Citizen Lab Finds Evidence of Mobile Data Extraction from Detained Kenyan Activist


Citizen Lab says it found forensic evidence that Cellebrite’s mobile extraction technology was used on a Samsung Android phone belonging to detained Kenyan activist and politician Boniface Mwangi while the device was in police custody in July 2025.

The group warns the case highlights how high-powered forensic tools can be used to access sensitive personal and political data after arrests and device seizures.

Arrest, seizure, and charges

Mwangi is a prominent dissenting voice in Kenya and has publicly announced plans to run for president in the country’s 2027 elections.

Citizen Lab reports that officers from Kenya’s Directorate of Criminal Investigations (DCI) arrested Mwangi at his home on July 19, 2025, then took him to his office in Nairobi, where authorities raided both locations and seized multiple devices.

The report places the arrest within a wider period of protests and allegations of abuses, noting the broader climate of pressure on protesters and civil society.

Two days after the arrest, Mwangi appeared before a special court that handles terrorism and transnational crime matters and was charged under a firearms law, after authorities initially signaled they might pursue terrorism- and money-laundering-related accusations tied to June 2025 protests.

Citizen Lab says the terror-related charges were later dropped following international condemnation, and Mwangi was released on bail while his criminal case remained active at the time of writing.

Citizen Lab says the seized devices were returned to Mwangi on September 4, 2025, and he noticed that password protection on his Samsung phone had been removed even though he says he never provided the password.

After examining artifacts from the returned devices, Citizen Lab reports it found signs that Cellebrite was used on or around July 20–21, 2025, during the period the phone was held by Kenyan police.

A key technical indicator cited in the report is traces of an application named com.client.appA, which Citizen Lab associates “with high confidence” with Cellebrite’s forensic extraction tooling.

The researchers say such tooling could enable broad extraction of device contents, including messages, private files, financial information, and stored passwords, and they note their analysis of other seized devices in the case is ongoing.

Citizen Lab argues the incident adds to a growing pattern in which Cellebrite-linked capabilities are connected to alleged abuses by government clients, and it questions whether vendor human-rights due diligence and oversight are sufficient in high-risk environments.
