Amnesty International said Google fixed a previously unknown flaw in Android, allowing authorities to use forensic tools to unlock phones.
On Friday, Amnesty International published a report detailing the three zero-day vulnerabilities chains developed by phone unlocking company Cellebrite, which researchers discovered after investigating a hack of phones by student protesters in Serbia. According to the report, the defect was found in the core Linux USB kernel.
Zero Day is a bug in a product that is not known to the software or hardware manufacturer when it is discovered. Zero Day allows criminals and government hackers to infiltrate their systems in a more effective way, as they don't have a patch to fix yet.
In this case, Amnesty said it first found traces of the defect in the mid-2024 case. Then, last year, after investigating the hacks of Serbian student activists, the organization shared its findings with Google's Hacking Anti-Hacking Unit Threat Analysis Group, which prompted researchers at the company to identify and correct three separate flaws.
While investigating activists' mobile phones, Amnesty researchers discovered a USB exploit that allowed Serbian authorities to use the Serbrite tool to unlock activists' phones.
When contacted in the comments, Cellebrite spokesman Victor Cooper mentioned a statement the company released earlier this week.
In December, Amnesty reported that Serbian authorities discovered two cases of unlocking mobile phones for activist and journalist using Celbrite's forensic tools, and then installed Android spyware known as Nobispie. Earlier this week, Celebrity announced that Serbian customers have stopped using the technology in accordance with allegations of abuse revealed by the amnesty.
“After reviewing the claims filed by the Amnesty International Report in December 2024, Celebrite took accurate steps to investigate each claim in accordance with our ethics and integrity policies. At this point, we have found it appropriate to cease use of the product by related customers,” Cellebrite wrote in a statement.
Is there any more information about government spyware and its manufacturers? From non-work devices, you can safely contact Lorenzo Franceschi-Bicchierai with a signal of +1 917 257 1382, via Telegram and Keybase @lorenzofb, or send an email. You can also contact TechCrunch via SecureDrop.
In a new report, Amnesty said it was contacted in January to analyze the equipment of a youth activists who were arrested by Serbian Security Intelligence Agency (Bezbedonosno-informativna argencija or bia) late last year.
“The circumstances of his arrest and the actions of BIA officials were strongly in line with the modalities used against protesters and those recorded in the December report. A forensic investigation of the device conducted in January confirmed the use of celebrity lights on student activists' phones,” Amnesty wrote.
Like in other cases, authorities used Cellebrite devices to unlock activist Samsung A32 phone “without his knowledge or consent, and outside of legally approved investigations.”
“The seemingly everyday use of Celebrite software on people to exercise their rights to freedom of expression and peaceful assembly is by no means a legitimate purpose,” Amnesty wrote. “Therefore, it violates human rights law.”
Bill Marczak, a senior researcher at Citizen Lab, a digital rights group investigating Spyware, wrote that because of these vulnerabilities, “authors (protests, borders, etc.) should consider switching to the iPhone.”
Referring to Cellebrite's tools, Donchanó Cearbhaill, head of Amnesty's security lab, told TechCrunch “the widespread availability of such tools is fearful that it will only scratch the surface of harm from these products.”
Google did not immediately respond to requests for comment.