A sophisticated surveillance operation utilizing advanced spyware named ‘NoviSpy’ has been uncovered in Serbia, targeting activists, journalists, and protesters. The operation exploited multiple Qualcomm zero-day vulnerabilities to compromise Android devices.
Key Findings:
– The spyware was discovered by Amnesty International’s Security Lab on a journalist’s phone after police custody
– Serbia’s Security Information Agency (BIA) and police were identified as the operators
– Multiple Qualcomm vulnerabilities were exploited, including CVE-2024-43047
– Targets included journalists, human rights activists, and government critics
Technical Details:
– Six critical vulnerabilities were identified in Qualcomm’s DSP driver (adsprpc):
1. CVE-2024-38402: Use-after-free exploitation
2. CVE-2024-21455: Privilege escalation vulnerability
3. CVE-2024-33060: Race condition vulnerability
4. CVE-2024-49848: Persistent mapping issue
5. CVE-2024-43047: Memory corruption vulnerability
6. An unnamed KASLR bypass vulnerability
Attack Method:
– Initial compromise through zero-click attacks using Android calling features
– Exploitation of Voice over Wi-Fi and VoLTE functionality
– Device infection during physical custody using Cellebrite unlocking tools
– Kernel-level persistence achieved through an exploit chain
Impact:
– Potentially hundreds of Android devices compromised in Serbia
– Affects millions of devices worldwide using Qualcomm chipsets
– Most vulnerabilities patched by September 2024
– Final patch for CVE-2024-49848 expected in January 2025