A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit developed by Cellebrite to unlock the device, according to a new report from Amnesty International.
“The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite,” the international non-governmental organization said, adding the traces of the exploit were discovered in a separate case in mid-2024.
The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver. A patch for the flaw was addressed in the Linux kernel in December 2024. It was subsequently addressed in Android earlier this month.
It’s believed that CVE-2024-53104 was combined with two other flaws – CVE-2024-53197 and CVE-2024-50302 – both of which have been resolved in the Linux kernel. They are yet to be included in an Android Security Bulletin.
- CVE-2024-53197 (CVSS score: N/A) – An out-of-bounds access vulnerability for Extigy and Mbox devices
- CVE-2024-50302 (CVSS score: 5.5) – A use of an uninitialized resource vulnerability that could be used to leak kernel memory
“The exploit, which targeted Linux kernel USB drivers, enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone’s lock screen and gain privileged access on the device,” Amnesty said.
“This case highlights how real-world attackers are exploiting Android’s USB attack surface, taking advantage of the broad range of legacy USB kernel drivers supported in the Linux kernel.”
The activist, who has been given the name “Vedran” to protect their privacy, was taken to a police station and his phone confiscated on December 25, 2024, after he attended a student protest in Belgrade.
Amnesty’s analysis found that the exploit was used to unlock his Samsung Galaxy A32 and that the authorities attempted to install an unknown Android application. While the exact nature of the Android app remains unclear, the modus operandi is consistent with that of prior NoviSpy spyware infections reported in mid-December 2024.
Earlier this week, Cellebrite said its tools are not designed to facilitate any type of offensive cyber activity and that it works actively to curtail the misuse of its technology.
The Israeli company also said it will no longer allow Serbia to use its software, stating “we found it appropriate to stop the use of our products by the relevant customers at this time.”
