Researchers uncover unknown Android flaws used to hack into a student’s phone

Amnesty International said that Google fixed previously unknown flaws in Android that allowed authorities to unlock phones using forensic tools.

On Friday, Amnesty International published a report detailing a chain of three zero-day vulnerabilities developed by phone-unlocking company Cellebrite, which its researchers found after investigating the hack of a student protester’s phone in Serbia. The flaws were found in the core Linux USB kernel, meaning “the vulnerability is not limited to a particular device or vendor and could impact over a billion Android devices,” according to the report. 

Zero-days are bugs in products that when found are unknown to the software or hardware makers. Zero-days allow criminal and government hackers to break into systems in a way that’s more effective because there is no patch that fixes them yet. 

In this case, Amnesty said that it first found traces of one of the flaws in a case in mid-2024. Then, last year, after investigating the hack of a student activist in Serbia, the organization shared its findings with Google’s anti-hacking unit Threat Analysis Group, which led the company researchers to identify and fix the three separate flaws.

During the investigation into the activist’s phone, Amnesty researchers found the USB exploit, which allowed Serbian authorities, with the use of Cellebrite tools, to unlock the activist’s phone.  

When reached for comment, Cellebrite spokesperson Victor Cooper referred to a statement that the company published earlier this week. 

In December, Amnesty reported that it had found two cases where Serbian authorities had used Cellebrite forensic tools to unlock the phones of an activist and a journalist, and subsequently installed an Android spyware known as Novispy. Earlier this week, Cellebrite announced that it had stopped its Serbian customer from using its technology following the allegations of abuse uncovered by Amnesty.

“After a review of the allegations brought forth by the December 2024 Amnesty International report, Cellebrite took precise steps to investigate each claim in accordance with our ethics and integrity policies. We found it appropriate to stop the use of our products by the relevant customers at this time,” Cellebrite wrote in its statement. 

In the new report, Amnesty said it was contacted in January to analyze the device of a youth activist arrested by the Serbian Security Information Agency (Bezbedonosno-informativna agencija or BIA) at the end of last year. 

“The circumstances of his arrest, and the behavior of the BIA officers, strongly matched the modus operandi that was used against protesters and that we documented in our report in December. A forensic investigation of the device conducted in January confirmed the use of Cellebrite on the student activist’s phone,” Amnesty wrote.

Like in the other cases, the authorities used a Cellebrite device to unlock the activist’s Samsung A32 phone “without his knowledge or consent, and outside a legally sanctioned investigation,” according to Amnesty.   

“The seemingly routine use of Cellebrite software against people for exercising their rights to freedom of expression and peaceful assembly can never be a legitimate aim,” Amnesty wrote, “and therefore is in violation of human rights law.”

Bill Marczak, a senior researcher at Citizen Lab, a digital rights organization that investigates spyware, wrote on X that activists, journalists, and members of civil society “who might have their phone seized by authorities (protest, border, etc.) should consider switching to iPhone,” because of these vulnerabilities. 

Referring to Cellebrite’s tools, Donncha Ó Cearbhaill, the head of Amnesty’s Security Lab, told TechCrunch that “the far-reaching availability of such tools leaves me fearing that we are just scratching the surface of harms from these products.”

Google did not immediately respond to a request for comment.