Amnesty International’s Security Lab has documented a targeted attack in Serbia in which authorities used a zero-day exploit chain developed by Cellebrite to unlock the Android phone of a student activist.
The attack, which took place on December 25, 2024, exploited vulnerabilities in the Linux kernel’s USB drivers to bypass the lock screen of a Samsung Galaxy A32. Because the kernel enumerates and parses descriptors from attached USB peripherals even while the device is locked, a malicious device can reach driver code before the user has authenticated.
Forensic analysis showed that the exploit chain abused legacy USB driver quirks to gain root access, enabling data extraction and an attempted installation of surveillance tooling.
The incident underscores the systemic misuse of digital forensics tools against civil society and exposes gaps in Android’s defenses against attackers with physical access to a locked device.
Exploit Chain Targets USB Drivers
The attack employed an intricate sequence of emulated USB devices to trigger memory corruption vulnerabilities in the Linux kernel. Forensic logs show authorities connected multiple malicious peripherals via Cellebrite’s Turbo Link adapter, including:
- A Chicony CNF7129 UVC Webcam (VID:0x04f2) exploiting CVE-2024-53104, an out-of-bounds write in the USB Video Class driver’s frame-rate restriction quirk.
- A Creative Extigy SoundBlaster (VID:0x041e) leveraging CVE-2024-53197, which allowed descriptor corruption during ALSA sound card initialization.
- An Anton Touch Pad (VID:0x1130) exploiting CVE-2024-50302 to leak uninitialized kernel memory via HID reports.
These vulnerabilities sat in driver code dating back to 2010–2013. They have since been patched upstream in the Linux kernel, and CVE-2024-53104 was shipped in the February 2025 Android Security Bulletin.
The attackers chained them to achieve privilege escalation: kernel logs show a root shell being obtained roughly 10 seconds after the final USB HID device was connected.
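As an added example, not code from Amnesty’s report or from this article, the following Python script turns the indicators above into a log check a forensic examiner can run offline. It parses `dmesg -T`-style USB attach lines, keeps the ones whose vendor ID matches one of the three emulated devices, and flags any single USB port on which all three attach within a short window; a lone matching vendor (a genuine webcam, say) never triggers on its own. Only the vendor IDs and CVE numbers come from the report; the sample log lines, product IDs, timestamps and the five-minute window are constructed assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Vendor IDs and CVEs as listed in the Amnesty forensic findings above.
# Everything else here (product IDs, timestamps, window size) is constructed.
CHAIN_VENDORS = {
    0x04F2: ("Chicony UVC webcam", "CVE-2024-53104"),
    0x041E: ("Creative Extigy SoundBlaster", "CVE-2024-53197"),
    0x1130: ("Anton Touch Pad (HID)", "CVE-2024-50302"),
}

# `dmesg -T` style attach line, e.g.
# [Wed Dec 25 14:02:05 2024] usb 1-1: New USB device found, idVendor=04f2, idProduct=0001, bcdDevice= 1.00
ATTACH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+usb\s+(?P<port>[\d.-]+):\s+New USB device found,\s+"
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}),\s+idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample log; product IDs are placeholders, not the real devices' PIDs.
SAMPLE_DMESG = """\
[Wed Dec 25 14:02:05 2024] usb 1-1: new high-speed USB device number 7 using xhci-hcd
[Wed Dec 25 14:02:05 2024] usb 1-1: New USB device found, idVendor=04f2, idProduct=0001, bcdDevice= 1.00
[Wed Dec 25 14:02:09 2024] usb 1-1: USB disconnect, device number 7
[Wed Dec 25 14:02:11 2024] usb 1-1: New USB device found, idVendor=041e, idProduct=0002, bcdDevice= 1.00
[Wed Dec 25 14:02:16 2024] usb 1-1: USB disconnect, device number 8
[Wed Dec 25 14:02:18 2024] usb 1-1: New USB device found, idVendor=1130, idProduct=0003, bcdDevice= 1.00
[Wed Dec 25 14:02:18 2024] input: Anton Touch Pad as /devices/platform/usb/1-1/1-1:1.0/input/input12
[Wed Dec 25 14:09:40 2024] usb 1-1: New USB device found, idVendor=18d1, idProduct=4ee7, bcdDevice= 2.23
"""


def parse_attach_events(lines):
    """Extract (time, port, vid, pid) for every 'New USB device found' line."""
    events = []
    for line in lines:
        m = ATTACH_RE.match(line)
        if not m:
            continue  # disconnects, driver chatter, non-USB lines
        events.append({
            "time": datetime.strptime(m.group("ts"), TS_FORMAT),
            "port": m.group("port"),
            "vid": int(m.group("vid"), 16),
            "pid": int(m.group("pid"), 16),
        })
    return events


def find_chain_windows(events, window=timedelta(minutes=5)):
    """Per USB port, report the first window in which every chain vendor ID attached.

    Returns a list of dicts with port, start, end and the CVEs implied by the
    devices seen. Vendors outside CHAIN_VENDORS are ignored; a port that only
    ever shows one or two of the three vendors is not reported.
    """
    by_port = {}
    for e in events:
        if e["vid"] in CHAIN_VENDORS:
            by_port.setdefault(e["port"], []).append(e)

    findings = []
    for port, hits in sorted(by_port.items()):
        hits.sort(key=lambda e: e["time"])
        for i, first in enumerate(hits):
            seen = {}  # vid -> last attach time inside the window starting at `first`
            for e in hits[i:]:
                if e["time"] - first["time"] > window:
                    break
                seen[e["vid"]] = e["time"]
            if set(seen) == set(CHAIN_VENDORS):
                findings.append({
                    "port": port,
                    "start": first["time"],
                    "end": max(seen.values()),
                    "cves": sorted(CHAIN_VENDORS[v][1] for v in seen),
                })
                break  # one finding per port is enough
    return findings


def scan_log(text, window=timedelta(minutes=5)):
    """Convenience wrapper: raw dmesg text in, chain findings out."""
    return find_chain_windows(parse_attach_events(text.splitlines()), window)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_DMESG):
        print(f"port {f['port']}: chain-like attach sequence "
              f"{f['start']:%H:%M:%S}-{f['end']:%H:%M:%S}, "
              f"CVEs implicated: {', '.join(f['cves'])}")
```

On a real handset the input would be the kernel log pulled from the device (or from a full filesystem image) rather than the embedded sample, and the window should be tuned to the attach cadence actually observed; the point is that the three vendor IDs appearing back to back on one port is a far stronger signal than any one of them alone.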
The victim, a 23-year-old student referred to as “Vedran,” was detained by plainclothes officers during the December 2024 protests against Serbia’s ruling party. Device logs corroborate his account.
Post-exploitation activity included file system enumeration with find and grep, followed by deployment of Cellebrite’s “falcon” binary for further data extraction. Although installation of the target APK failed because of a biometric lockout, the breach exposed call logs, messages and protest coordination details.
Google’s Threat Analysis Group worked with Amnesty to analyze the exploits, leading to patches for the three CVEs. However, over 40% of Android devices remained unpatched as of March 2025 because of fragmented vendor update cycles. Cellebrite suspended its Serbian customers on February 25, 2025, stating:
“We found it appropriate to stop use of our products by relevant customers… Our compliance program ensures ethical, lawful use.”
Critics argue the measure lacks transparency, as Cellebrite declined to disclose how long the suspension will last or what human rights safeguards would be required for reinstatement. The company’s Premium UFED toolkit remains in use in 78 countries despite documented abuse in 12 states since 2022.