
February 28, 2025 | Ravie Lakshmanan | Mobile Security / Zero-Day

A recent report from Amnesty International reveals that a 23-year-old Serbian youth activist’s Android phone was targeted by a zero-day exploit developed by Cellebrite, allowing the device to be unlocked.

According to the international non-governmental organization, “the Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite.” The report states that traces of the exploit were discovered in a separate case in mid-2024.

The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), a privilege escalation flaw in the kernel's USB Video Class (UVC) driver. The flaw was patched in the Linux kernel in December 2024 and was subsequently addressed in Android earlier this month.

It is believed that CVE-2024-53104 was combined with two other flaws, namely CVE-2024-53197 and CVE-2024-50302, both of which have been resolved in the Linux kernel but are yet to be included in an Android Security Bulletin.

  • CVE-2024-53197 (CVSS score: N/A) – An out-of-bounds access vulnerability for Extigy and Mbox devices
  • CVE-2024-50302 (CVSS score: 5.5) – A use of an uninitialized resource vulnerability that could be used to leak kernel memory

Amnesty International stated that “the exploit, which targeted Linux kernel USB drivers, enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone’s lock screen and gain privileged access on the device.” Furthermore, they noted that “this case highlights how real-world attackers are exploiting Android’s USB attack surface, taking advantage of the broad range of legacy USB kernel drivers supported in the Linux kernel.”

The activist, given the name “Vedran” to protect their identity, had their phone confiscated by the police on December 25, 2024, after attending a student protest in Belgrade.

Amnesty’s analysis revealed that the exploit was used to unlock Vedran’s Samsung Galaxy A32, and the authorities attempted to install an unknown Android application. Although the exact nature of the Android app remains unclear, the modus operandi is consistent with that of prior NoviSpy spyware infections reported in mid-December 2024.

Cellebrite stated that its tools are not designed to facilitate any type of offensive cyber activity and that it works actively to curtail the misuse of its technology. The Israeli company also announced that it will no longer allow Serbia to use its software, stating “we found it appropriate to stop the use of our products by the relevant customers at this time.”
