A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit developed by Cellebrite to unlock the device, according to a new report from Amnesty International.
“The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite,” the international non-governmental organization said, adding that traces of the exploit were discovered in a separate case in mid-2024.
The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver. The flaw was patched in the Linux kernel in December 2024. It was subsequently addressed in Android earlier this month.
It is believed that CVE-2024-53104 was combined with two other flaws – CVE-2024-53197 and CVE-2024-50302 – both of which have been resolved in the Linux kernel. They are yet to be included in an Android Security Bulletin.
- CVE-2024-53197 (CVSS score: N/A) – An out-of-bounds access vulnerability for Extigy and Mbox devices
- CVE-2024-50302 (CVSS score: 5.5) – A use of an uninitialized resource vulnerability that could be used to leak kernel memory
“The exploit, which targeted Linux kernel USB drivers, enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone’s lock screen and gain privileged access on the device,” Amnesty said.
“This case highlights how real-world attackers are exploiting Android’s USB attack surface, taking advantage of the broad range of legacy USB kernel drivers supported in the Linux kernel.”
The activist, who has been given the name “Vedran” to protect their privacy, was taken to a police station and his phone confiscated on December 25, 2024, after he attended a student protest in Belgrade.
Amnesty’s analysis found that the exploit was used to unlock his Samsung Galaxy A32 and that the authorities attempted to install an unknown Android application. While the exact nature of the Android app remains unclear, the modus operandi is consistent with that of prior NoviSpy spyware infections reported in mid-December 2024.
Earlier this week, Cellebrite said its tools are not designed to facilitate any type of offensive cyber activity and that it works actively to curtail the misuse of its technology.
The Israeli company also said it will no longer allow Serbia to use its software, stating “we found it appropriate to stop the use of our products by the relevant customers at this time.”