In the first week of February, Google published its usual Android Security Bulletin, detailing security flaws that have been plugged to strengthen the platform safety. These flaws are usually declared once they have been fixed, except in special circumstances.
February is one of those rare situations for a kernel-level, high-severity flaw that was still being actively exploited at the time of the bulletin’s release. “There are indications that CVE-2024-53104 may be under limited, targeted exploitation,” says the release note.
The flaw was first reported by experts at Amnesty International, which describes it as an “out-of-bound write in the USB Video Class (UVC) driver.” The researchers add that since it’s a kernel-level exploit, it impacts overs over a billion Android devices, irrespective of the brand label.
Since it’s a zero-day exploit, only the attackers know of its existence, unless security experts sense its presence, develop a fix with the platform’s team, and then widely release it for all affected devices. Two other vulnerabilities, CVE-2024-53197 and CVE-2024-50302, have been fixed at the kernel-level, but haven’t been completely patched at an OS-level by Google
The impact pool is vast
The pool of affected devices is the Android ecosystem, while the attack vector is a USB interface. Specifically, we are talking about zero-day exploits in the Linux kernel USB drivers, which allows a bad actor to bypass the Lock Screen protection and gain deep-level privileged access to a phone via a USB connection.
In this case, a tool offered by Cellebrite was reportedly used to unlock the phone of a Serbian student activist and gain access to data stored on it. Specifically, a Cellebrite UFED kit was deployed by law enforcement officials on the student activist’s phone, without informing them about it or taking their explicit consent.
Amnesty says the usage of a tool like Cellebrite — which has been abused to target journalists and activists widely — was not legally sanctioned. The phone in question was a Samsung Galaxy A32, while the Cellebrite device was able to break past its Lock Screen protection and gain root access.
“Android vendors must urgently strengthen defensive security features to mitigate threats from untrusted USB connections to locked devices,” says Amnesty’s report. This won’t be the first time that the name Cellebrite has appeared in the news.
Update your Android smartphone. ASAP!
The company sells its forensic analysis tools to law enforcement and federal agencies in the US, and multiple other countries, letting them brute-force their way into devices and extract critical information.
In 2019, Cellebrite claimed that it could unlock any Android or Apple device using its Universal Forensic Extraction Device. However, it has also raised ethical concerns and privacy alarms about unfair usage by authorities for surveillance, harassment, and targeting of whistleblowers, journalists, and activists.
A few months ago, Apple also quietly tightened the security protocols with iOS 18.1 update, with the intention of blocking unauthorized access to locked smartphones and preventing exfiltration of sensitive information.
