Amnesty International’s Security Lab has discovered a sophisticated zero-day exploit used to unlock the phone of a student activist in Serbia, highlighting the misuse of digital forensics tools by the country’s authorities.
The attack, attributed to Cellebrite’s forensic software, exploited vulnerabilities in the Linux kernel USB drivers that Android relies on, allowing unauthorized access to the activist’s device.
The discovery follows a December 2024 report that documented widespread surveillance of journalists and activists in Serbia. In response, Cellebrite announced on February 25, 2025, that it had suspended product use by certain Serbian customers. Amnesty’s findings indicate that the abuses have persisted, and that the Serbian Security-Information Agency (BIA) is among the bodies implicated in using digital forensics tools for politically motivated surveillance.
Technical details of the attack
Amnesty International’s forensic analysis revealed that the activist’s Android device, a Samsung Galaxy A32, was exploited using a zero-day vulnerability in Linux kernel USB drivers. The exploit enabled Serbian authorities to bypass the phone’s lock screen and gain root access. The attack chain involved multiple USB device emulations — such as a fake video device and HID (human interface device) inputs — suggesting the use of Cellebrite’s UFED or UFED Premium forensic tools.
The vulnerabilities leveraged in the attacks are:
- CVE-2024-53104 – An out-of-bounds write vulnerability in the USB Video Class (UVC) driver, patched in the February 2025 Android Security Bulletin.
- CVE-2024-53197 – A flaw in the ALSA USB audio driver, allowing memory corruption.
- CVE-2024-50302 – A bug in the Linux kernel’s USB HID device driver, leaking kernel memory.
These vulnerabilities were first flagged by Amnesty International’s Security Lab and later confirmed by Google’s Threat Analysis Group. A patch is available for the first flaw, but Android devices have not yet received fixes for the other two, which therefore remain exploitable.
Given that the exploit targeted fundamental Linux kernel drivers, its impact extends beyond Android devices, potentially affecting other Linux-based systems. As such, organizations relying on Linux OS are advised to apply the available updates as soon as possible.
Broader surveillance context in Serbia
The Serbian activist, identified under the pseudonym “Vedran,” was detained on December 25, 2024, following student protests in Belgrade. During his six-hour detention, plainclothes officers forcibly accessed his phone. Amnesty’s forensic analysis confirmed Cellebrite’s UFED was used to exploit the device before an attempt was made to install an unknown Android spyware app.
This case mirrors previous instances where Serbian authorities targeted activists and journalists with digital forensics tools. Amnesty’s A Digital Prison report led to legal actions by Serbian civil society organizations, including criminal complaints against police and intelligence agencies. However, authorities have not responded to inquiries, and Cellebrite has not disclosed the full extent of its internal investigation.
Defense measures
Because the exploit targets core Linux kernel drivers rather than Android-specific code, users and organizations on Android and on other Linux-based systems alike should take the following precautions:
- Install the latest Android Security Bulletin patches addressing CVE-2024-53104.
- Use USB security settings to prevent unauthorized data access, particularly when devices are locked.
- Strengthen device security by enabling encryption and strong PINs to mitigate unauthorized forensic extractions.
- Regularly check for unknown apps or logs indicating unauthorized access attempts.
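The last precaution can be made concrete on a Linux host by reviewing the kernel log for the pattern described under Technical details: one physical USB port presenting, in quick succession, devices that bind to the video (uvcvideo), audio (snd-usb-audio) and HID (usbhid) drivers, which are exactly the three driver families named in the CVEs above. The script below is an added example, not code from Amnesty International, Google TAG or Cellebrite. The log lines are constructed; the message layouts follow the kernel’s usual dev_info() style but are assumptions to tune per host, as is the 300-second window, since the report gives no timings.

```python
"""Heuristic detector for a multi-class USB re-enumeration pattern in dmesg output.

Added example (not from the Amnesty report or any vendor). It flags a single USB
port that, inside a short window, enumerates devices claimed by the video, audio
and HID drivers. Log formats and the window length are assumptions to adjust.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: port 1-1 re-enumerates three times as three device classes.
SUSPICIOUS_LOG = """\
[  100.101] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[  100.420] usb 1-1: Found UVC 1.00 device Example Video (0000:0000)
[  103.011] usb 1-1: USB disconnect, device number 5
[  104.120] usb 1-1: new high-speed USB device number 6 using xhci_hcd
[  104.510] snd-usb-audio 1-1:1.0: constructed audio-interface message
[  107.800] usb 1-1: USB disconnect, device number 6
[  108.000] usb 1-1: new full-speed USB device number 7 using xhci_hcd
[  108.400] input: Example Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:0000:0002.0001/input/input12
[  500.000] usb 2-3: new high-speed USB device number 3 using xhci_hcd
[  500.400] usb-storage 2-3:1.0: USB Mass Storage device detected
"""

LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<msg>.*)$")
PORT = r"(?P<port>\d+-[\d.]+)"  # bus-port, e.g. 1-1, or 1-1.2 behind a hub

# (pattern, event kind); the first matching rule wins. Patterns are assumptions.
RULES = [
    (re.compile(rf"^usb {PORT}: new (?:\S+-speed )?USB device number (?P<devnum>\d+)"), "enumerate"),
    (re.compile(rf"^usb {PORT}: Found UVC "), "video"),                 # uvcvideo probe message
    (re.compile(rf"^snd[-_]usb[-_]audio {PORT}:\d+\.\d+:"), "audio"),   # snd-usb-audio bound to an interface
    (re.compile(rf"^usbhid {PORT}:\d+\.\d+:"), "hid"),                  # usbhid bound to an interface
    (re.compile(rf"^input: .* as /devices/.*/usb\d+/{PORT}/"), "hid"),  # input device registered under the port
]
EMULATED_CLASSES = {"video", "audio", "hid"}


@dataclass
class Event:
    ts: float
    port: str
    kind: str
    devnum: Optional[int] = None


@dataclass
class Finding:
    port: str
    start: float
    end: float
    classes: set
    enumerations: int
    severity: str


def parse_log(text: str) -> list:
    """Turn dmesg-style lines into Events; lines matching no rule are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for rx, kind in RULES:
            hit = rx.search(m["msg"])
            if hit:
                devnum = int(hit["devnum"]) if kind == "enumerate" else None
                events.append(Event(float(m["ts"]), hit["port"], kind, devnum))
                break
    return events


def detect(events, window: float = 300.0, min_classes: int = 2) -> list:
    """Report each port showing >= min_classes driver classes within `window` seconds."""
    by_port = defaultdict(list)
    for e in events:
        by_port[e.port].append(e)
    findings = []
    for port, evs in by_port.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        for i, first in enumerate(evs):  # every event opens a candidate window
            classes, devnums, end = set(), set(), first.ts
            for e in evs[i:]:
                if e.ts - first.ts > window:
                    break
                end = e.ts
                if e.kind == "enumerate":
                    devnums.add(e.devnum)
                else:
                    classes.add(e.kind)
            if len(classes) >= min_classes and (best is None or len(classes) > len(best.classes)):
                # All three classes across at least two separate enumerations is the full pattern.
                sev = "high" if classes >= EMULATED_CLASSES and len(devnums) >= 2 else "medium"
                best = Finding(port, first.ts, end, classes, len(devnums), sev)
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SUSPICIOUS_LOG)):
        print(f"{f.severity.upper()}: port {f.port} presented {sorted(f.classes)} "
              f"across {f.enumerations} enumerations ({f.start:.3f}s to {f.end:.3f}s)")
```

Feed it `dmesg` or `journalctl -k` output in place of the constructed sample. A single keyboard or webcam plugged in normally yields one class on one port and produces no finding; the signal is several unrelated device classes cycling through one port while the machine is unattended or locked, which is worth correlating with lock-screen state and physical access records rather than acting on alone.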
Amnesty International calls for stronger regulations on forensic tools and for Cellebrite to implement stricter human rights due diligence to prevent misuse of its technology. The organization urges an independent investigation into Serbia’s digital surveillance practices and demands accountability for ongoing rights violations.