
Israeli digital intelligence company Cellebrite offers intelligence gathering and forensic review services to its clients. Additionally, the company provides certain undisclosed zero-day vulnerabilities (0days) that enable targeted spyware attacks against specific individuals.
In December 2024, reports surfaced indicating that Serbia had procured and deployed vulnerabilities and corresponding spyware supplied by Cellebrite and NSO Group. These exploits primarily targeted Android devices, granting attackers the ability to bypass lock screens and extract data.
Google has addressed one of the vulnerabilities leveraged by Cellebrite in its latest Android security update, assigning it CVE-2024-53104. Meanwhile, two other vulnerabilities—CVE-2024-53197 and CVE-2024-50302—have been patched in the upstream Linux Kernel, though they have yet to be integrated into the Android Open Source Project (AOSP).
The CVE-2024-53104 vulnerability specifically affects Linux Kernel USB class drivers. Exploiting this flaw, Cellebrite’s clients—such as Serbian authorities—could circumvent Android’s lock screen protections and gain unrestricted access to targeted devices.
Since the vulnerability originates from the upstream Linux Kernel, it poses a risk not only to Android but also to various Linux distributions and embedded Linux-based devices, regardless of manufacturer or device type.
At present, there is no evidence indicating that attackers have exploited this vulnerability against non-Android systems. High-value zero-day vulnerabilities like this are typically used sparingly, minimizing exposure to prevent detection by security researchers.
To successfully exploit this vulnerability, physical access to the target device is required. Once in possession of the device, the attacker can deploy spyware using dedicated software. The implanted spyware can harvest extensive device data, track real-time location, and even enable remote surveillance.
As part of the attack sequence, the USB port of the target device is initially connected to various peripheral devices. These peripherals are repeatedly reconnected to trigger the vulnerability, ultimately leaking kernel memory and modifying it as part of the exploit.
The USB devices involved in the attack may be specialized tools designed to emulate video or audio peripherals, deceiving the system into granting elevated privileges. Once the vulnerability is successfully exploited and access is gained, the attacker can install additional covert software, essentially deploying spyware onto the compromised device.
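The repeated reconnection of USB peripherals described above leaves a trace in the kernel log, which gives defenders something to watch for. The following added example (not part of the original article) flags a USB port that is enumerated several times within a short window while a video- or audio-class driver binds to it; the log lines, port names, timestamps and thresholds are constructed assumptions, and the regexes target the common `usb N-M: new ... USB device number` message format, which varies across kernel versions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed kernel log excerpt (not a real capture): port 1-1 is enumerated
# three times in a few seconds, each time claimed by the UVC video-class driver,
# while port 2-3 sees a single, ordinary keyboard attach.
SAMPLE_LOG = """\
2025-01-10T09:00:00 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
2025-01-10T09:00:00 kernel: uvcvideo: Found UVC 1.00 device Cam (1234:5678)
2025-01-10T09:00:02 kernel: usb 1-1: USB disconnect, device number 4
2025-01-10T09:00:03 kernel: usb 1-1: new high-speed USB device number 5 using xhci_hcd
2025-01-10T09:00:03 kernel: uvcvideo: Found UVC 1.00 device Cam (1234:5678)
2025-01-10T09:00:05 kernel: usb 1-1: USB disconnect, device number 5
2025-01-10T09:00:06 kernel: usb 1-1: new high-speed USB device number 6 using xhci_hcd
2025-01-10T09:00:06 kernel: uvcvideo: Found UVC 1.00 device Cam (1234:5678)
2025-01-10T09:30:00 kernel: usb 2-3: new full-speed USB device number 2 using xhci_hcd
2025-01-10T09:30:00 kernel: usb 2-3: Product: Keyboard
"""

# Enumeration line: timestamp, port path (e.g. 1-1), device number.
CONNECT = re.compile(r"^(\S+) kernel: usb (\S+): new .* USB device number (\d+)")
CLASS_DRIVER = re.compile(r"^(\S+) kernel: (uvcvideo|snd-usb-audio|usbhid): ")

def find_reconnect_bursts(log, window_s=60, threshold=3):
    """Return [(port, count, [class drivers])] for every port that is
    enumerated at least `threshold` times inside any `window_s` window."""
    events = defaultdict(list)   # port -> enumeration timestamps
    drivers = defaultdict(set)   # port -> class drivers seen after enumeration
    last_port = None
    for line in log.splitlines():
        m = CONNECT.match(line)
        if m:
            events[m.group(2)].append(datetime.fromisoformat(m.group(1)))
            last_port = m.group(2)
            continue
        m = CLASS_DRIVER.match(line)
        if m and last_port:
            # Heuristic: a driver message right after an enumeration belongs to that port.
            drivers[last_port].add(m.group(2))
    findings = []
    for port, times in events.items():
        times.sort()
        # Densest window: for each event as window start, count events within window_s.
        best = max(sum(1 for t in times if 0 <= (t - start).total_seconds() <= window_s)
                   for start in times)
        if best >= threshold:
            findings.append((port, best, sorted(drivers[port])))
    return findings
```

On a real host the same function can be fed the output of `dmesg` or `journalctl -k`; a burst on a locked device, especially one that never normally has a camera attached, is worth investigating.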