Full Report
A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit developed by Cellebrite to unlock the device, according to a new report from Amnesty International. "The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite," the international non-governmental
Analysis Summary
# Vulnerability: Cellebrite Zero-Day Exploit Chain Targeting Android USB Drivers
## CVE Details
- CVE ID: CVE-2024-53104 (Primary identified flaw)
- CVSS Score: 7.8 (High) for CVE-2024-53104
- CWE: Privilege Escalation (Inferred for CVE-2024-53104)
- CVE ID: CVE-2024-53197 (Out-of-bounds access)
- CVE ID: CVE-2024-50302 (Use of uninitialized resource)

*(Note: Other associated CVEs were identified but lacked public CVSS scores in the source text.)*
## Affected Systems
- Products: Android Devices (Specifically noted: Samsung Galaxy A32)
- Versions: Unspecified Android versions running the vulnerable Linux kernel components.
- Configurations: Devices where the attacker has physical access and the device screen is locked. The exploit chain targets Android USB drivers.
## Vulnerability Description
The vulnerability involves an exploit chain primarily stemming from **CVE-2024-53104**, a privilege escalation flaw within a **USB Video Class (UVC) driver**, a kernel component. This flaw was combined with two other vulnerabilities (**CVE-2024-53197** and **CVE-2024-50302**) in the Linux kernel USB drivers. When chained together, the exploit allows an attacker with physical access to a locked Android device to bypass the device's lock screen and gain privileged access. The exploitation leverages legacy USB kernel drivers in the Linux kernel.
## Exploitation
- Status: **Exploited in the wild** (Used against a Serbian activist's phone).
- Complexity: Implied **Medium/High** (Requires specialized tools/knowledge, provided by a vendor to customers, utilized in a sophisticated chain).
- Attack Vector: **Physical** (Requires physical access to the locked device via USB).
## Impact
- Confidentiality: **High** (Allows privileged access, potentially leading to data extraction or installation of monitoring software like NoviSpy spyware).
- Integrity: **High** (Allows privileged access, enabling unauthorized modification or installation of applications).
- Availability: **Medium** (Potential for device instability or denial of access if the malicious application interferes with core functions).
## Remediation
### Patches
The vulnerabilities have been addressed in the underlying Linux kernel, but Android-specific integration timing varies:
- **CVE-2024-53104 Patch:** Addressed in the Linux kernel in December 2024. Addressed in Android "earlier this month" (relative to the article date).
- **CVE-2024-53197 & CVE-2024-50302 Patches:** Resolved in the Linux kernel, but **not yet included in an Android Security Bulletin** at the time of the report.
### Workarounds
The source text details no specific workarounds. It implies only that physical security and preventing unauthorized USB connections might temporarily limit this specific attack vector.
## Detection
- Indicators of Compromise: Evidence of an unknown Android application being installed following device access by external parties (e.g., law enforcement). Modus operandi is suggestive of prior NoviSpy spyware infections.
- Detection Methods and Tools: Amnesty International's analysis identified the traces of the exploit. Specific IoCs related to the exploit payload are not detailed, suggesting reliance on advanced forensic analysis tools.
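
The indicator above (an unknown application appearing after the device was out of its owner's hands) can be triaged from package install timestamps. This is an added example, not code from the Amnesty report or this page: it assumes the output of `adb shell dumpsys package packages` saved as text, and the sample dump, package names and custody window are constructed.

```python
import re
from datetime import datetime

# Field layout assumed from typical `dumpsys package packages` output.
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
TIME_RE = re.compile(r"^\s*(firstInstallTime|lastUpdateTime)=(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
FMT = "%Y-%m-%d %H:%M:%S"  # dumpsys prints device-local time, no zone

def parse_packages(dump):
    """Map package name -> install/update timestamps and installer."""
    pkgs, cur = {}, None
    for line in dump.splitlines():
        if (m := PKG_RE.match(line)):
            cur = pkgs.setdefault(m.group(1), {"installer": None})
        elif cur is not None and (m := TIME_RE.match(line)):
            cur[m.group(1)] = datetime.strptime(m.group(2), FMT)
        elif cur is not None and (m := INSTALLER_RE.match(line)):
            cur["installer"] = m.group(1)
    return pkgs

def installed_during(dump, start, end):
    """Packages first installed or updated inside the custody window."""
    hits = []
    for name, info in parse_packages(dump).items():
        for field in ("firstInstallTime", "lastUpdateTime"):
            ts = info.get(field)
            if ts and start <= ts <= end:
                hits.append((name, field, ts.strftime(FMT), info["installer"]))
                break
    return sorted(hits, key=lambda h: h[0])

# Constructed sample: one store-installed app, one app with no installer
# recorded that appeared while the phone was held by a third party.
SAMPLE = """\
Packages:
  Package [com.example.mail] (aaa111):
    firstInstallTime=2024-11-02 09:15:40
    lastUpdateTime=2024-12-20 18:01:03
    installerPackageName=com.android.vending
  Package [com.example.unknownsvc] (bbb222):
    firstInstallTime=2025-01-10 13:42:07
    lastUpdateTime=2025-01-10 13:42:07
"""

if __name__ == "__main__":
    for hit in installed_during(SAMPLE, datetime(2025, 1, 10, 12), datetime(2025, 1, 10, 16)):
        print(hit)
```

A hit with no recorded installer inside the window is a lead for forensic follow-up, not proof of compromise; system updates and user installs can fall in the same period.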
## References
- Vendor Advisory (Cellebrite): Cellebrite stated that they have stopped providing services to the relevant Serbian customers and that their tools are not intended for offensive cyber activity.
- Amnesty International Report: securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/ (Defanged)
- Linux Kernel Reference (CVE-2024-53104 patch reference): Mentioned as fixed in December 2024.
- Linux Kernel Reference (CVE-2024-53197): lore.kernel.org/linux-cve-announce/2024122725-CVE-2024-53197-6aef@gregkh/ (Defanged)
- Linux Kernel Reference (CVE-2024-50302): lore.kernel.org/linux-cve-announce/2024111908-CVE-2024-50302-f677@gregkh/ (Defanged)