
Google quietly fixed USB flaw that left over a billion Android devices exposed

by Admin

In the first week of February, Google released its usual Android Security Bulletin, detailing security flaws that were plugged to strengthen platform security. These flaws are normally disclosed once they have been fixed, except in special circumstances.

February is one of those rare situations, with a kernel-level, high-severity flaw that was still being actively exploited at the time of the bulletin’s release. “There are indications that CVE-2024-53104 may be under limited, targeted exploitation,” says the release note.

The flaw was first reported by experts at Amnesty International, which describes it as an “out-of-bound write in the USB Video Class (UVC) driver.” The researchers add that since it’s a kernel-level exploit, it impacts over a billion Android devices, regardless of the brand label.



Since it’s a zero-day exploit, only the attackers know of its existence, unless security experts sense its presence, develop a fix with the platform’s team, and then widely release it for all affected devices. Two other vulnerabilities, CVE-2024-53197 and CVE-2024-50302, have been fixed at the kernel level, but haven’t been completely patched at an OS level by Google.


The impact pool is vast

The pool of affected devices is the Android ecosystem, while the attack vector is a USB interface. Specifically, we’re talking about zero-day exploits in the Linux kernel USB drivers, which allow a bad actor to bypass the Lock Screen protection and gain deep-level privileged access to a phone via a USB connection.

A Cellebrite device that’s used to extract data from smartphones. Image: Cellebrite

In this case, a tool supplied by Cellebrite was reportedly used to unlock the phone of a Serbian student activist and gain access to data stored on it. Specifically, a Cellebrite UFED kit was deployed by law enforcement officers on the student activist’s phone, without informing them about it or obtaining their explicit consent.

Amnesty says the use of a tool like Cellebrite — which has been widely abused to target journalists and activists — was not legally sanctioned. The phone in question was a Samsung Galaxy A32, and the Cellebrite device was able to break past its Lock Screen protection and gain root access.

“Android vendors must urgently strengthen defensive security features to mitigate threats from untrusted USB connections to locked devices,” says Amnesty’s report. This isn’t the first time that the name Cellebrite has appeared in the news.

Update your Android smartphone. ASAP!

The company sells its forensic analysis tools to law enforcement and federal agencies in the US, and multiple other countries, letting them brute-force their way into devices and extract critical information.

In 2019, Cellebrite claimed that it could unlock any Android or Apple device using its Universal Forensic Extraction Device. However, it has also raised ethical concerns and privacy alarms about unfair usage by authorities for surveillance, harassment, and targeting of whistleblowers, journalists, and activists.


A few months ago, Apple also quietly tightened the security protocols with the iOS 18.1 update, with the intention of blocking unauthorized access to locked smartphones and preventing exfiltration of sensitive information.







© 2024 cyberbeatnews.com – All Rights Reserved.