Serbian student activist’s phone hacked using Cellebrite zero-day exploit

Pierluigi Paganini March 03, 2025

Amnesty International reports that a Cellebrite zero-day exploit was used to unlock a Serbian activist’s Android phone.

Amnesty International reported that a Cellebrite zero-day exploit was used to unlock the Android smartphone of a Serbian activist.

In a statement published on 25 February 2025, Cellebrite announced that it had blocked Serbia from using its solution after reports that police used it to unlock and infect the phones of a journalist and activist.

“the Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite. Amnesty International first found traces of this Cellebrite USB exploit used in a separate case in mid-2024.” reads the report published by Amnesty International. “Since the exploits identified in this research target core Linux kernel USB drivers, the vulnerability is not limited to a particular device or vendor and could impact over a billion Android devices.”

In 2024, the Security Lab provided evidence of a Cellebrite zero-day exploit chain to industry partners, leading Google to identify three vulnerabilities. CVE-2024-53104 was patched in Android’s February 2025 update, while CVE-2024-53197 and CVE-2024-50302 (CVSS score of 5.5) were patched in the Linux kernel but not yet in Android.

The vulnerability CVE-2024-53104 (CVSS score: 7.8) is a privilege escalation flaw in the Linux kernel’s USB Video Class (UVC) driver. An authenticated local attacker could exploit the flaw to elevate privileges in a low-complexity attack.

The issue stems from improper parsing of UVC_VS_UNDEFINED frames, causing miscalculation of the frame buffer size and potentially leading to arbitrary code execution or denial-of-service attacks.

“In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format. This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming.” reads the advisory.
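To make the mismatch described in the advisory concrete, the following simplified C model (added for this article; it is not the kernel’s uvcvideo code) sizes a buffer by counting only the frame types it recognizes and then parses every frame. With `skip_undefined` cleared it reproduces the defect pattern; with it set it applies the same remedy the patch took, skipping the uncounted type. The descriptor type values and the sample descriptor list are constructed.

```c
/* Simplified model of the CVE-2024-53104 sizing/parsing mismatch.
 * Constructed for illustration; not the real uvcvideo driver code. */
#include <stdlib.h>
#include <stdint.h>

#define VS_UNDEFINED   0x00  /* stands in for UVC_VS_UNDEFINED */
#define VS_FRAME_TYPE  0x05  /* constructed: a frame type the sizer counts */

struct frame {
    uint8_t type;   /* descriptor subtype */
    uint8_t index;  /* payload written into the frames buffer */
};

/* Sizing step (mirrors uvc_parse_streaming): only known frame types
 * contribute to the buffer size; VS_UNDEFINED frames are not counted. */
static size_t count_known_frames(const struct frame *d, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (d[i].type == VS_FRAME_TYPE)
            c++;
    return c;
}

/* Parsing step (mirrors uvc_parse_format). skip_undefined == 0 reproduces
 * the defect: every frame is written, including the uncounted ones. The
 * guard below turns what would be an out-of-bounds write into a -1 return
 * so the mismatch is observable without corrupting memory.
 * skip_undefined == 1 applies the fix: VS_UNDEFINED frames are skipped. */
static int parse_frames(const struct frame *d, size_t n, int skip_undefined,
                        size_t *written)
{
    size_t cap = count_known_frames(d, n);
    uint8_t *buf = calloc(cap ? cap : 1, sizeof *buf);
    size_t w = 0;
    int rc = 0;

    for (size_t i = 0; i < n; i++) {
        if (skip_undefined && d[i].type == VS_UNDEFINED)
            continue;                 /* the patched behaviour */
        if (w >= cap) {               /* sizer and parser disagree */
            rc = -1;
            break;
        }
        buf[w++] = d[i].index;
    }
    free(buf);
    *written = w;
    return rc;
}
```

A descriptor list holding two counted frames and one VS_UNDEFINED frame yields a two-slot buffer; without the skip the third write is rejected, with the skip parsing completes with two entries.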

Cellebrite’s exploit targeted Linux kernel USB drivers, allowing users to bypass Android lock screens with physical access. It could affect many devices, including Linux computers and embedded systems, though no evidence suggests non-Android targets.

“The exploit, which targeted Linux kernel USB drivers, enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone’s lock screen and gain privileged access on the device. As the exploit targets core Linux kernel USB drivers, the impact is not limited to a particular device or vendor and could affect a very wide range of devices. The same vulnerabilities could also expose Linux computers and Linux-powered embedded devices to physical attacks, although there is no evidence that this exploit chain has been designed to target non-Android Linux devices. Android vendors must urgently strengthen defensive security features to mitigate threats from untrusted USB connections to locked devices.” continues Amnesty.

Amnesty International said that a 23-year-old student activist (named Vedran to preserve his privacy) was attending a ruling party event in Serbia on December 25, 2024. Upon arrival, he was forcibly taken by seven plainclothes men, interrogated for six hours at a Belgrade police station, and pressured to unlock his phone. He refused, but his phone was taken and later returned switched off at 12:45 AM. Amnesty International documented the incident.

The forensic analysis conducted by Amnesty found that the Serbian police used the Cellebrite exploit to unlock Vedran’s Samsung Galaxy A32 and install an unknown Android application likely linked with the NoviSpy spyware.

“Amnesty International’s Security Lab performed a forensic analysis on “Vedran’s” Samsung Galaxy A32 to check if the device was tampered with while “Vedran” was detained at the police station. The forensic analysis found clear evidence of exploitation which Amnesty International can confidently attribute to the use of Cellebrite’s UFED product.” continues the report. “The logs also show that the Cellebrite product enabled the authorities to successfully gain privileged root access to the phone and to unlock the device.

| Timestamp (Local Time) | Event |
|---|---|
| 2024-12-25 18:36:10 | “Vedran” turned his phone off. |
| 2024-12-25 20:01:14 | Phone turned on for the first time in police station. |
| 2024-12-25 20:22:13 | Phone turned on again at police station. |
| 2024-12-25 20:24:37 | Emulated USB device (consistent with Cellebrite Turbo Link) connected to phone. |
| 2024-12-25 20:28:38 | Forensic traces of successful Cellebrite exploit and achieving code execution as the root user. |
| 2024-12-25 20:30:11 | Additional traces of Cellebrite activity on device. |
| 2024-12-25 20:37:15 | Traces show phone screen unlocked. |
| 2024-12-25 20:37:59 | Phone reboot triggered through Android shell. |

Forensic traces of Cellebrite use on the protester’s Android device

Amnesty International found evidence that the Serbian authorities attempted to install an unknown Android application after the phone was unlocked with Cellebrite. Due to limited forensic logs, it was not possible to identify the specific Android app the authorities intended to install. However, this attempt to covertly install an Android app after using Cellebrite to unlock it is consistent with the previous cases of NoviSpy spyware infections documented by Amnesty International.”

Earlier this week, the Israeli company Cellebrite announced that it is suspending the provision of its technology to Serbia due to reports of abuse by local police. Below is the statement published by the company.

“After a review of the allegations brought forth by the December 2024 Amnesty International report, Cellebrite took precise steps to investigate each claim in accordance with our ethics and integrity policies. We found it appropriate to stop the use of our products by the relevant customers at this time.” reads the announcement. “We assess countries we do business with – both on an annual and ad-hoc basis due to political and cultural shifts. We regularly track countries and review a multitude of indexes ranging from democratization to human rights to rule of law. Our robust compliance and ethics program is designed so that democratized nations around the globe use our technology ethically and lawfully – all paramount to our mission of accelerating justice, safeguarding communities and helping to save lives.”

“This decision reinforces Amnesty International’s December findings that Serbian police and intelligence routinely misused Cellebrite’s digital forensic equipment outside legally sanctioned processes to target civil society activists and independent journalists critical of the government.” said Donncha Ó Cearbhaill, Head of the Security Lab at Amnesty International.   

“Withdrawing licences from customers who misused the equipment for political reasons is a critical first step. Now, Serbian authorities must urgently conduct their own thorough and impartial investigations, hold those responsible to account, provide remedies to victims and establish adequate safeguards to prevent future abuse.”    

“Any further exports of surveillance or digital forensics technology to Serbia must be stopped until the authorities have implemented an effective and independent system of control and oversight over any measures that could restrict people’s right to privacy, freedom of expression or peaceful assembly.”  added Donncha Ó Cearbhaill.
