Google discreetly addressed a USB vulnerability that had put more than a billion Android devices at risk.

      In the first week of February, Google released its standard Android Security Bulletin, which outlines various security vulnerabilities that have been addressed to enhance the safety of the platform. Typically, these vulnerabilities are disclosed only after they have been resolved, unless under exceptional circumstances.

      February presented one such rare instance involving a high-severity, kernel-level flaw that was still being actively exploited at the time the bulletin was issued. The release note mentions, “There are indications that CVE-2024-53104 may be under limited, targeted exploitation.”

      This flaw was initially reported by researchers at Amnesty International, which refers to it as an “out-of-bound write in the USB Video Class (UVC) driver.” They noted that, due to its kernel-level nature, it affects over a billion Android devices regardless of the brand.

      As it is a zero-day exploit, only the attackers are aware of its presence unless security experts detect it, collaborate with the platform’s team to develop a fix, and subsequently distribute it widely to all impacted devices. Additionally, two other vulnerabilities, CVE-2024-53197 and CVE-2024-50302, have been addressed at the kernel level, but have yet to be fully patched at the OS level by Google.

      The range of affected devices is extensive, as the Android ecosystem is susceptible, and the attack vector is a USB interface. Specifically, these zero-day exploits exist in the Linux kernel USB drivers, enabling malicious actors to circumvent Lock Screen protections and gain deep privileged access to a device through a USB connection.

      A Cellebrite device was reportedly utilized to unlock the phone of a Serbian student activist and access stored data. Specifically, law enforcement officials applied a Cellebrite UFED kit to the activist's phone without their knowledge or explicit consent.

      Amnesty International asserts that the use of a tool like Cellebrite—known for its misuse against journalists and activists—was not legally authorized. The device in question was a Samsung Galaxy A32, which the Cellebrite tool managed to unlock and gain root access to, bypassing its Lock Screen protection.

      “Android vendors must urgently strengthen defensive security features to mitigate threats from untrusted USB connections to locked devices,” states Amnesty’s report. This is not the first time Cellebrite has made headlines.

      Update your Android smartphone. ASAP!

      Cellebrite sells its forensic tools to law enforcement and federal agencies in the United States and several other nations, enabling them to forcefully access devices and extract critical information. In 2019, Cellebrite claimed it could unlock any Android or Apple device using its Universal Forensic Extraction Device. However, this has sparked ethical concerns regarding potential misuse by authorities for surveillance, harassment, and targeting whistleblowers, journalists, and activists.

      Recently, Apple quietly enhanced its security measures with the iOS 18.1 update to prevent unauthorized access to locked smartphones and to safeguard sensitive information from being extracted.