Citizen Lab finds evidence Kenyan police used Cellebrite forensic tools on activist Boniface Mwangi's phone while in custody, marking another documented case of commercial surveillance technology abuse against civil society.
New research from the Citizen Lab has uncovered evidence that Kenyan authorities used Cellebrite's commercial forensic extraction tools to access the phone of Boniface Mwangi, a prominent Kenyan pro-democracy activist, while it was in police custody following his July 2025 arrest.
The interdisciplinary research unit at the University of Toronto's Munk School of Global Affairs & Public Policy discovered indicators that Cellebrite technology was deployed on Mwangi's Samsung device on or around July 20-21, 2025. When Mwangi received his phone back in September, he found it no longer required a password to unlock—a clear sign that forensic extraction tools had been used.
"The use of Cellebrite could have enabled the full extraction of all materials from Mwangi's device, including messages, private materials, personal files, financial information, passwords, and other sensitive information," the Citizen Lab stated in its report.
This incident represents the latest documented case of commercial surveillance technology being misused against civil society. The findings follow a separate Citizen Lab report from January 2026 that revealed Jordanian authorities likely used Cellebrite tools to extract data from activists' and human rights defenders' phones between late 2023 and mid-2025.
In response to these revelations, a Cellebrite spokesperson told The Guardian that the company's technology is used "to access private data only in accordance with legal due process or with appropriate consent to aid investigations legally after an event has occurred."
These cases add to a growing body of evidence documenting the misuse of commercial surveillance tools by government clients. The pattern reflects a broader ecosystem where governments employ sophisticated spyware like Pegasus and Predator for targeted surveillance operations.
Predator Spyware Targets Angolan Journalist
The Citizen Lab's findings coincide with another significant surveillance case uncovered by Amnesty International. Researchers discovered that Teixeira Cândido, an Angolan journalist and press freedom advocate, had his iPhone successfully targeted by Intellexa's Predator spyware in May 2024.
The infection occurred after Cândido opened a malicious link received via WhatsApp. His iPhone was running iOS 16.2, an outdated version with known security vulnerabilities. While the specific exploit used remains unknown, the attack demonstrates how commercial spyware vendors continue to target civil society figures.
"This is the first forensically confirmed case of the Predator spyware being used to target civil society in Angola," Amnesty International reported. Once installed, the spyware granted attackers unrestricted access to Cândido's device.
Interestingly, the initial infection lasted less than one day. After Cândido restarted his phone on the evening of May 4, 2024, attackers made 11 subsequent attempts to re-infect the device by sending new malicious links. All these attempts failed, likely because Cândido did not open the links.
Technical Sophistication of Predator
Analysis by French offensive security company Reverse Society reveals that Predator is designed for "reliable, long-term deployment" and includes sophisticated anti-analysis mechanisms. The spyware can selectively enable or disable modules based on target activity, giving operators granular control over surveillance operations.
Key technical features include:
- A crash reporter monitoring system for anti-forensics
- SpringBoard hooking to suppress recording indicators when the microphone or camera is activated
- Explicit checks to avoid running in U.S. and Israeli locales
- An error code system that transforms failed deployments into diagnostic events
"These findings demonstrate that Predator's operators have granular visibility into failed deployments, enabling them to adapt their approaches for specific targets," said Jamf Threat Labs researchers Shen Yuan and Nir Avraham.
The sophistication of these commercial surveillance tools raises serious concerns about the growing market for digital espionage capabilities and their potential misuse against journalists, activists, and human rights defenders worldwide.
As governments increasingly turn to commercial vendors for surveillance capabilities, the need for stronger oversight and accountability mechanisms becomes more urgent. The documented cases in Kenya and Angola highlight how commercial spyware and forensic tools, originally designed for legitimate law enforcement purposes, can be repurposed to undermine democratic freedoms and privacy rights.
