According to Amnesty International, Google has resolved previously unknown vulnerabilities in Android that allowed authorities to access phones using forensic tools.
On Friday, Amnesty International released a report detailing a series of three zero-day vulnerabilities developed by the phone-unlocking company Cellebrite. These vulnerabilities were discovered by Amnesty’s researchers after investigating the hacking of a student protester’s phone in Serbia. The flaws were found in the core Linux USB kernel, which means that “the vulnerability is not limited to a specific device or vendor and could affect over a billion Android devices,” according to the report.
Zero-day vulnerabilities are bugs in products that are unknown to the software or hardware manufacturers at the time they are discovered. They enable criminal and government hackers to break into systems more effectively because no patches are yet available to fix them.
Amnesty stated that it initially discovered one of the flaws in mid-2024 and later, after investigating the hacking of a student activist in Serbia, shared its findings with Google’s anti-hacking unit, the Threat Analysis Group. This led Google’s researchers to identify and fix the three separate flaws.
During the investigation into the activist’s phone, Amnesty researchers found a USB exploit that allowed Serbian authorities to use Cellebrite tools to unlock the activist’s phone.
When contacted for comment, a Cellebrite spokesperson, Victor Cooper, referred to a statement published by the company earlier in the week.
In December, Amnesty reported that it had found two cases where Serbian authorities used Cellebrite forensic tools to unlock the phones of an activist and a journalist and then install Android spyware known as NoviSpy. Earlier this week, Cellebrite announced that it had suspended its Serbian customer from using its technology following allegations of abuse uncovered by Amnesty.
“After reviewing the allegations presented in the December 2024 Amnesty International report, Cellebrite took steps to investigate each claim in accordance with our ethics and integrity policies. We found it necessary to suspend the use of our products by the relevant customers at this time,” Cellebrite wrote in its statement.
In its new report, Amnesty stated that it was contacted in January to analyze the device of a youth activist arrested by the Serbian Security Information Agency (Bezbednosno-informativna agencija, or BIA) at the end of last year.
“The circumstances of his arrest and the behavior of the BIA officers strongly matched the modus operandi used against protesters, which we documented in our December report. A forensic investigation of the device conducted in January confirmed the use of Cellebrite on the student activist’s phone,” Amnesty wrote.
Similar to other cases, the authorities used a Cellebrite device to unlock the activist’s Samsung A32 phone without his knowledge or consent and outside a legally sanctioned investigation, according to Amnesty.
“The routine use of Cellebrite software against individuals for exercising their rights to freedom of expression and peaceful assembly can never be a legitimate aim and is therefore a violation of human rights law,” Amnesty wrote.
Bill Marczak, a senior researcher at Citizen Lab, a digital rights organization that investigates spyware, wrote on X that activists, journalists, and members of civil society “who might have their phone seized by authorities (during a protest, at a border, etc.) should consider switching to an iPhone” due to these vulnerabilities.
Referring to Cellebrite’s tools, Donncha Ó Cearbhaill, the head of Amnesty’s Security Lab, told TechCrunch that “the widespread availability of such tools leaves me concerned that we are just beginning to scratch the surface of the harm caused by these products.”
Google did not immediately respond to a request for comment.