Associated Incidents
Amnesty International's Security Lab, in collaboration with Amnesty's European Regional Office, has uncovered a new case of misuse of a Cellebrite product to break into the phone of a youth activist in Serbia. The attack closely matches the form of attack that we previously documented in a report, 'A Digital Prison', published in December 2024. This new case provides further evidence that the authorities in Serbia have continued their campaign of surveillance of civil society in the aftermath of our report, despite widespread calls for reform, from both inside Serbia and beyond, as well as an investigation into the misuse of its product, announced by Cellebrite.
Though not documented in this blog post, Amnesty International has also found evidence of at least two further cases of misuse of Cellebrite against civil society (beyond the ones noted in the report), suggesting that the practice remains widespread and that Serbia's Security-Information Agency (Bezbedonosno-informativna agencija -- BIA) and the Serbian security services remain confident that they can continue using such oppressive tactics with impunity.
In a statement published on 25 February 2025, Cellebrite announced that it has suspended the use of its products by "relevant customers" in Serbia following Amnesty International's December 2024 report, which documented widespread misuse of Cellebrite's technology by Serbian authorities. The latest findings of further abuses make these suspensions a necessary and crucial first step in halting the ongoing and unlawful misuse of the company's products.
Zero-day exploit targeting Android USB kernel drivers identified in-the-wild
This technical blog post provides a detailed analysis of how the Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite. Amnesty International first found traces of this Cellebrite USB exploit used in a separate case in mid-2024.
These most recent findings show the ongoing harms from the continued misuse of Cellebrite's advanced mobile phone extraction tools, even after widely published evidence of abuses. Since the exploits identified in this research target core Linux kernel USB drivers, the vulnerability is not limited to a particular device or vendor and could impact over a billion Android devices.
In 2024, the Security Lab shared technical evidence about this zero-day exploit chain with industry partners, including Google's Threat Analysis Group. These leads enabled Google security researchers to identify at least three zero-day vulnerabilities likely exploited as part of this Cellebrite exploit chain. The first vulnerability, CVE-2024-53104, an out-of-bound write in the USB Video Class (UVC) driver, was patched in the February 2025 Android Security Bulletin.
Additional vulnerabilities CVE-2024-53197, and CVE-2024-50302 have been patched upstream in the Linux kernel but have not yet been included in an Android Security Bulletin. An initial technical analysis of the exploit and vulnerabilities is shared in Section 3 below.
Amnesty International wishes to thank the student activist targeted in this campaign for sharing his story and all partners who supported this research, including the Balkan Investigative and Reporting Network (BIRN) and SHARE Foundation in Belgrade.
Amnesty International extends special thanks to Benoît Sevens of Google's Threat Analysis Group for his invaluable contribution to this investigation, and his work identifying the underlying USB vulnerabilities exploited in this attack. The Security Lab is also grateful to the Android Security and Privacy team for their active engagement on addressing digital security risks impacting civil society.