Security Week

Amnesty Reveals Cellebrite Zero-Day Android Exploit on Serbian Student Activist

Ryan Naraine February 28, 2025

Amnesty International on Friday released technical details on zero-day vulnerabilities exploited by Cellebrite’s mobile forensic tools to spy on a Serbian student activist.

The investigation, which builds on a December 2024 report, found evidence that authorities in Serbia used the Cellebrite UFED system to bypass the lock screen on an Android device.

The privacy rights organization said its forensic analysis showed that the exploit chain targeted core Linux USB drivers – a class of vulnerabilities that could affect over a billion Android devices.

Amnesty International said the newly discovered attack leveraged a zero‐day exploit against the Android USB kernel drivers, enabling attackers to achieve root access.

One of the key vulnerabilities exploited (CVE-2024-53104) involved an out-of-bound write bug in the Linux USB Video Class (UVC) driver. Two additional security defects — CVE-2024-53197 and CVE-2024-50302 — were also identified and have been patched either in the Linux kernel or through Android security updates.

In the incident, Amnesty International said the student activist had his Samsung Galaxy A32 seized during a protest last December. After turning his phone off upon entering a police station, the device was later powered on by plain-clothes officers.

Amnesty International said detailed logs from the phone confirmed that the Cellebrite system, using a hardware dongle known as Turbo Link, emulated several USB devices to trigger the exploit chain. These emulated devices – including a UVC webcam, sound cards, a touchpad, and a HID device – were used in rapid succession to trigger code execution and ultimately unlock the device.

“[The exploit] enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone’s lock screen and gain privileged access on the device. As the exploit targets core Linux kernel USB drivers, the impact is not limited to a particular device or vendor and could affect a very wide range of devices,” Amnesty International said.

Advertisement. Scroll to continue reading.

“The same vulnerabilities could also expose Linux computers and Linux-powered embedded devices to physical attacks, although there is no evidence that this exploit chain has been designed to target non-Android Linux devices,” the agency added.

Amnesty International said the case highlights how real-world attackers are exploiting Android’s USB attack surface, taking advantage of the broad range of legacy USB kernel drivers supported in the Linux kernel.

“Android vendors must urgently strengthen defensive security features to mitigate threats from untrusted USB connections to locked devices,” Amnesty International declared

The researchers worked with Google’s threat analysis team to mitigate the issue and said upstream patches for additional vulnerabilities in this chain will be made available by Android vendors over the coming months.

“As the attack described in this blog requires physical access to the device and in-depth engineering efforts, the risk of reuse of this exploit is relatively low. However, to mitigate this risk, we are holding off sharing the technical details about the identified vulnerabilities until security patches are available from all major Android vendors,” the group said.

“We are also not disclosing all associated crash logs and exploitation artifacts at this time.”

Cellebrite, an Israeli software vendor that sells mobile forensics tools for law enforcement use, this week confirmed it had suspended the use of its products by the relevant Serbian customers after the latest disclosure.

However, Amnesty International’s latest findings indicate that such misuse of forensic tools continues, with evidence of additional cases targeting civil society.

“[We] found evidence of at least two further cases of misuse of Cellebrite against civil society (beyond the ones noted in the report), suggesting that the practice remains widespread and that Serbia’s Security-Information Agency (Bezbedonosno-informativna agencija – BIA) and the Serbian security services remain confident that they can continue using such oppressive tactics with impunity,” the group added.