Full Report
Serbian authorities have reportedly used an Android zero-day exploit chain developed by Cellebrite to unlock the device of a student activist in the country and attempt to install spyware. [...]
Analysis Summary
# Vulnerability: Android USB Exploits Used by Serbian Police Against Locked Devices
## CVE Details
- CVE ID: CVE-2024-53104, CVE-2024-53197, CVE-2024-50302 (Note: the article focuses on Cellebrite's use of these vulnerabilities; it does not give severity scores or CWEs for them.)
- CVSS Score: Not specified in the text.
- CWE: Not specified in the text, but likely a memory-corruption weakness in USB drivers or kernel components.
## Affected Systems
- Products: Android devices (the article does not list the specific models or vendors targeted by Cellebrite's exploit chain; the exploitation targets Android's USB subsystem and kernel).
- Versions: Unknown; the flaws were zero-days being actively exploited at the time of reporting.
- Configurations: Exploitation requires physical access to the target device and relies on USB connectivity.
## Vulnerability Description
Serbian police reportedly used a sophisticated zero-day exploit chain, delivered through Cellebrite forensic tools, to unlock locked Android phones. The chain appears to leverage three distinct vulnerabilities (CVE-2024-53104, CVE-2024-53197, and CVE-2024-50302) residing in the device's USB drivers or kernel components. These flaws allow an attacker with physical access to gain unauthorized access to the device, potentially through memory corruption and arbitrary code execution (ACE), or to bypass the lock screen.
## Exploitation
- Status: Exploited in the wild (Reported use by Serbian police).
- Complexity: Assumed High (a zero-day chain requiring specialized forensic tools such as Cellebrite's).
- Attack Vector: Physical (Requires physical connection to the target device via USB).
## Impact
- Confidentiality: High (Allows extraction of data from a locked device).
- Integrity: High (Potential for arbitrary code execution).
- Availability: Low (Primary focus is data extraction, not system denial).
## Remediation
### Patches
- CVE-2024-53104: No specific patch information is provided, but according to Amnesty, patching this single flaw *might* disrupt the entire chain.
- CVE-2024-53197 and CVE-2024-50302: GrapheneOS indicates it has already shipped patches, since it regularly tracks the latest Linux kernel. Google's timeline for a general Android release is pending.
### Workarounds
Users can mitigate this type of threat by:
1. Turning off USB debugging (ADB).
2. Setting the cable connectivity mode to "Charge Only."
3. Enabling Full Disk Encryption (Settings → Security & privacy → More security & privacy → Encryption & credentials → Encrypt phone).
## Detection
- Indicators of Compromise (IoCs): Not specified; these are zero-day kernel/driver flaws.
- Detection methods and tools: Where deep forensic analysis tools are available, monitor for unexpected USB activity or unauthorized kernel/driver modifications.
## References
- Vendor Advisories: Awaiting a response from Google regarding general Android security patches.
- Relevant links:
  - bleepingcomputer.com/news/security/serbian-police-used-cellebrite-zero-day-hack-to-unlock-android-phones/
  - bleepingcomputer.com/news/security/google-fixes-two-pixel-zero-day-flaws-exploited-by-forensics-firms/
  - bleepingcomputer.com/news/apple/apple-fixes-zero-day-exploited-in-extremely-sophisticated-attacks/