Serbian Student's Android Phone Compromised By Exploit From Cellebrite

An anonymous reader quotes a report from Ars Technica: Amnesty International on Friday said it determined that a zero-day exploit sold by controversial exploit vendor Cellebrite was used to compromise the phone of a Serbian student who had been critical of that country's government. [...] The chain exploited a series of vulnerabilities in device drivers the Linux kernel uses to support USB hardware. "This new case provides further evidence that the authorities in Serbia have continued their campaign of surveillance of civil society in the aftermath of our report, despite widespread calls for reform, from both inside Serbia and beyond, as well as an investigation into the misuse of its product, announced by Cellebrite," authors of the report wrote.

Amnesty International first discovered evidence of the attack chain last year while investigating a separate incident outside of Serbia involving the same Android lockscreen bypass. [...] The report said that one of the vulnerabilities, tracked as CVE-2024-53104, was patched earlier this month with the release of the February 2025 Android Security Bulletin. Two other vulnerabilities -- CVE-2024-53197 and CVE-2024-50302 -- have been patched upstream in the Linux kernel but have not yet been incorporated into Android. Forensic traces identified in Amnesty International's analysis of the compromised phone showed that the Serbian authorities tried to install an unknown application after the device had been unlocked. The report authors said the installation of apps on Cellebrite-compromised devices was consistent with earlier cases the group has uncovered in which spyware tracked as NoviSpy spyware were installed.

As part of the attack, the USB port of the targeted phone was connected to various peripherals during the initial stages. In later stages, the peripherals repeatedly connected to the phone so they could "disclose kernel memory and groom kernel memory as part of the exploitation." The people analyzing the phone said the peripherals were likely special-purpose devices that emulated video or sound devices connecting to the targeted device. The 23-year-old student who owned the phone regularly participates in the ongoing student protests in Belgrade. Any Android users who have yet to install the February patch batch should do so as soon as possible.

Re:

[Bradac_55]

Lay off the crack pipe dude, everyone knows BeauHD died years ago and this is just a bot posting.

Yeah right, update your Android

[Uldis Segliņš]

I can not update my perfectly functioning phone hardwares software just because Google has not freed one from the other. And hardware manufacturers just don't care. Or the opposite - they care that I am pushed to buy new. Evil Google, free the Android OS, so we can install, upgrade or choose wherefrom to do that independently of OEMs! This is the same as recycling - blame the end user who can't separate the plastic packaging from other materials, when manufacturer should be held accountable with consequence

Re: Yeah right, update your Android

[commodore73]

Why would they care? Why would you expect them to care? You are just a consumer, and there is an almost infinite supply. Silly thoughts.

Re:

[phantomfive]

If your phone has a locked bootloader, then it's not a perfectly functioning phone.

And if you bought the phone knowing that, then you're just as dumb as every iPhone user out there.

Re:

[ArchieBunker]

And if you bought the phone knowing that, then you're just as dumb as every iPhone user out there.

My iPhone 8 (released in 2017) still gets occasional OS updates.

Re:

[phantomfive]

And yet, your bootloader is locked. And you can't sideload apps. Not only do you have a gimped phone, you'll probably brag about it.

Re:

[Kitkoan]

Your iPhone was also available for sale untill 2022, and was dropped from support 2 years after that. I also noticed you said when it was released, not when you got it. I'm guessing you didn't get it then and so had a shorter support window. Too bad Apple didn't copy Google (again) with Google Play Security Updates, otherwise it would still be getting updates.

Re:

[thegarbz]

Thanks for your 2015 talking points. On the flip side Android has decoupled security from OS updates, so you very much can run an old Android OS patched to the latest security level, and virtually all manufacturers offer over 5 years of security updates these days .

Re:

[sg_oneill]

For all of apples faults, this is one advantage the IOS thing has (And I *believe* googles own pixel range are good for it. Probably samsung too, my 3 year old samsung tablet still seems to get updates) is that because Apple control their whole supply chain they SEEM to be good for updating phones for quite a few years. Sure there has been some *funky* shit in the past with them slowing down old phones, ostensibly for battery reasons but it'd be nice if it was optional, but you DO get those security updates

Lesson learned.

[ChunderDownunder]

via Sir Keir, UK PM this week - if you don't want your government hacking you, use an iPhone.

Me? cheap Moto phone likely backdoored by both Chinese and my local franchise of the 5-Eyes, with a mixture of software from Google, Meta and Microsoft. Keep everyone happy. :)