
Serbian security forces used a chain of Android zero-day exploits, developed by the Israeli company Cellebrite, to unlock the phone of a student activist and attempt to install spyware. Amnesty International uncovered evidence of this exploitation in mid-2024 during an analysis of device logs.
Cellebrite, a company specializing in digital forensics, develops tools for law enforcement agencies, intelligence services, and private corporations, enabling the extraction of data from mobile devices. Such firms frequently utilize zero-day exploits to bypass the security mechanisms of locked smartphones.
Following Amnesty International’s report in December 2024 regarding potential privacy violations in Serbia, Cellebrite revoked access to its tools for Serbian security services. However, the exact timeline of when authorities obtained and deployed the exploits remains unknown.
Google has confirmed three vulnerabilities in Linux USB drivers used in Android, which were exploited in the attack:
- CVE-2024-53104 (CVSS score: 7.8) – A vulnerability in the USB Video Class driver.
- CVE-2024-50302 (CVSS score: 5.5) – A vulnerability affecting USB HID devices.
- CVE-2024-53197 (CVSS score: 5.5) – A vulnerability in the USB ALSA audio driver.
These vulnerabilities were patched in Android’s February and March 2025 security updates and were flagged as being under “limited, targeted exploitation.”
Amnesty’s Security Lab stated that patching CVE-2024-53104 could potentially break the entire attack chain, but this has not been definitively confirmed. Meanwhile, developers from GrapheneOS noted that their custom Android implementation already includes fixes for the two remaining vulnerabilities.
Google provided patches to OEM partners on January 18, and the fixes for all of the vulnerabilities will be included in upcoming Android security bulletins, eventually becoming mandatory updates at a designated security level.
USB vulnerabilities are frequently leveraged to circumvent device protections, enabling arbitrary code execution, injection of malicious commands, or bypassing of lock screens. However, successful exploitation requires physical access to the smartphone—in this case, made possible by the detention of the device’s owner by police. Unlike Apple, stock Android lacks a dedicated restricted USB mode, but users can mitigate risks by disabling USB debugging in settings and enabling full-disk encryption.
Several Serbian non-governmental organizations (NGOs) have filed complaints against police and security officials, citing Amnesty International’s findings on the use of spyware technologies to monitor journalists and activists. According to the December 16 report, “Digital Prison,” Serbian authorities deployed spyware capable of extensive surveillance once installed on a target device. Testimonies from journalists and activists confirm that this software was installed during interrogation procedures.