News

Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody

February 18, 2026

·

by

NEWS

New research from the Citizen Lab has found signs that Kenyan authorities used a commercial forensic extraction tool manufactured by Israeli company Cellebrite to break into a prominent dissident’s phone, making it the latest case of abuse of the technology targeting civil society.

The interdisciplinary research unit at the University of Toronto’s Munk School of Global Affairs & Public Policy said it found the indicators on a personal phone belonging to Boniface Mwangi, a Kenyan pro-democracy activist who has announced plans to run for president in 2027.

Specifically, it has emerged that Cellebrite’s forensic extraction tools were used on his Samsung phone while it was in police custody following his arrest in July 2025.

The phone was returned to him nearly two months later, in September, at which point Mwangi found that the phone was no longer password-protected and could be unlocked without requiring a password. It’s been assessed with high confidence that Cellebrite’s technology was used on the phone on or around July 20 and July 21, 2025.

“The use of Cellebrite could have enabled the full extraction of all materials from Mwangi’s device, including messages, private materials, personal files, financial information, passwords, and other sensitive information,” the Citizen Lab said.

The latest findings follow a separate report released last month, in which the researchers said officials in Jordan likely used Cellebrite to extract information from the mobile phones of activists and human rights defenders who had been critical of Israel and spoke out in support of Palestinians in Gaza.

The devices were seized by Jordanian authorities during detentions, arrests, and interrogations, and subsequently returned to them. The documented incidents took place between late 2023 and mid-2025, the Citizen Lab said.

In response to the findings, a spokesperson for Cellebrite told The Guardian that the company’s technology is used to “access private data only in accordance with legal due process or with appropriate consent to aid investigations legally after an event has occurred.”

The two cases add to a growing body of evidence documenting the misuse of Cellebrite technology by government clients. It also reflects a broader ecosystem of surveillance abuses by various governments around the world to enable highly-targeted surveillance using mercenary spyware like Pegasus and Predator.

Predator Spyware Targets Angolan Journalist

The development also coincides with another report from Amnesty International, which discovered evidence that the iPhone belonging to Teixeira Cândido, an Angolan journalist and press freedom advocate, was successfully targeted by Intellexa’s Predator spyware in May 2024 after he opened an infection link received via WhatsApp.

The iPhone was running iOS 16.2, an outdated version of the operating system with known security issues. It’s currently not known what exploit was used to trigger the infection. In multiple reports published last year, Recorded Future revealed that it has observed suspected Predator operations in Angola dating back to 2024.

“This is the first forensically confirmed case of the Predator spyware being used to target civil society in Angola,” the international human rights organization said. “Once the spyware was installed, the attacker could gain unrestricted access to Teixeira Cândido’s iPhone.”

“The Predator spyware infection appears to have lasted less than one day, with the infection being removed when Teixeira Cândido’s phone was restarted in the evening of 4 May 2024. From that time until 16 June 2024, the attackers made 11 new attempts to re-infect the device by sending him new malicious Predator infection links. All of these subsequent attack attempts appear to have failed, likely due to the links simply not being opened.”

According to an analysis published by French offensive security company Reverse Society, Predator is a commercial spyware product “built for reliable, long-term deployment” and allows operators to selectively enable or disable modules based on target activity, granting them real-time control over surveillance efforts.

Predator has also been found to incorporate various undocumented anti-analysis mechanisms, including a crash reporter monitoring system for anti-forensics and SpringBoard hooking to suppress recording indicators from victims when the microphone or camera is activated, illustrating the sophistication of the spyware. On top of that, it has explicit checks to avoid running in U.S. and Israeli locales.

“These findings demonstrate that Predator’s operators have granular visibility into failed deployments, […] enabling them to adapt their approaches for specific targets,” Jamf Threat Labs researchers Shen Yuan and Nir Avraham said. “This error code system transforms failed deployments from black boxes into diagnostic events.”