Citizen Lab Finds Cellebrite Device Used on Kenyan Activist’s Phone in Police Custody

A new study from Citizen Lab has found signs that Kenyan authorities are using a commercial surveillance tool developed by Israeli company Cellebrite to hack into a dissident’s phone, making it the latest case of technology abuse targeting the public.
The interdisciplinary research unit, based at the University of Toronto’s Munk School of Global Affairs & Public Policy, said it found clues on the phone of Boniface Mwangi, a Kenyan pro-democracy activist who has announced plans to run for president in 2027.
Specifically, it emerged that Cellebrite’s recording tools were used on his Samsung phone while he was in police custody following his July 2025 arrest.
The phone was returned to him about two months later, in September, which is when Mwangi discovered that the phone was no longer secure and could be unlocked without needing a phone number. It has been assessed with high confidence that Cellebrite technology was used on the phone on July 20 or July 21, 2025.
“The use of Cellebrite would have resulted in the complete removal of all material from Mwangi’s device, including messages, private items, personal files, financial information, passwords, and other sensitive information,” Citizen Lab said.
The latest findings follow a separate report released last month, in which researchers said Jordanian officials may have used Cellebrite to extract information from the cellphones of activists and human rights defenders who criticized Israel and expressed support for the Palestinians in Gaza.
The devices were seized by the Jordanian authorities during arrests, detentions, and interrogations, and were later returned to their owners. The documented incidents occurred between 2023 and mid-2025, Citizen Lab said.
In response to the findings, a spokesperson for Cellebrite told the Guardian that the company’s technology is used “to access private data only in accordance with due process of law or with appropriate consent to facilitate legal investigations after an event has occurred.”
These two cases add to a growing body of evidence documenting the misuse of Cellebrite’s technology by government customers. They also fit into an extensive ecosystem of surveillance abuse in which various governments around the world carry out highly targeted surveillance using mercenary spyware such as Pegasus and Predator.

Predator Spyware Targets Angolan Journalist

This development also coincides with another report from Amnesty International, which found evidence that the iPhone of Teixeira Cândido, an Angolan journalist and press freedom advocate, was successfully targeted by Intellexa’s Predator spyware in May 2024 after he opened an infection link received through WhatsApp.
The iPhone was running iOS 16.2, an older version of the operating system with known security issues. It is currently unknown what exploit was used to cause the infection. In several reports published last year, Recorded Future revealed that it had observed Predator operations in Angola from 2024.
“This is the first legally confirmed case of Predator spyware being used to target the Angolan population,” the international human rights group said. “Once the spyware is installed, an attacker can gain unrestricted access to Teixeira Cândido’s iPhone.”
“The Predator spyware infection seems to have lasted less than one day; the infection was removed when Teixeira Cândido’s phone was restarted on the night of May 4, 2024. From that time until June 16, 2024, the attackers made 11 new attempts to re-infect the device with new messages. The links just don’t open.”

According to an analysis published by the French offensive security company Reverse Society, Predator is a commercial spyware product “designed for reliable, long-term deployment” that lets operators selectively enable or disable modules based on target activity, giving them real-time control over surveillance efforts.
Predator was also found to include various undocumented anti-analysis methods, including a crash reporter monitoring system for anti-forensics and a SpringBoard hook that suppresses the recording indicators shown to victims when the microphone or camera is activated, indicating the sophistication of the spyware. In addition, it has explicit checks to avoid operating in US and Israeli territories.
“These findings show that Predator operators have granular visibility into failed shipments, […] allowing them to change their methods to achieve specific objectives,” said Jamf Threat Labs researchers Shen Yuan and Nir Avraham. “This error code system transforms failed deployments from black boxes to diagnostic events.”



