Amnesty International’s Security Lab has uncovered a sophisticated cyber-espionage campaign in Serbia, where authorities used a zero-day exploit chain developed by Cellebrite to unlock the Android phone of a student activist.

The victim, a 23-year-old student referred to as “Vedran,” was detained by plainclothes officers during December 2024 protests against Serbia’s ruling party. The attack, which occurred on December 25, 2024, leveraged vulnerabilities in Linux kernel USB drivers to bypass lock-screen protections on a Samsung Galaxy A32 device.

Forensic analysis revealed the exploit chain abused legacy USB driver quirks to gain root access, enabling data extraction and attempted installation of surveillance tools. The attack employed an intricate sequence of emulated USB devices to trigger memory corruption vulnerabilities in the Linux kernel. Attackers combined them to achieve privilege escalation, as evidenced by kernel logs showing root shell access 10 seconds after the final USB HID device connection. Post-exploitation activity included file system enumeration using find/grep and deployment of Cellebrite’s “falcon” binary for advanced data extraction.

These vulnerabilities, patched in Linux kernel versions 6.6+ and the February 2025 Android Security Bulletin, existed in code dating back to 2010–2013. This incident underscores the systemic misuse of digital forensics tools against civil society and highlights critical gaps in Android’s defense against physical access attacks.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
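The forensic signal described above (a root shell appearing seconds after the last emulated USB HID device enumerates) can be turned into a simple log-correlation check. The following is an added example, not code from Amnesty's report or from Cellebrite; the log lines are constructed, and the dmesg-style timestamp format and audit line layout are assumptions.

```python
import re

# Constructed sample log lines (not taken from the report). The format is an
# assumption: a seconds timestamp in brackets, dmesg-style, followed by text.
SAMPLE_LOG = """\
[ 1200.101] usb 1-1: new full-speed USB device number 4 using xhci-hcd
[ 1200.250] usb 1-1: New USB device found, idVendor=1234, idProduct=5678
[ 1200.261] hid-generic 0003:1234:5678.0001: input: USB HID v1.10 Keyboard
[ 1205.000] usb 1-1: USB disconnect, device number 4
[ 1205.900] usb 1-1: new full-speed USB device number 5 using xhci-hcd
[ 1206.100] hid-generic 0003:1234:9999.0002: input: USB HID v1.10 Device
[ 1216.100] audit: type=1300 comm="sh" uid=0 euid=0 pid=4321
"""

# A USB HID device finishing enumeration.
HID_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\].*USB HID v")
# A shell process recorded with uid 0 (assumed audit-style line).
ROOT_SHELL_RE = re.compile(
    r'^\[\s*(?P<ts>\d+\.\d+)\].*comm="(?:sh|bash)".*\buid=0\b')


def find_usb_to_root_shell(log_text, window_s=15.0):
    """Return (hid_ts, shell_ts, delta_s) for every root shell that appears
    within window_s seconds after the most recent USB HID enumeration."""
    hits = []
    last_hid = None
    for line in log_text.splitlines():
        m = HID_RE.match(line)
        if m:
            last_hid = float(m.group("ts"))
            continue
        m = ROOT_SHELL_RE.match(line)
        if m and last_hid is not None:
            shell_ts = float(m.group("ts"))
            delta = shell_ts - last_hid
            if 0 <= delta <= window_s:
                hits.append((last_hid, shell_ts, round(delta, 3)))
    return hits


if __name__ == "__main__":
    for hid_ts, shell_ts, delta in find_usb_to_root_shell(SAMPLE_LOG):
        print(f"root shell at {shell_ts} came {delta}s after HID at {hid_ts}")
```

On the constructed input this flags one event, the root shell 10 seconds after the second HID enumeration; the first HID device is not flagged because no root shell follows it inside the window.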
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 01 Mar 2025 04:45:12 +0000