Serbian Police Exploit Cellebrite Zero-Day to Unlock Android Phones

Serbian authorities exploited Cellebrite's zero-day Android vulnerabilities (CVE-2024-53104, CVE-2024-53197, CVE-2024-50302) to unlock a phone, raising serious security concerns for enterprises.

    Serbian authorities used a chain of zero-day exploits developed by Cellebrite, an Israeli digital forensics firm, to unlock an Android phone belonging to a student activist.

    Cellebrite’s Role in the Android Zero-Day Exploit

    Cellebrite creates tools for law enforcement and private companies to extract data from locked smartphones. These tools often rely on zero-day exploits—previously unknown vulnerabilities—to bypass standard security measures. The Serbian police’s actions highlight the potential for such tools to be used for unauthorized access.

    Amnesty International’s Discovery and Google’s Response

    Amnesty International’s Security Lab uncovered the exploit chain in mid-2024 while examining the logs of the compromised device.

    Their findings were shared with Google’s Threat Analysis Group (TAG). Google’s researchers identified three vulnerabilities in Android’s Linux kernel USB drivers:

    • CVE-2024-53104: a flaw in the USB Video Class (UVC) driver.
    • CVE-2024-53197: a flaw in the ALSA USB sound driver.
    • CVE-2024-50302: a flaw in the USB HID (human interface device) driver.

    Google patched CVE-2024-53104 in its February 2025 Android security updates, classifying it as “under limited, targeted exploitation.”

    The other two vulnerabilities have not yet been patched in all Android releases. How long manufacturers take to roll out patches varies widely by device and update cadence.

    Security Implications and Mitigation Strategies

    Donncha O’Cearbhaill, Head of Security Lab at Amnesty, suggested that patching CVE-2024-53104 alone might break the entire exploit chain, though this is not certain.

    GrapheneOS, a privacy-focused Android distribution, already includes patches for CVE-2024-53197 and CVE-2024-50302 due to its frequent kernel updates. Google confirmed sharing fixes with OEM partners on January 18th, 2025.

    A Google spokesperson stated: “We were aware of these vulnerabilities and exploitation risk prior to these reports and promptly developed fixes for Android.”

    “These CVEs will also be included in future Android Security Bulletins and required by Android Security Patch Level (SPL). As a best security practice, we always advise users to update their devices as soon as security patches or software updates become available.”

    Google shared the fixes with OEM partners in a partner advisory on January 18 and advised users to update their devices promptly.

    USB Driver Vulnerabilities on the Rise

    The vulnerabilities exploited in this case highlight the persistent threat posed by USB driver exploits. Such exploits take advantage of weaknesses in a device’s USB stack (drivers, firmware, or kernel components) to gain unauthorized access or control.

    The exploit may achieve memory corruption for arbitrary code execution, inject malicious commands, or bypass lock screens. One mitigating factor is the requirement for physical access to the target device.

    In this case, and many others, this requirement was easily fulfilled by police detaining the person and confiscating their device.

    In April 2024, Google fixed two zero-day flaws (CVE-2024-29745 and CVE-2024-29748) that forensic firms had exploited to unlock phones without a PIN; the fix zeroes memory before USB is enabled.

    Earlier this month, Apple fixed a zero-day (CVE-2025-24200) Cellebrite and GrayKey leveraged for bypassing USB Restricted Mode to extract data from iPhones. Stock Android lacks a direct equivalent to Apple’s USB Restricted Mode.

    However, users can mitigate the threat by turning off USB debugging (ADB), setting the cable connectivity mode to “Charge Only,” and enabling Full Disk Encryption (Settings → Security & privacy → More security & privacy → Encryption & credentials → Encrypt phone).
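The article notes that the fix for CVE-2024-53104 shipped in the February 2025 Android security updates and is enforced through the Android Security Patch Level (SPL), and that USB debugging should be off. The following is an added example (not code from the article, Amnesty, Google or Cellebrite) of how an enterprise might triage a fleet export for both conditions. It assumes a constructed inventory format with one line per device: a device identifier, the device's `ro.build.version.security_patch` value (YYYY-MM-DD), and the value of `settings get global adb_enabled` (0 or 1). The date threshold is taken from the article's statement that the fix landed in the February 2025 bulletin; an SPL at or past that date does not say anything about CVE-2024-53197 or CVE-2024-50302, which the article says are not yet patched in all Android releases.

```python
"""Fleet triage for Android Security Patch Level (SPL) and USB debugging state.

Added example, not from the original article. Assumes an inventory export
(constructed below) with one line per device:
    <device_id> <security_patch> <adb_enabled>
where security_patch mirrors ro.build.version.security_patch (YYYY-MM-DD) and
adb_enabled mirrors `adb shell settings get global adb_enabled` (0 or 1).
"""
from datetime import date

# The article states CVE-2024-53104 was fixed in the February 2025 Android
# security bulletin; an SPL dated before February 2025 therefore predates it.
CVE_2024_53104_FIXED_SPL = date(2025, 2, 1)

# Constructed sample inventory (hypothetical device ids, not real devices).
SAMPLE_INVENTORY = """\
# device_id  security_patch  adb_enabled
pixel-a1 2025-02-05 0
pixel-b2 2024-12-05 1
galaxy-c3 2025-01-05 0
tablet-d4 2025-03-01 1
"""


def parse_inventory(text):
    """Parse inventory lines into (device_id, spl_date, adb_enabled) tuples.

    Blank lines and '#' comments are skipped; malformed lines raise ValueError
    so a truncated export is noticed rather than silently reported as clean.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        device_id, spl_text, adb_text = parts
        if adb_text not in ("0", "1"):
            raise ValueError(f"line {lineno}: adb_enabled must be 0 or 1")
        records.append((device_id, date.fromisoformat(spl_text), adb_text == "1"))
    return records


def spl_covers(spl, fixed_spl=CVE_2024_53104_FIXED_SPL):
    """True when the device's SPL is at or past the bulletin carrying the fix."""
    return spl >= fixed_spl


def triage(records, fixed_spl=CVE_2024_53104_FIXED_SPL):
    """Map each device id to a list of findings (empty list means no finding)."""
    findings = {}
    for device_id, spl, adb_enabled in records:
        issues = []
        if not spl_covers(spl, fixed_spl):
            issues.append(f"SPL {spl.isoformat()} predates CVE-2024-53104 fix")
        if adb_enabled:
            issues.append("USB debugging (ADB) enabled")
        findings[device_id] = issues
    return findings


if __name__ == "__main__":
    for device, issues in triage(parse_inventory(SAMPLE_INVENTORY)).items():
        print(device, "OK" if not issues else "; ".join(issues))
```

In practice the inventory would come from an MDM export or from `adb shell getprop ro.build.version.security_patch` and `adb shell settings get global adb_enabled` run against managed devices; the parsing and threshold logic stay the same.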

    Staying informed about newly discovered vulnerabilities and promptly applying patches are vital steps in mitigating such risks.
