to apply updates from device manufacturers promptly.
A Broader Implication: Security and Ethics
The NoviSpy incident underscores the critical need for:
Timely Patch Deployment: Delays in addressing zero-day vulnerabilities expose millions of users to heightened risks.
Strong Security Practices: Governments and companies must adopt ethical practices when leveraging tools like Cellebrite for legitimate purposes.
Proactive Measures: Enhanced scrutiny of hardware and software vulnerabilities is essential to safeguard users.
The use of spyware to target journalists and activists raises serious ethical questions about surveillance in democratic societies. It highlights the delicate balance between law enforcement needs and protecting civil liberties.
Qualcomm’s Response and Future Mitigations
In response to the exposed vulnerabilities, Qualcomm released fixes for most issues by September 2024, with others scheduled for early 2025. The company reiterated its commitment to working closely with researchers to ensure a secure ecosystem for Android devices.
Conclusion
The NoviSpy case sheds light on the intersection of state surveillance and cybersecurity vulnerabilities. As technology advances, safeguarding digital privacy becomes more urgent. Collaboration between organizations like Amnesty International, Google, and hardware manufacturers is pivotal in identifying and mitigating these threats.
The exploitation of zero-day vulnerabilities in this incident underscores the importance of holding governments and corporations accountable for ethical cybersecurity practices. For users, it serves as a stark reminder to stay vigilant, keep devices updated, and advocate for greater transparency in the digital age.