
A new study by Citizen Lab has found evidence that Kenyan authorities used a commercial forensic extraction tool made by Israeli company Cellebrite to break into the mobile phones of prominent dissidents, the latest incident of technology abuse targeting civil society.
The interdisciplinary research unit at the University of Toronto’s Munk School of International Affairs and Public Policy said it found the indicators on the personal cellphone of Boniface Mwangi, a Kenyan pro-democracy activist who has announced plans to run for president in 2027.
Specifically, Cellebrite’s forensic extraction tool was found to have been used on a Samsung mobile phone that was in police custody following his arrest in July 2025.
The phone was returned to him almost two months later in September, at which point Mwangi realized it was not password protected and could be unlocked without a password. Cellebrite’s technology was assessed with high confidence to have been used on the phone on or about July 20 and July 21, 2025.
“Cellebrite could have been used to completely extract all materials from Mwangi’s devices, including messages, private materials, personal files, financial information, passwords, and other sensitive information,” Citizen Lab said.
The latest findings follow another report released last month, in which researchers said Jordanian authorities likely used Cellebrite to extract information from the cellphones of activists and human rights defenders who criticized Israel and expressed support for Palestinians in Gaza.
The devices were seized by Jordanian authorities during detention, arrest, and interrogation, and subsequently returned. According to Citizen Lab, the documented incidents occurred between late 2023 and mid-2025.
In response to the findings, a spokesperson for Cellebrite told the Guardian that the company’s technology is only used to “access personal data in accordance with legal due process or with appropriate consent to legally assist investigations after an incident has occurred.”
These two incidents add to the body of evidence documenting the misuse of Cellebrite technology by government customers. They also reflect a broader ecosystem of surveillance abuses by various governments around the world, which use mercenary spyware such as Pegasus and Predator to enable targeted surveillance.
Predator spyware targeting Angolan journalists

This development is consistent with another Amnesty International report that found evidence that the iPhone of Angolan journalist and press freedom advocate Teixeira Cândido was targeted by Intellexa’s Predator spyware after he opened a malicious link received via WhatsApp in May 2024.
The iPhone was running iOS 16.2, an older version of the operating system with known security issues. At this time, it is unknown what exploit was used to cause the infection. In multiple reports published last year, Recorded Future revealed that it had observed suspected Predator operations in Angola dating back to 2024.
“This is the first forensically confirmed use of the Predator spyware to target Angola’s civil society,” the international human rights organization said. “Once the spyware is installed, the attacker has unrestricted access to Teixeira Cândido’s iPhone.”
“The Predator spyware infection appears to have lasted less than a day, and was removed when Teixeira Cândido’s phone was restarted on the evening of May 4, 2024. From that point until June 16, 2024, the attackers attempted to reinfect his device by sending him new malicious Predator infection links 11 times. It appears that all of these subsequent attack attempts failed, perhaps because the link was simply not opened.”

According to an analysis published by French offensive security firm Reverse Society, Predator is a commercial spyware product “built for reliable, long-term deployment” that allows operators to selectively enable or disable modules based on target activity, giving them real-time control over surveillance activities.
Predator was also found to include a variety of undocumented anti-analysis mechanisms, including a crash reporter monitoring system for forensic countermeasures and a SpringBoard hook that suppresses the recording indicators shown to victims when the microphone or camera is activated, demonstrating the sophistication of the spyware. Additionally, there are explicit checks to avoid running in US and Israeli locales.
“These findings demonstrate that Predator operators have detailed visibility into failed deployments. […] This error code system transforms failed deployments from black boxes to diagnostic events,” said Jamf Threat Labs researchers Shen Yuan and Nir Avraham.
