Serbian student's Android phone compromised by exploit from Cellebrite
arstechnica.com
MORE SURVEILLANCE AS A SERVICE

Android users who haven't installed Google's February patch batch should do so ASAP.

Dan Goodin, Feb 28, 2025 6:08 pm

Amnesty International on Friday said it determined that a zero-day exploit sold by controversial exploit vendor Cellebrite was used to compromise the phone of a Serbian student who had been critical of that country's government.

The human rights organization first called out Serbian authorities in December for what it said was their pervasive and routine use of spyware as part of a campaign of wider state control and repression directed against civil society. That report said the authorities were deploying exploits sold by Cellebrite and NSO, a separate exploit seller whose practices have also been sharply criticized over the past decade. In response to the December report, Cellebrite said it had suspended sales to relevant customers in Serbia.

Campaign of surveillance

On Friday, Amnesty International said that it uncovered evidence of a new incident. It involves the sale by Cellebrite of an attack chain that could defeat the lock screen of Android devices that were fully patched at the time. The exploits were used against a Serbian student who had been critical of Serbian officials. The chain exploited a series of vulnerabilities in device drivers the Linux kernel uses to support USB hardware.

"This new case provides further evidence that the authorities in Serbia have continued their campaign of surveillance of civil society in the aftermath of our report, despite widespread calls for reform, from both inside Serbia and beyond, as well as an investigation into the misuse of its product, announced by Cellebrite," authors of the report wrote.

Amnesty International first discovered evidence of the attack chain last year while investigating a separate incident outside of Serbia involving the same Android lock screen bypass. Authors of Friday's report wrote:

"The exploit, which targeted Linux kernel USB drivers, enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone's lock screen and gain privileged access on the device. As the exploit targets core Linux kernel USB drivers, the impact is not limited to a particular device or vendor and could affect a very wide range of devices. The same vulnerabilities could also expose Linux computers and Linux-powered embedded devices to physical attacks, although there is no evidence that this exploit chain has been designed to target non-Android Linux devices."

The report said that one of the vulnerabilities, tracked as CVE-2024-53104, was patched earlier this month with the release of the February 2025 Android Security Bulletin. Two other vulnerabilities, CVE-2024-53197 and CVE-2024-50302, have been patched upstream in the Linux kernel but have not yet been incorporated into Android. In practice that means the February bulletin closes only one of the three bugs; the remaining two reach a given phone only when its vendor ships a kernel update that carries the upstream fixes.

Forensic traces identified in Amnesty International's analysis of the compromised phone showed that the Serbian authorities tried to install an unknown application after the device had been unlocked. The report authors said the installation of apps on Cellebrite-compromised devices was consistent with earlier cases the group has uncovered in which spyware tracked as NoviSpy was installed.

As part of the attack, the USB port of the targeted phone was connected to various peripherals during the initial stages. In later stages, the peripherals repeatedly connected to the phone so they could disclose kernel memory and groom kernel memory as part of the exploitation. The people analyzing the phone said the peripherals were likely special-purpose devices that emulated video or sound devices connecting to the targeted device.

The 23-year-old student who owned the phone regularly participates in the ongoing student protests in Belgrade. Any Android users who have yet to install the February patch batch should do so as soon as possible.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords.
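The repeated re-connection of emulated video and sound peripherals described above is exactly the kind of behaviour that leaves a trace in the kernel log, which is the first thing a forensic examiner would pull from a device suspected of having been handled by a Cellebrite operator. The script below is an added example written for this page; it is not tooling from Amnesty International, Cellebrite, or Google. It parses the standard usbcore and uvcvideo message formats as they appear in a Linux or Android dmesg capture and flags any USB port that enumerates an unusual number of devices within a short window. The sample log lines are constructed, and the threshold of five enumerations in 60 seconds is an assumption chosen for illustration rather than a published indicator of compromise.

```python
"""Triage a kernel log for the USB re-enumeration pattern described above.

Added example, not tooling from Amnesty International or Cellebrite. It parses
the standard usbcore and uvcvideo message formats found in a Linux/Android
dmesg capture and reports any USB port that enumerates an unusual number of
devices in a short window. THRESHOLD and WINDOW_S are assumed values chosen
for illustration, not published indicators of compromise.
"""
import re
from collections import defaultdict

THRESHOLD = 5     # enumerations on one port ...
WINDOW_S = 60.0   # ... within this many seconds => flag (assumed values)

# Real usbcore/uvcvideo message shapes; the "[ seconds.micros]" prefix is dmesg's.
CONNECT_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\] usb (?P<port>[\d.-]+): new .*USB device number (?P<num>\d+)")
DISCONNECT_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\] usb (?P<port>[\d.-]+): USB disconnect, device number (?P<num>\d+)")
UVC_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\] uvcvideo: Found UVC .*\((?P<vidpid>[0-9a-f]{4}:[0-9a-f]{4})\)")

# Constructed sample (not a real capture): port 1-1 sees six enumerations in about
# five seconds, one of them a UVC (video class) device with a made-up dead:beef ID;
# port 1-2 sees a single ordinary connection much later.
SAMPLE_DMESG = """\
[  100.001000] usb 1-1: new high-speed USB device number 2 using xhci-hcd
[  100.150000] usb 1-1: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 1.00
[  100.160000] uvcvideo: Found UVC 1.00 device Probe Cam (dead:beef)
[  101.000000] usb 1-1: USB disconnect, device number 2
[  101.300000] usb 1-1: new high-speed USB device number 3 using xhci-hcd
[  102.000000] usb 1-1: USB disconnect, device number 3
[  102.300000] usb 1-1: new high-speed USB device number 4 using xhci-hcd
[  103.000000] usb 1-1: USB disconnect, device number 4
[  103.300000] usb 1-1: new high-speed USB device number 5 using xhci-hcd
[  104.000000] usb 1-1: USB disconnect, device number 5
[  104.300000] usb 1-1: new high-speed USB device number 6 using xhci-hcd
[  105.000000] usb 1-1: USB disconnect, device number 6
[  105.300000] usb 1-1: new high-speed USB device number 7 using xhci-hcd
[  900.000000] usb 1-2: new high-speed USB device number 8 using xhci-hcd
[  900.200000] usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
"""


def parse_events(dmesg_text):
    """Return (timestamp, port, kind, detail) tuples; kind is connect/disconnect/uvc."""
    events = []
    for line in dmesg_text.splitlines():
        if (m := CONNECT_RE.match(line)):
            events.append((float(m["ts"]), m["port"], "connect", m["num"]))
        elif (m := DISCONNECT_RE.match(line)):
            events.append((float(m["ts"]), m["port"], "disconnect", m["num"]))
        elif (m := UVC_RE.match(line)):
            events.append((float(m["ts"]), None, "uvc", m["vidpid"]))
    return events


def find_bursts(events, threshold=THRESHOLD, window_s=WINDOW_S):
    """Per port, slide a window over connect timestamps and report the densest
    window that reaches the threshold (one dict per flagged port)."""
    connects = defaultdict(list)
    for ts, port, kind, _ in events:
        if kind == "connect":
            connects[port].append(ts)
    bursts = []
    for port, stamps in sorted(connects.items()):
        stamps.sort()
        best = None
        j = 0
        for i, ts in enumerate(stamps):
            while ts - stamps[j] > window_s:   # drop connects older than the window
                j += 1
            count = i - j + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"port": port, "count": count, "start": stamps[j], "end": ts}
        if best is not None:
            bursts.append(best)
    return bursts


def uvc_devices(events):
    """Sorted, de-duplicated vendor:product IDs of video-class devices that were enumerated."""
    return sorted({detail for _, _, kind, detail in events if kind == "uvc"})


def triage(dmesg_text):
    events = parse_events(dmesg_text)
    return {"bursts": find_bursts(events), "uvc_devices": uvc_devices(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_DMESG)
    for b in result["bursts"]:
        print(f"port {b['port']}: {b['count']} enumerations in "
              f"{b['end'] - b['start']:.1f}s (t={b['start']:.3f}..{b['end']:.3f})")
    print("video-class devices seen:", result["uvc_devices"] or "none")
```

Two caveats apply when using something like this on a real handset. The kernel ring buffer is small and does not survive a reboot, so the capture has to be taken before the device is power-cycled; and a burst of enumerations is only a triage signal, not proof of exploitation, since a flaky cable or hub produces the same connect/disconnect churn. A hit should send the device to full forensic analysis rather than be treated as a verdict.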