it

Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody

Published: (February 18, 2026 at 12:30 PM EST)
4 min read
Source: The Hacker News

Source: The Hacker News

Ravie Lakshmanan – Feb 18 2026 – Mobile Security / Spyware

Sam

New research from the Citizen Lab has found signs that Kenyan authorities used a commercial forensic extraction tool manufactured by Israeli company Cellebrite to break into a prominent dissident’s phone, making it the latest case of abuse of the technology targeting civil society.

The interdisciplinary research unit at the University of Toronto’s Munk School of Global Affairs & Public Policy said it found the indicators on a personal phone belonging to Boniface Mwangi, a Kenyan pro‑democracy activist who has announced plans to run for president in 2027.

Specifically, it has emerged that Cellebrite’s forensic extraction tools were used on his Samsung phone while it was in police custody following his arrest in July 2025. The phone was returned to him nearly two months later, in September, at which point Mwangi found that the device was no longer password‑protected and could be unlocked without a password. It has been assessed with high confidence that Cellebrite’s technology was used on the phone on or around July 20–21, 2025.

“The use of Cellebrite could have enabled the full extraction of all materials from Mwangi’s device, including messages, private materials, personal files, financial information, passwords, and other sensitive information,” the Citizen Lab said.

The latest findings follow a separate report released last month, in which the researchers said officials in Jordan likely used Cellebrite to extract information from the mobile phones of activists and human‑rights defenders who had been critical of Israel and who spoke out in support of Palestinians in Gaza.

Gartner

The devices were seized by Jordanian authorities during detentions, arrests, and interrogations, and subsequently returned to their owners. The documented incidents took place between late 2023 and mid‑2025, the Citizen Lab said.

In response to the findings, a spokesperson for Cellebrite told The Guardian that the company’s technology is used to “access private data only in accordance with legal due process or with appropriate consent to aid investigations legally after an event has occurred.”

The two cases add to a growing body of evidence documenting the misuse of Cellebrite technology by government clients. It also reflects a broader ecosystem of surveillance abuses by various governments around the world to enable highly‑targeted surveillance using mercenary spyware like Pegasus and Predator.

Predator Spyware Targets Angolan Journalist

Predator app screenshot

The development also coincides with another report from Amnesty International, which discovered evidence that the iPhone belonging to Teixeira Cândido, an Angolan journalist and press‑freedom advocate, was successfully targeted by Intellexa’s Predator spyware in May 2024 after he opened an infection link received via WhatsApp.

The iPhone was running iOS 16.2, an outdated version of the operating system with known security issues. It is currently not known what exploit was used to trigger the infection. In multiple reports published last year, Recorded Future revealed that it has observed suspected Predator operations in Angola dating back to 2024.

ThreatLocker

“This is the fir… ” (text truncated in the original source)

Cleaned Markdown Content

“Forensically confirmed case of the Predator spyware being used to target civil society in Angola,” the international human rights organization Amnesty International said.
Source
“Once the spyware was installed, the attacker could gain unrestricted access to Teixeira Cândido’s iPhone.”

“The Predator spyware infection appears to have lasted less than one day, with the infection being removed when Teixeira Cândido’s phone was restarted in the evening of 4 May 2024. From that time until 16 June 2024, the attackers made 11 new attempts to re‑infect the device by sending him new malicious Predator infection links. All of these subsequent attack attempts appear to have failed, likely due to the links simply not being opened.”

Predator spyware illustration

According to an analysis published by French offensive‑security company Reverse Society, Predator is a commercial spyware product “built for reliable, long‑term deployment” and allows operators to selectively enable or disable modules based on target activity, granting them real‑time control over surveillance efforts.

Source: Reverse Society blog – Predator iOS malware surveillance framework (Part 1)

Predator also incorporates several undocumented anti‑analysis mechanisms, including:

  • A crash‑reporter monitoring system for anti‑forensics.
  • SpringBoard hooking to suppress recording indicators when the microphone or camera is activated, illustrating the spyware’s sophistication.
  • Explicit checks to avoid running in U.S. and Israeli locales.

“These findings demonstrate that Predator’s operators have granular visibility into failed deployments, … enabling them to adapt their approaches for specific targets,” Jamf Threat Labs researchers Shen Yuan and Nir Avraham said.
Source
“This error‑code system transforms failed deployments from black boxes into diagnostic events.”

Stay Informed

Found this article interesting? Follow us for more exclusive content:

  • Google News:
  • Twitter:
  • LinkedIn:
0 views
#Cellebrite #Citizen Lab #Kenyan activist #phone forensics #spyware #digital surveillance #civil society #law enforcement abuse #mobile security
View source
Share:
Back to Blog

Related posts

Read more »