Android Phones Unlocked via Cellebrite Zero-Day Exploit

Amnesty International’s Security Lab discovered a cyber-espionage campaign in Serbia, where authorities used a zero-day exploit chain from Cellebrite to unlock a student activist’s Android phone.

Cellebrite Zero-Day Exploit

The attack on December 25, 2024, used vulnerabilities in Linux kernel USB drivers to bypass lock-screen protections on a Samsung Galaxy A32.

Forensic analysis showed the exploit used outdated USB driver flaws to gain root access, extract data, and try to install surveillance tools. This highlights the misuse of digital forensics tools against civil society and gaps in Android’s protection against physical access attacks.

The attack used emulated USB devices to exploit memory corruption flaws in the Linux kernel. Forensic logs show authorities connected malicious devices via Cellebrite’s Turbo Link adapter, including:

  • A Chicony CNF7129 webcam (CVE-2024-53104) targeting a USB Video Class driver flaw.
  • A Creative Extigy SoundBlaster (CVE-2024-53197) causing descriptor corruption during setup.
  • An Anton Touch Pad (CVE-2024-50302) leaking kernel memory through HID reports.

These vulnerabilities, from code dating back to 2010-2013, were patched in Linux 6.6+ and the February 2025 Android Security Bulletin.

Attackers combined the flaws to escalate privileges, with kernel logs showing root access 10 seconds after the final USB HID device connection.
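As an added example (not code from the Amnesty report, Google TAG, or this article): a small Python triage script that scans dmesg-style kernel log lines for the pattern a forensic analyst would look for given the sequence described above, namely several distinct USB devices enumerating on one port within a short window. The log lines, product strings and timestamps are constructed for the example.

```python
import re

# Constructed dmesg-style sample mirroring the sequence the article describes (webcam,
# USB audio device, HID touchpad on one port within seconds); all values are made up.
SAMPLE_DMESG = """\
[  100.001] usb 1-1: new high-speed USB device number 4 using xhci-hcd
[  100.120] usb 1-1: Product: CNF7129 webcam
[  103.002] usb 1-1: new full-speed USB device number 5 using xhci-hcd
[  103.150] usb 1-1: Product: SoundBlaster Extigy
[  106.010] usb 1-1: new low-speed USB device number 6 using xhci-hcd
[  106.200] usb 1-1: Product: Anton Touch Pad
"""

NEW_DEV = re.compile(r"^\[\s*(?P<ts>[\d.]+)\] usb (?P<port>[\d.-]+): new .* device number \d+")
PRODUCT = re.compile(r"^\[\s*(?P<ts>[\d.]+)\] usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")

def parse_enumerations(log_text):
    """Return (timestamp, port, product) per USB enumeration, product taken from the next 'Product:' line on that port."""
    events, pending = [], {}  # pending: port -> index of event awaiting its Product line
    for line in log_text.splitlines():
        m = NEW_DEV.match(line)
        if m:
            events.append([float(m["ts"]), m["port"], "<unknown>"])
            pending[m["port"]] = len(events) - 1
            continue
        m = PRODUCT.match(line)
        if m and m["port"] in pending:
            events[pending.pop(m["port"])][2] = m["name"].strip()
    return [tuple(e) for e in events]

def find_usb_bursts(log_text, window_s=60.0, min_devices=3):
    """Per port, report runs of >= min_devices enumerations within window_s of the first."""
    by_port = {}  # one cable insertion normally enumerates a single device, not a rapid series
    for ev in parse_enumerations(log_text):
        by_port.setdefault(ev[1], []).append(ev)
    bursts = []
    for evs in by_port.values():
        evs.sort()
        group = [evs[0]]
        for ev in evs[1:]:
            if ev[0] - group[0][0] <= window_s:
                group.append(ev)
            else:
                if len(group) >= min_devices:
                    bursts.append(group)
                group = [ev]
        if len(group) >= min_devices:
            bursts.append(group)
    return bursts  # each burst is a list of (timestamp, port, product) tuples
```

On a real device the same logic can be pointed at a saved dmesg or logcat kernel buffer; the window and device count are tunable starting points, not a signature for the specific exploit chain.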

The victim, a 23-year-old student named “Vedran,” was detained during December 2024 protests in Serbia. Device logs support his account:

Post-exploitation activity included using find/grep for file enumeration and deploying Cellebrite’s “falcon” binary for data extraction. Although the target APK failed to install due to a biometric lock, the breach exposed call logs, messages, and protest details.

Google’s Threat Analysis Group worked with Amnesty to analyze the exploits, leading to patches for the three CVEs. However, as of March 2025, over 40% of Android devices remain unpatched due to fragmented vendor updates.

Cellebrite suspended its Serbian clients on February 25, 2025, stating: “We found it appropriate to stop use of our products… Our compliance program ensures ethical, lawful use.” Critics argue this lacks transparency, as Cellebrite did not disclose the suspension duration or human rights safeguards. The company’s Premium UFED toolkit is still active in 78 countries despite abuse in 12 since 2022.

About the Author:

FirstHackersNews - Identifies Security
