Donncha Ó Cearbhaill

554 Followers
173 Following
12 Posts

Head of Security Lab at Amnesty International - Hunting spyware and unlawful surveillance targeting activists and civil society.

Pronounced Done-a-ka - He/him

Amnesty Security Lab: https://securitylab.amnesty.org
Personal Website: https://donncha.is
GitHub: https://github.com/DonnchaC
Bluesky: https://bsky.app/profile/donncha.is
Twitter: https://x.com/DonnchaC/
Keybase: @DonnchaC

NEW: Suspected Russian government hackers targeted @DonnchaC, who investigates spyware attacks daily.

Donncha immediately recognized he was being targeted, and he turned the tables on the hackers, exposing a massive spying campaign against Signal users.

"The chance ... was too good to pass up."

https://techcrunch.com/2026/05/14/a-spyware-investigator-exposed-russian-government-hackers-trying-to-hijack-signal-accounts/

A spyware investigator exposed Russian government hackers trying to hijack Signal accounts | TechCrunch

A group of likely Russian government hackers tried to hack a security researcher who investigates spyware attacks. He was then able to turn the tables on the hackers and reveal details of their espionage campaign.

TechCrunch

Spyware forensic work has so far relied on incidental logs that were never designed for security analysis and are too often partial and short-lived. Now we have the possibility to detect advanced spyware, exploits and unauthorised physical access, even months after the fact.

Credit to the teams at Google and Android who engaged deeply on this work over the past two years, taking onboard a lot of feedback on what civil society forensic work needs.

We hope this can be a starting point for more proactive efforts to support spyware accountability.

The feature is opt-in for Pixel devices on Android 16+ with Advanced Protection Mode enabled.

As it rolls out beyond Pixel, it should help protect more Android users who are often underserved and cannot afford the most expensive devices.

https://blog.google/security/whats-new-in-android-security-privacy-2026/

What’s New in Android Security and Privacy in 2026

Android elevates mobile security with new AI-powered protections and advanced safeguards to help keep you safe.

Google

With our colleagues at RSF's Digital Security Lab (@besendorf) we've also prepared new releases of #MVT and #AndroidQF with support for extracting and analyzing Intrusion Logs for signs of spyware.

Read more in the MVT docs

https://docs.mvt.re/en/latest/android/intrusion_logs/

Check Android Intrusion Logs - Mobile Verification Toolkit

Mobile Verification Toolkit Documentation

Excited to see Google launch Intrusion Logging, the first purpose-built system to enable forensic investigations of advanced attacks on mobile.

Our team at Amnesty International's Security Lab has worked with Android Security as a design partner during the development of Intrusion Logging and Advanced Protection Mode over the past two years.

To help defenders and civil society leverage this tool to further accountability efforts, we have released a forensic methodology guide explaining the feature and its usage.

https://securitylab.amnesty.org/latest/2026/05/android-intrusion-logging-as-a-new-source-of-data-for-consensual-forensic-analysis/

Android Intrusion Logging as a new source of data for consensual forensic analysis  - Amnesty International Security Lab

Google has today announced the launch of a new ‘Android Intrusion Logging’ feature as part of Android Advanced Protection Mode (AAPM). The new intrusion logging feature promises to be a major aid to digital forensics researchers undertaking investigations into sophisticated attacks on Android devices. This is the first time a major device vendor has released […]

Amnesty International Security Lab

NEW: A hack-for-hire group targeted victims with Android spyware and with phishing attacks to break into iCloud backups.

The group, codenamed BITTER, has alleged ties with Indian government, and attacked victims in the Middle East and North Africa, including journalists and government officials.

"These operations have become cheaper and it’s possible to evade responsibility, especially since we won’t know who the end customer is, and the infrastructure won’t reveal the entity behind it," said AccessNow's investigator Mohammed Al-Maskati.

http://techcrunch.com/2026/04/08/hack-for-hire-group-caught-targeting-android-devices-and-icloud-backups/

Hack-for-hire group caught targeting Android devices and iCloud backups | TechCrunch

Security researchers exposed a spying campaign by a hack-for-hire group that used Android spyware and phishing to steal iCloud credentials and hack victims’ devices.

TechCrunch

Italian digital rights group Osservatorio Nessuno analyzed a new sample of Spyrtacus, a spyware used by Italian law enforcement and developed by SIO.

The delivery mechanism is the well-known "fake ISP support" website and app (APK). That's why they call Spyrtacus "low-cost spyware".

https://osservatorionessuno.org/blog/2026/04/italian-spyware-maker-sio-still-developing-and-distributing-spyrtacus/

Demystifying phone unlocking tools: A technical overview

osservatorionessuno.org

New: Cellebrite continues to be used to perpetrate human rights abuses. Their UFED device was used to break into the phones of activists in Jordan.

Report from Citizen Lab:

https://citizenlab.ca/research/from-protest-to-peril-cellebrite-used-against-jordanian-civil-society/

Spyware installed on Kenyan filmmakers' phones in police custody - Committee to Protect Journalists

https://cpj.org/2025/09/spyware-installed-on-kenyan-filmmakers-phones-in-police-custody/

New York, September 10, 2025—The Committee to Protect Journalists is gravely alarmed by the installation of spyware on two Kenyan filmmakers’ phones while the devices were in police custody, and calls on authorities to drop a case against them and two other filmmakers and ensure that journalists are not further targeted for surveillance. Forensic analysis...

Committee to Protect Journalists

NEW: WhatsApp has fixed a "zero-click" security flaw in its iOS and Mac apps that was being used to stealthily hack into Apple devices. Amnesty said the hacks were part of an "advanced spyware campaign."

WhatsApp tells me they sent fewer than 200 threat notifications to affected users.

https://techcrunch.com/2025/08/29/whatsapp-fixes-zero-click-bug-used-to-hack-apple-users-with-spyware/

WhatsApp fixes 'zero-click' bug used to hack Apple users with spyware | TechCrunch

A spyware vendor was behind a recent campaign that abused a vulnerability in WhatsApp to deliver an exploit capable of hacking into iPhones and Macs.

TechCrunch

Android In-The-Wild: Unexpectedly Excavating a Kernel Exploit

Talk by Seth Jenkins about analyzing the traces of an In-The-Wild exploit that targeted the Qualcomm adsprpc driver.

Based on a previously published article.

Talk: https://www.youtube.com/watch?v=lnK1iACJ3-c
Article: https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpectedly-excavating-exploit.html

OffensiveCon25 - Seth Jenkins - Android In-The-Wild: Unexpectedly Excavating a Kernel Exploit

YouTube