Google quietly fixes a USB vulnerability affecting over one billion Android devices.

In the first week of February, Google released its usual Android Security Bulletin, detailing the vulnerabilities that have been patched to enhance the platform's security. Generally, these weaknesses are announced only after being resolved, with exceptions for special cases. This February has presented an unusual situation due to a high-risk kernel-level vulnerability that continued to be actively exploited at the time of the bulletin's publication. “There are indications that CVE-2024-53104 may be under limited and targeted exploitation,” the release note states.

The flaw was initially reported by experts from Amnesty International, who describe it as an "out-of-bounds write in the USB Video Class (UVC) driver." Researchers emphasize that, being a kernel-level exploit, it affects over a billion Android devices, regardless of the brand. Since it is a zero-day exploit, only attackers are aware of its existence unless security experts manage to identify it, develop a fix in collaboration with the platform's team, and ultimately distribute it to all affected devices.

Additionally, two other kernel-level vulnerabilities, CVE-2024-53197 and CVE-2024-50302, have been fixed, but Google has not yet fully patched them at the operating system level. The impact is broad, encompassing the Android ecosystem, while the attack vector utilizes a USB interface. These are zero-day exploits in the USB drivers of the Linux kernel, allowing an attacker to bypass lock screen protection and gain deep privileged access to a phone through a USB connection.

Recently, it was reported that a Cellebrite tool was used to unlock a Serbian student activist's phone and access the data stored on it. In this case, a Cellebrite UFED kit was employed by law enforcement officials on the activist's smartphone without informing them or obtaining their explicit consent. Amnesty highlights that the use of tools like Cellebrite, which have been misused to target journalists and activists, lacked legal authorization.

The affected device was a Samsung Galaxy A32, which the Cellebrite tool was able to access, breaking through the lock screen protection and obtaining root access. “Android vendors must urgently strengthen security defensive features to mitigate the threats of unreliable USB connections to locked devices,” the Amnesty report states.

This is not the first time Cellebrite has been mentioned in the news. The company sells its forensic analysis tools to law enforcement and federal agencies in the United States and other countries, enabling them to forcibly access devices and extract critical information. In 2019, Cellebrite claimed it could unlock any Android or Apple device using its Universal Forensic Extraction Device. However, its practices have raised ethical concerns and privacy alarms regarding its misuse by authorities for surveillance, harassment, and persecution of whistleblowers, journalists, and activists. A few months ago, Apple also quietly tightened security protocols with the iOS 18.1 update, aiming to block unauthorized access to locked phones and prevent the extraction of sensitive information.