InfoSecBulletin Cybersecurity for mankind
Amnesty International’s Security Lab discovered a cyber-espionage campaign in Serbia, where officials used a zero-day exploit from Cellebrite to unlock a student activist’s Android phone.
On December 25, 2024, an attack used flaws in Linux kernel USB drivers to bypass the lock screen on a Samsung Galaxy A32.
WhatsApp banned on all US House of Representatives devices
Kaspersky found “SparkKitty” Malware on Google Play, Apple App Store
OWASP AI Testing Guide Launched to Uncover Vulns in AI Systems
Axentec Launches Bangladesh’s First Locally Hosted Tier-4 Cloud Platform
Hackers Bypass Gmail MFA With App-Specific Password Reuse
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Forensic analysis showed that vulnerabilities in an outdated USB driver were exploited to gain root access, allowing data theft and attempts to install surveillance software. This incident highlights the misuse of digital forensics tools on civil society and reveals significant weaknesses in Android’s defenses against physical attacks.
Exploit Chain Targets, USB Driver:
The attack used a complex series of fake USB devices to exploit memory corruption issues in the Linux kernel. Forensic logs reveal that authorities connected several harmful devices using Cellebrite’s Turbo Link adapter, including:
A Chicony CNF7129 UVC Webcam (VID:0x04f2) exploiting CVE-2024-53104, an out-of-bounds write in the USB Video Class driver’s frame-rate restriction quirk.
A Creative Extigy SoundBlaster (VID:0x041e) leveraging CVE-2024-53197, which allowed descriptor corruption during ALSA sound card initialization.
An Anton Touch Pad (VID:0x1130) exploiting CVE-2024-50302 to leak uninitialized kernel memory via HID reports.
These vulnerabilities, fixed in Linux kernel versions 6.6 and in the February 2025 Android Security Bulletin, originated from code written between 2010 and 2013.
Attackers exploited vulnerabilities to gain higher privileges, as kernel logs indicate root shell access occurred just 10 seconds after connecting the last USB HID device.
A 23-year-old student named “Vedran” was detained by plainclothes officers during protests against Serbia’s ruling party in December 2024. Device logs support his claims.
Post-exploitation activity included file system enumeration using find/grep and deployment of Cellebrite’s “falcon” binary for advanced data extraction. While the target APK installation failed due to a biometric lockout, the breach exposed call logs, messages, and protest coordination details.
Google’s Threat Analysis Group worked with Amnesty to address three CVEs, resulting in patches. However, more than 40% of Android devices were still unpatched as of March 2025 because of uneven vendor update cycles. On February 25, 2025, Cellebrite suspended its Serbian clients, stating:
“We found it appropriate to stop use of our products by relevant customers… Our compliance program ensures ethical, lawful use.”
Critics say the measure is not transparent because Cellebrite hasn’t revealed how long its suspension will last or the human rights protections for reinstatement. The company’s Premium UFED toolkit is still in use in 78 countries, despite reports of abuse in 12 states since 2022.
