Serbian Police Hack Protester's Phone via Exploit Chain - Dark Reading
Serbian Police Hack Protester's Phone With Cellebrite Exploit Chain
Amnesty International said Serbian police used an exploit chain in tandem with a legitimate mobile extraction dongle from vendor Cellebrite, an attack that raises questions about ethical technology development.
Alexander Culafi,Senior News Writer,Dark Reading
March 4, 2025
Serbian law enforcement officials are using a Cellebrite mobile "information extraction" product in tandem with an exploit chain to target dissidents, including most recently the phone of a Serbian student activist.
That's according to Amnesty International, which said in research published Friday that Serbian authorities compromised a student protester's mobile phone using a zero-day exploit chain targeting USB device drivers in the Linux kernel that Android runs on. The findings dovetail with Amnesty's earlier assessment of Serbia as a "digital prison," in which authorities used Cellebrite's flagship Universal Forensic Extraction Device (UFED) products to unlock seized phones and then planted NoviSpy spyware on them to track and monitor individuals, including journalists and activists.
"Serbian authorities have deployed surveillance technology and digital repression tactics as instruments of wider state control and repression directed against civil society," the human rights group detailed in a separate, earlier report.
Tracking Dissent With Spyware
The findings once again showcase how authorities can potentially use technology to further human rights abuses against dissenters, journalists, political opponents, and others. Although this is frequently seen with products like commercial spyware, law enforcement officers in this case used Cellebrite's product with an exploit chain to compromise the activist's phone, along with "at least two further cases of misuse of Cellebrite against civil society" not detailed in the report.
Cellebrite insists that its products, which are used by entities such as governments and law enforcement to extract data from mobile phones, are sold under strict licensing policies and intended for lawful purposes. However, Amnesty International said in its December report that "Privacy International and Access Now have extensively documented weaknesses in Cellebrite's human rights due diligence policies, resulting in sales of Cellebrite to governments with spotty human rights track records and where there is a high risk that such products could be used to target civil society."
In this most recent case, Amnesty International said the 23-year-old student activist (to whom it gave the alias "Vedran" for privacy reasons) was attending a protest on Dec. 25 when seven men in plain clothes confronted him and "forced" him into a vehicle. They demanded he show them his phone, a Samsung Galaxy A32; when he refused, he was driven to a police station.
"'Vedran' told Amnesty International that as soon as he entered the police station, around 6:30 p.m. local time, he switched off his telephone and handed it over to the officers. He was led to an office on the first floor and, for the next six hours, questioned by four men in civilian clothes who never introduced themselves," the report read. "His phone was returned to him around 12:45 a.m. It was switched off."
Later, the student asked Amnesty International's Security Lab to test the device.
"The forensic analysis found clear evidence of exploitation, which Amnesty International can confidently attribute to the use of Cellebrite's UFED product," Amnesty International said. "The logs also show that the Cellebrite product enabled the authorities to successfully gain privileged root access to the phone and to unlock the device," along with "clear evidence of a Cellebrite USB exploit chain."
Inside a Zero-Day Mobile Exploit Chain
The exploit chain comprises three vulnerabilities, the researchers found, all in Linux kernel USB device drivers that Android inherits. First is CVE-2024-53104, an out-of-bounds write in the USB Video Class (uvcvideo) driver that can be used for privilege escalation; it was patched in Android's February security update and added to CISA's Known Exploited Vulnerabilities catalog. The other two, CVE-2024-53197 (an out-of-bounds access in the USB audio driver) and CVE-2024-50302 (a report buffer in the USB HID core that was not zero-initialized, disclosing kernel memory), were patched upstream but, as the report noted, had not been included in an Android security update as of press time.
A Google spokesperson tells Dark Reading the company "promptly developed fixes" and that the CVEs will be included in future Android Security Bulletins.
"We were aware of these vulnerabilities and exploitation risk prior to these reports and promptly developed fixes for Android," the spokesperson says. "Fixes were shared with OEM partners in a partner advisory on Jan. 18. These CVEs will also be included in future Android Security Bulletins and required by Android Security Patch Level (SPL). As a best security practice, we always advise users to update their devices as soon as security patches or software updates become available."
Based on Amnesty International's forensics, the attack involved connecting a series of emulated USB peripherals to Vedran's locked phone: first to disclose kernel memory, then to groom the kernel heap, and finally to achieve arbitrary kernel code execution. The Cellebrite hardware dongle delivered this chain over the phone's USB port, and the resulting root access is what let authorities bypass the lock screen and extract the device. The chain therefore requires physical possession of the phone and a USB data connection; it is not a remote attack.
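As an added illustration, here is a small user-space model of the two bug classes the chain relies on: an allocated-but-not-zeroed report buffer that leaks whatever the heap held before (the memory-disclosure step) and a descriptor parser that trusts a device-supplied length and writes past its fixed-size entry (the out-of-bounds write step). This is example code written for this page, not code from the Amnesty report, from Cellebrite, or from the Linux kernel drivers involved; the function names (`read_report`, `parse_frame_desc`, `kmalloc_model`), the simulated heap arena and the sentinel bytes are assumptions. The model keeps the overflow inside one array so the demonstration is deterministic rather than a crash.

```c
/* Added example for this page: a user-space model of the two bug classes in
 * the chain described above. NOT code from the Amnesty report, Cellebrite, or
 * the Linux kernel; names, the arena allocator and sentinel bytes are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- Simulated kernel heap -------------------------------------------- */
#define ARENA_LEN 64
static uint8_t arena[ARENA_LEN];

/* 'A' bytes stand in for data a previous allocation left behind (in a real
 * kernel this could be a pointer that helps defeat KASLR). */
static uint8_t *kmalloc_model(void)
{
    memset(arena, 'A', ARENA_LEN);   /* stale contents, not cleared */
    return arena;
}

static uint8_t *kzalloc_model(void)
{
    memset(arena, 0, ARENA_LEN);     /* cleared before use */
    return arena;
}

/* ---- Step 1: kernel memory disclosure via an uninitialised buffer ------ */
struct usb_reply {
    const uint8_t *data;
    size_t len;   /* bytes the (emulated) device actually sent */
};

/* The driver asks for an ARENA_LEN-sized report, gets a shorter reply, and
 * copies the whole buffer onward (e.g. to user space). With zeroed == false
 * the tail is stale heap data. Returns the number of stale bytes in out[]. */
size_t read_report(const struct usb_reply *reply, bool zeroed, uint8_t out[ARENA_LEN])
{
    uint8_t *buf = zeroed ? kzalloc_model() : kmalloc_model();
    size_t n = reply->len < ARENA_LEN ? reply->len : ARENA_LEN;
    memcpy(buf, reply->data, n);
    memcpy(out, buf, ARENA_LEN);

    size_t stale = 0;
    for (size_t i = n; i < ARENA_LEN; i++)
        if (out[i] != 0)
            stale++;
    return stale;
}

/* ---- Step 2: out-of-bounds write from a device-supplied length ---------- */
#define ENTRY_LEN  8
#define TABLE_LEN 16   /* one ENTRY_LEN entry followed by a neighbouring object */
#define NEIGHBOUR_SENTINEL 0xEE

struct frame_desc {
    uint8_t type;                 /* 0 = undefined, 1 = uncompressed, ... */
    uint8_t blen;                 /* device-supplied payload length */
    uint8_t payload[TABLE_LEN];
};

/* Copies the descriptor payload into the first ENTRY_LEN bytes of table[].
 * The vulnerable variant trusts blen; the hardened variant rejects undefined
 * descriptor types and payloads larger than the entry. Returns true if the
 * descriptor was accepted. */
bool parse_frame_desc(const struct frame_desc *d, bool hardened, uint8_t table[TABLE_LEN])
{
    if (hardened && (d->type == 0 || d->blen > ENTRY_LEN))
        return false;
    size_t n = d->blen;
    if (n > TABLE_LEN)            /* model-only clamp: keeps the demo inside table[] */
        n = TABLE_LEN;
    memcpy(table, d->payload, n); /* n > ENTRY_LEN clobbers the neighbour */
    return true;
}

/* True if the bytes after the entry still hold the sentinel the caller set. */
bool neighbour_intact(const uint8_t table[TABLE_LEN])
{
    for (size_t i = ENTRY_LEN; i < TABLE_LEN; i++)
        if (table[i] != NEIGHBOUR_SENTINEL)
            return false;
    return true;
}

int main(void)
{
    /* Constructed inputs: a 4-byte reply and a descriptor claiming 12 bytes. */
    const uint8_t reply_bytes[4] = {1, 2, 3, 4};
    struct usb_reply reply = { reply_bytes, sizeof reply_bytes };
    uint8_t out[ARENA_LEN];
    printf("unzeroed buffer leaks %zu stale bytes\n", read_report(&reply, false, out));
    printf("zeroed buffer leaks %zu stale bytes\n", read_report(&reply, true, out));

    struct frame_desc bad = { .type = 0, .blen = 12 };
    memset(bad.payload, 0x99, sizeof bad.payload);
    uint8_t table[TABLE_LEN];
    memset(table, NEIGHBOUR_SENTINEL, sizeof table);
    parse_frame_desc(&bad, false, table);
    printf("vulnerable parser: neighbour intact = %d\n", neighbour_intact(table));
    memset(table, NEIGHBOUR_SENTINEL, sizeof table);
    bool accepted = parse_frame_desc(&bad, true, table);
    printf("hardened parser: accepted = %d, neighbour intact = %d\n", accepted, neighbour_intact(table));
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c`. The fix for the first class is a zeroing allocator, which is what the upstream HID patch does; for the second, rejecting descriptors the parser does not understand and bounding every copy by the destination size rather than by the device's claim. Neither check trusts the USB device, which is the whole point when the "device" is an extraction kit emulating peripherals.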
Once the phone was unlocked, Amnesty International found evidence that authorities attempted to install an unknown Android application. Though researchers could not identify the specific app, "it is consistent with the previous cases of NoviSpy spyware infections documented by Amnesty International."
For its part, in a statement published to its website on Feb. 25, Cellebrite said ethical, judicial, and lawful use of its technology is "paramount to our mission of accelerating justice and saving lives around the world." Moreover, the company said its products support lawfully sanctioned investigation and "are not spyware, [or used for] surveillance or any other type of offensive cyber activity."
In a specific response to Amnesty International's December report, Cellebrite said it investigated each claim and "found it appropriate to stop the use of our products by the relevant customers at this time."
Dark Reading requested additional information related to the activity Amnesty International described, but a spokesperson declined to comment further.
Cellebrite's Cyber-Ethical Responsibility
The Amnesty International researchers noted in Friday's report that "the [student protestor] case reinforces the urgency for Cellebrite to introduce meaningful and effective safeguards to reduce the risk of their products enabling human rights abuses, including a thorough review of their due diligence procedures; the implementation of technical mechanisms to limit the invasiveness of Cellebrite forensic tools; and to provide compensation and redress for the victims whose rights have been violated by the unlawful use of their products."
Cellebrite, which sells mobile extraction tools, differs from commercial spyware vendors like NSO Group that outright traffic in exploits and spyware for governments, so attributing responsibility to it for what Serbian authorities did is more complicated. In this case, the USB exploit chain was part of Cellebrite's UFED tooling; the misuse lay in the customer aiming it at a protester rather than at a lawfully sanctioned target.
Roger Grimes, data-driven defense evangelist at security training firm KnowBe4, believes that one "can't control whether the use of any technology is only used for good," and that goodness is subjective.
Noting that there were more than 40,000 publicly announced vulnerabilities last year alone, he points out that any technology with a bug could potentially be used by people to do unethical or questionable things. "Not only do we have to be worried about questionable uses of backdoors and other technologies, but for sure the same technologies and vulnerabilities will be illegally abused by people. It's guaranteed," he says.
But Boris Cipot, senior security engineer at application security vendor Black Duck, says vendors, especially vendors of technologies like Cellebrite's with such obvious malicious use cases, aren't off the hook and bear ethical responsibility even if they can't control end users.
"The user will define [a product] as being good or bad," Cipot tells Dark Reading. "Malware, spyware, or any technology that has a malicious use case of any kind should not be created, except for vendors doing so for legitimate use cases. In these cases, their sales should be transparent, with robust safeguards like customer vetting and kill switches. Vendors should also be accountable for the misuse of their software. The ethical component of every vendor should be present no matter what the product is."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.