
Digital Shackles: How Commercial Spyware Targets Activists and Journalists Globally


In a chilling revelation that underscores the escalating threat to civil liberties, new research from the Citizen Lab has uncovered compelling evidence that commercial forensic extraction tools, specifically those manufactured by Israeli firm Cellebrite, were deployed against a prominent Kenyan pro-democracy activist. This incident marks yet another entry in a growing dossier of cases where powerful surveillance technology, ostensibly designed for legitimate law enforcement, is being weaponized against civil society.

Cellebrite’s Reach: From Kenyan Activist to Jordanian Defenders

The University of Toronto’s Munk School of Global Affairs & Public Policy, through its interdisciplinary research unit, Citizen Lab, identified indicators of Cellebrite’s technology on the personal Samsung phone of Boniface Mwangi. Mwangi, a vocal pro-democracy advocate with presidential aspirations for 2027, had his device seized while in police custody following an arrest in July 2025. Upon its return nearly two months later, Mwangi discovered his phone inexplicably unlocked, its password protection removed. Citizen Lab’s analysis confidently places the forensic extraction activity on or around July 20-21, 2025.

“The use of Cellebrite could have enabled the full extraction of all materials from Mwangi’s device, including messages, private materials, personal files, financial information, passwords, and other sensitive information,” the Citizen Lab report warned, highlighting the profound privacy implications.

This isn’t an isolated incident. A prior Citizen Lab report detailed similar findings in Jordan, where officials are suspected of using Cellebrite tools to extract data from the phones of activists and human rights defenders. These individuals had been critical of Israel and voiced support for Palestinians in Gaza, their devices confiscated during detentions and interrogations between late 2023 and mid-2025.

Cellebrite, when confronted with these findings, maintained to The Guardian that its technology is deployed “only in accordance with legal due process or with appropriate consent to aid investigations legally after an event has occurred.” However, these documented cases contribute to an alarming trend of misuse by government clients, painting a broader picture of surveillance abuses globally, often involving mercenary spyware like Pegasus and Predator.

Predator Spyware: Angolan Journalist Becomes Latest Victim

Further amplifying these concerns, Amnesty International recently revealed that Intellexa’s sophisticated Predator spyware successfully targeted the iPhone of Teixeira Cândido, a respected Angolan journalist and press freedom advocate. In May 2024, Cândido’s device, running an outdated iOS 16.2, was compromised after he opened a malicious link received via WhatsApp. While the specific exploit remains unknown, the breach granted attackers “unrestricted access” to his iPhone, as confirmed by Amnesty International, marking the first forensically verified instance of Predator targeting civil society in Angola.

Recorded Future had previously noted suspected Predator operations in Angola dating back to 2024, underscoring a persistent threat. Intriguingly, Cândido’s infection lasted less than a day and was likely removed by a phone restart. Yet the attackers persisted, making 11 re-infection attempts until mid-June 2024, all of which reportedly failed as the links went unopened.

The Sophistication of Predator: A Deep Dive

An analysis by French offensive security firm Reverse Society sheds light on Predator’s advanced capabilities. Described as a commercial spyware product “built for reliable, long-term deployment,” it offers operators real-time control, allowing them to selectively activate or deactivate modules based on target activity. Its sophistication is further evidenced by undocumented anti-analysis mechanisms, including a crash reporter for anti-forensics and SpringBoard hooking to suppress recording indicators when the microphone or camera is active, effectively hiding surveillance from victims.

Moreover, Predator incorporates explicit checks to avoid operating in U.S. and Israeli locales, a common tactic among such tools to evade scrutiny. Jamf Threat Labs researchers Shen Yuan and Nir Avraham noted that these features provide Predator’s operators with “granular visibility into failed deployments,” transforming those failures from “black boxes into diagnostic events” and enabling continuous refinement of their attack strategies.

The Global Threat to Digital Rights

These incidents serve as stark reminders of the pervasive and evolving threat posed by commercial surveillance technologies. While marketed for national security and law enforcement, their deployment against activists, journalists, and human rights defenders undermines democratic principles, stifles dissent, and erodes fundamental digital rights. The ongoing investigations by organizations like Citizen Lab and Amnesty International are crucial in exposing these abuses and advocating for greater accountability from both the developers of such tools and the governments that wield them.

