Amnesty Finds Cellebrite’s Zero-Day Used to Unlock Serbian Activist’s Android Phone - The Hacker News
Ravie Lakshmanan | Feb 28, 2025 | Mobile Security / Zero-Day
A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit developed by Cellebrite to unlock the device, according to a new report from Amnesty International.
"The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite," the international non-governmental organization said, adding that traces of the exploit were discovered in a separate case in mid-2024.
The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver. A patch for the flaw was released for the Linux kernel in December 2024. It was subsequently addressed in Android earlier this month.
It's believed that CVE-2024-53104 was combined with two other flaws – CVE-2024-53197 and CVE-2024-50302 – both of which have been resolved in the Linux kernel. They are yet to be included in an Android Security Bulletin.
CVE-2024-53197 (CVSS score: N/A) - An out-of-bounds access vulnerability for Extigy and Mbox devices
CVE-2024-50302 (CVSS score: 5.5) - A use of an uninitialized resource vulnerability that could be used to leak kernel memory
"The exploit, which targeted Linux kernel USB drivers, enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone's lock screen and gain privileged access on the device," Amnesty said.
"This case highlights how real-world attackers are exploiting Android's USB attack surface, taking advantage of the broad range of legacy USB kernel drivers supported in the Linux kernel."
The activist, who has been given the name "Vedran" to protect his privacy, was taken to a police station and had his phone confiscated on December 25, 2024, after he attended a student protest in Belgrade.
Amnesty's analysis found that the exploit was used to unlock his Samsung Galaxy A32 and that the authorities attempted to install an unknown Android application. While the exact nature of the Android app remains unclear, the modus operandi is consistent with that of prior NoviSpy spyware infections reported in mid-December 2024.
Earlier this week, Cellebrite said its tools are not designed to facilitate any type of offensive cyber activity and that it works actively to curtail the misuse of its technology.
The Israeli company also said it will no longer allow Serbia to use its software, stating "we found it appropriate to stop the use of our products by the relevant customers at this time."