Serbian Student Activist's Phone Hacked Using Cellebrite Zero-Day Exploit
A shocking incident has come to light, involving a Serbian student activist whose Android phone was hacked using a zero-day exploit developed by Cellebrite. Amnesty International has reported that the police used this exploit to unlock and infect the phones of a journalist and activist, raising serious concerns about the misuse of surveillance technology.
According to the report published on February 25, 2025, Cellebrite announced that it had blocked Serbia from using its solution after reports emerged that the police had used the company's digital forensic equipment to target civil society activists and independent journalists critical of the government. The exploit, developed by Cellebrite, targeted Android USB drivers and allowed users with physical access to bypass lock screens.
"The exploit, which targeted Linux kernel USB drivers, enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone's lock screen and gain privileged access on the device. As the exploit targets core Linux kernel USB drivers, the impact is not limited to a particular device or vendor and could affect a very wide range of devices," said Amnesty International's Security Lab in their report.
The vulnerability, CVE-2024-53104 (CVSS score: 7.8), is a privilege escalation flaw in the Linux kernel's USB Video Class (UVC) driver that could be exploited to elevate privileges in low-complexity attacks. The issue stems from improper parsing of UVC_VS_UNDEFINED frames, which causes the frame buffer size to be miscalculated and can lead to arbitrary code execution or denial-of-service attacks.
A 23-year-old student activist (named Vedran to preserve his privacy) was attending a ruling party event in Serbia on December 25, 2024. Upon arrival, he was forcibly taken by seven plainclothes men, interrogated for six hours at a Belgrade police station, and pressured to unlock his phone. He refused, but his phone was taken and later returned switched off at 12:45 AM.
Amnesty International documented the incident and conducted a forensic analysis of Vedran's Samsung Galaxy A32. The analysis found clear evidence of exploitation, which Amnesty International can confidently attribute to the use of Cellebrite's UFED product. The logs also show that the Cellebrite product enabled the authorities to successfully gain privileged root access to the phone and to unlock the device.
A Call for Urgent Action
"Amnesty International’s Security Lab performed a forensic analysis on 'Vedran’s' Samsung Galaxy A32 to check if the device was tampered with while 'Vedran' was detained at the police station. The forensic analysis found clear evidence of exploitation which Amnesty International can confidently attribute to the use of Cellebrite's UFED product," continues the report.
Earlier this week, the Israeli company Cellebrite announced that it is suspending the provision of its technology to Serbia due to reports of abuse by local police. The company stated that it assesses the countries it does business with, both annually and on an ad-hoc basis, in light of political and cultural shifts.
"We found it appropriate to stop the use of our products by the relevant customers at this time," reads the announcement. "Our robust compliance and ethics program is designed so that democratized nations around the globe use our technology ethically and lawfully – all paramount to our mission of accelerating justice, safeguarding communities and helping to save lives."
Donncha Ó Cearbhaill, Head of the Security Lab at Amnesty International, said "This decision reinforces Amnesty International’s December findings that Serbian police and intelligence routinely misused Cellebrite's digital forensic equipment outside legally sanctioned processes to target civil society activists and independent journalists critical of the government."
"Withdrawing licences from customers who misused the equipment for political reasons is a critical first step. Now, Serbian authorities must urgently conduct their own thorough and impartial investigations, hold those responsible to account, provide remedies to victims and establish adequate safeguards to prevent future abuse," added Donncha Ó Cearbhaill.
"Any further exports of surveillance or digital forensics technology to Serbia must be stopped until the authorities have implemented an effective and independent system of control and oversight over any measures that could restrict people’s right to privacy, freedom of expression or peaceful assembly," added Donncha Ó Cearbhaill.