Serbian activist's phone targeted with Cellebrite zero-day exploit

A 23-year-old Serbian youth activist had their Android phone targeted by a sophisticated zero-day exploit developed by Cellebrite, an Israeli company known for its digital forensics tools, according to a new report from Amnesty International. The exploit, which was used to unlock the activist’s device, is based on a vulnerability in Android’s USB drivers and was initially discovered in 2024.

In the report, Amnesty International revealed that the Android phone of a student protester was exploited using a chain of vulnerabilities, developed specifically by Cellebrite to bypass security measures. The exploit targeted the Android USB drivers, specifically CVE-2024-53104, a privilege escalation vulnerability in the kernel component known as the USB Video Class (UVC) driver.

The issue was first identified by Amnesty's Security Lab in mid-2024, when traces of the exploit were found in a separate case unrelated to the Serbian incident. A patch for CVE-2024-53104 was later released in December 2024 for the Linux kernel, followed by an Android update earlier this year to address the flaw. However, the vulnerability remained active and was reportedly used against the activist’s phone in Belgrade.

The zero-day exploit is believed to have been part of a broader attack chain, combined with two other flaws: CVE-2024-53197 and CVE-2024-50302, which were addressed in the Linux kernel but have yet to be included in an Android Security Bulletin. Amnesty’s investigation suggests that the exploit allowed authorities to bypass the phone’s lock screen and gain privileged access.

The activist, identified only as "Vedran" to protect their privacy, was arrested on December 25, 2024, following their participation in a student protest in Belgrade. After being detained at a police station, Vedran’s phone, a Samsung Galaxy A32, was confiscated. According to Amnesty’s analysis, Cellebrite’s exploit was used to unlock the device, after which authorities reportedly attempted to install an unknown Android application. Although the exact nature of the app remains unclear, the technique is consistent with previous cases of spyware infections, specifically the NoviSpy malware detected in Serbia around the same time.

For its part, Cellebrite said that its products are not designed for offensive cyber activities. The company also announced that it would no longer allow Serbian authorities to use its software, stating that “we found it appropriate to stop the use of our products by the relevant customers at this time.”

3 March 2025