Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody: Surveillance Concerns Rise
Kenyan Authorities Used Commercial Forensic Tool to Extract Data from Activist’s Phone
A recent investigation by the Citizen Lab has revealed that Kenyan authorities utilized a commercial forensic extraction tool to access the mobile phone of a prominent dissident while it was in police custody. The tool, manufactured by Israeli company Cellebrite, was used to break into the phone of Boniface Mwangi, a Kenyan pro-democracy activist who has announced plans to run for president in 2027.
Investigation Findings
The Citizen Lab, an interdisciplinary research unit at the University of Toronto’s Munk School of Global Affairs & Public Policy, found evidence that Cellebrite’s forensic extraction tools were used on Mwangi’s Samsung phone in July 2025, while it was in police custody. The phone was returned to Mwangi nearly two months later, in September, with the password protection removed.
Implications of the Use of Cellebrite’s Technology
The use of Cellebrite’s technology could have enabled the full extraction of all materials from Mwangi’s device, including messages, private materials, personal files, financial information, passwords, and other sensitive information. This is not the first instance of Cellebrite’s technology being used to target civil society. A separate report released last month found that officials in Jordan likely used Cellebrite to extract information from the mobile phones of activists and human rights defenders who had been critical of Israel and had spoken out in support of Palestinians in Gaza.
Broader Ecosystem of Surveillance Abuses
The misuse of Cellebrite technology by government clients is part of a broader ecosystem of surveillance abuses by various governments around the world. This ecosystem enables highly targeted surveillance using mercenary spyware like Pegasus and Predator.
Related Development: Amnesty International’s Discovery
In a related development, Amnesty International discovered evidence that the iPhone belonging to Teixeira Cândido, an Angolan journalist and press freedom advocate, was successfully targeted by Intellexa’s Predator spyware in May 2024. The iPhone was running iOS 16.2, an outdated version of the operating system with known security issues. The Predator spyware infection appears to have lasted less than one day and was removed when Teixeira Cândido’s phone was restarted.
The Predator spyware product is built for reliable, long-term deployment and allows operators to selectively enable or disable modules based on target activity, granting them real-time control over surveillance efforts. It also incorporates various undocumented anti-analysis mechanisms, including a crash reporter monitoring system for anti-forensics and SpringBoard hooking that hides recording indicators from victims when the microphone or camera is activated.
Conclusion
The findings demonstrate that Predator’s operators have granular visibility into failed deployments, enabling them to adapt their approaches for specific targets. The use of commercial spyware products like Predator and Cellebrite’s forensic extraction tools highlights the need for greater transparency and accountability in the use of surveillance technologies by governments around the world.
