Researchers uncover unknown Android flaws used to hack into a student’s phone

Amnesty International said that Google fixed previously unknown flaws in Android that allowed authorities to unlock phones using forensic tools.

On Friday, Amnesty International published a report detailing a chain of three zero-day vulnerabilities developed by phone-unlocking company Cellebrite, which its researchers found after investigating the hack of a student protester’s phone in Serbia. The flaws were found in the core Linux USB kernel, meaning “the vulnerability is not limited to a particular device or vendor and could impact over a billion Android devices,” according to the report. 

Zero-days are bugs in products that, when found, are unknown to the software or hardware makers. Zero-days allow criminal and government hackers to break into systems in a way that’s more effective because there is no patch that fixes them yet.

In this case, Amnesty said that it first found traces of one of the flaws in a case in mid-2024. Then, last year, after investigating the hack of a student activist in Serbia, the organization shared its findings with Google’s anti-hacking unit, Threat Analysis Group, which led the company’s researchers to identify and fix the three separate flaws.

During the investigation into the activist’s phone, Amnesty researchers found the USB exploit, which allowed Serbian authorities, with the use of Cellebrite tools, to unlock the activist’s phone.  

When reached for comment, Cellebrite spokesperson Victor Cooper referred to a statement that the company published earlier this week. 

In December, Amnesty reported that it had found two cases where Serbian authorities had used Cellebrite forensic tools to unlock the phones of an activist and a journalist, and subsequently installed an Android spyware known as NoviSpy. Earlier this week, Cellebrite announced that it had stopped its Serbian customer from using its technology following the allegations of abuse uncovered by Amnesty.

“After a review of the allegations brought forth by the December 2024 Amnesty International report, Cellebrite took precise steps to investigate each claim in accordance with our ethics and integrity policies. We found it appropriate to stop the use of our products by the relevant customers at this time,” Cellebrite wrote in its statement.

 

 
