Full Report
Serbian security services used one of the actively exploited vulnerabilities to break into the phone of a youth activist in Serbia, according to Amnesty International. The post Google addresses 2 actively exploited vulnerabilities in security update appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Actively Exploited Flaws in Android Linux Kernel USB Driver
## CVE Details
- CVE ID: CVE-2024-53197, CVE-2024-53150
- CVSS Score: CVE-2024-53150 is 7.1 (High). Severity for CVE-2024-53197 is not explicitly detailed but is part of an actively exploited pair.
- CWE: Not specified in detail (Related to memory/driver manipulation due to kernel component).
## Affected Systems
- Products: Android Devices (Components affected: Linux kernel's USB audio driver, Android System, Android Framework).
- Versions: Devices receiving the April 2025 security update (specific baseline versions not listed, but covered by the April 2025 patch levels).
- Configurations: Affects devices utilizing the affected Linux kernel USB audio driver component.
## Vulnerability Description
Google addressed two high-severity, actively exploited vulnerabilities affecting the Linux kernel's USB audio driver within Android devices. CVE-2024-53150 (CVSS 7.1) allows attackers to obtain potentially sensitive data. CVE-2024-53197 is noted as part of a zero-day exploit chain developed by Cellebrite. The update also addressed 60 other vulnerabilities, including critical flaws in the Android system and framework.
## Exploitation
- Status: May be under limited, targeted exploitation. CVE-2024-53197 was used by Serbian security services against a youth activist via a Cellebrite zero-day exploit chain.
- Complexity: Implied Medium/High due to kernel-level impact and documented state actor/professional surveillance vendor use.
- Attack Vector: Likely local or network-adjacent, given the kernel driver target, but exploitation details are not fully disclosed beyond the reported misuse.
## Impact
- Confidentiality: High (CVE-2024-53150 specifically allows obtaining potentially sensitive data).
- Integrity: Not specified, but kernel exploitation typically implies high integrity risk.
- Availability: Not specified, but kernel component flaws present a risk of system instability or denial of service.
## Remediation
### Patches
- Android April 2025 Security Update, with patch levels:
  - 2025-04-01
  - 2025-04-05 (This patch level includes fixes for five Linux kernel vulnerabilities).
- Source code patches will be released to the Android Open Source Project repository by Wednesday (the exact date relative to the article's publication is not given).
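
The patch-level split above matters when auditing a fleet: a device reporting 2025-04-01 has taken the April update but not the 2025-04-05 level that carries the Linux kernel fixes. The following is an added example, not code from the bulletin or the article; the inventory format and device names are constructed, and it assumes the two USB audio driver CVEs are among the kernel fixes at 2025-04-05.

```python
import csv
import io
from datetime import date

# Patch levels taken from the Remediation section of this page.
FRAMEWORK_SPL = date(2025, 4, 1)   # 2025-04-01
KERNEL_SPL = date(2025, 4, 5)      # 2025-04-05, listed with the Linux kernel fixes

# Constructed sample inventory (hypothetical MDM export). The patch_level column
# holds each device's ro.build.version.security_patch system property.
SAMPLE_INVENTORY = """device_id,patch_level
pixel-001,2025-04-05
tablet-014,2025-04-01
phone-207,2025-03-05
kiosk-033,2025-05-01
phone-311,unknown
"""

def classify(patch_level):
    """Map a security patch level string to a remediation status."""
    try:
        spl = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "unknown"        # missing or malformed value: treat as unverified
    if spl >= KERNEL_SPL:
        return "patched"
    if spl >= FRAMEWORK_SPL:
        return "partial"        # April update applied, kernel-level fixes not included
    return "unpatched"

def audit(inventory_csv):
    """Return {status: [device_id, ...]} for every row in the inventory."""
    report = {"patched": [], "partial": [], "unpatched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row.get("patch_level") or "")].append(row["device_id"])
    return report

if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(devices) or '-'}")
```

Devices in the `partial` and `unknown` groups need follow-up just as much as the `unpatched` ones, since neither can be shown to carry the kernel driver fixes.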
### Workarounds
- No specific workarounds were mentioned other than applying the patch. Disabling USB audio functionality might be a theoretical mitigation against the driver flaw, but is not advised as a standard procedure.
## Detection
- Indicators of Compromise (IoCs): Not specified.
- Detection methods and tools: Detection would likely focus on monitoring for unusual activity following zero-day exploitation, especially related to kernel memory access or data exfiltration following the exploitation chain disclosed by Amnesty International.
## References
- Vendor Advisory: [source.android.com/docs/security/bulletin/2025-04-01](https://source.android.com/docs/security/bulletin/2025-04-01)
- Exploitation Report: [securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/](https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/)