Amnesty Worldwide on Friday mentioned it decided {that a} zero-day exploit bought by controversial exploit vendor Cellebrite was used to compromise the cellphone of a Serbian pupil who had been vital of that nation’s authorities.

The human rights group first referred to as out Serbian authorities in December for what it mentioned was its “pervasive and routine use of adware” as a part of a marketing campaign of “wider state management and repression directed in opposition to civil society.” That report mentioned the authorities had been deploying exploits bought by Cellebrite and NSO, a separate exploit vendor whose practices have additionally been sharply criticized over the previous decade. In response to the December report, Cellebrite mentioned it had suspended gross sales to “related clients” in Serbia.

Marketing campaign of surveillance

On Friday, Amnesty Worldwide mentioned that it uncovered proof of a brand new incident. It entails the sale by Cellebrite of an assault chain that might defeat the lock display screen of totally patched Android units. The exploits had been used in opposition to a Serbian pupil who had been vital of Serbian officers. The chain exploited a collection of vulnerabilities in gadget drivers the Linux kernel makes use of to help USB {hardware}.

“This new case offers additional proof that the authorities in Serbia have continued their marketing campaign of surveillance of civil society within the aftermath of our report, regardless of widespread requires reform, from each inside Serbia and past, in addition to an investigation into the misuse of its product, introduced by Cellebrite,” authors of the report wrote.

Amnesty Worldwide first found proof of the assault chain final 12 months whereas investigating a separate incident outdoors of Serbia involving the identical Android lockscreen bypass. Authors of Friday’s report wrote: