In the first calendar week of February , Google publish its usual Android Security Bulletin , detailing security flaw that have been plugged to strengthen the platform safety . These fault are usually declared once they have been fixed , except in especial circumstances .

February is one of those rare situations for a kernel - level , high-pitched - severity flaw that was still being actively exploited at the time of the bulletin ’s release . “ There are indications that CVE-2024 - 53104 may be under modified , targeted development , ” sound out therelease note .

The flaw was first report by expert atAmnesty International , which describes it as an “ out - of - bound write in the USB Video Class ( UVC ) driver . ” The researchers summate that since it ’s a core - level feat , it touch on over over a billion Android gimmick , regardless of the sword label .

Since it ’s a zero - sidereal day effort , only the assailant know of its existence , unless security measure experts sense its presence , rise a fix with the platform ’s team , and then widely release it for all strike devices . Two other exposure , CVE-2024 - 53197 and CVE-2024 - 50302 , have been fix at the kernel - level , but have n’t been completely patched at an OS - level by Google

The impact pool is vast

The pool of affected gadget is the Android ecosystem , while the attempt transmitter is a USB interface . Specifically , we are talking about zero - Clarence Day exploits in the Linux kernel USB drivers , which reserve a bad actor to bypass the Lock Screen protection and gain deep - tier privileged access to a phone via a USB connection .

In this pillowcase , a cock offered by Cellebrite was reportedly used to unlock the earphone of a Serbian scholarly person activist and benefit access to data stored on it . Specifically , a Cellebrite UFED kit was deployed by jurisprudence enforcement officials on the scholar activist ’s phone , without informing them about it or taking their expressed consent .

Amnesty says the exercise of a tool like Cellebrite — which has been abused to target journalists and activists widely — was not lawfully sanctioned . The phone in interrogative was a Samsung Galaxy A32 , while the Cellebrite gadget was able to break past its Lock Screen protection and attain root access code .

“ Android vender must desperately strengthen defensive certificate features to mitigate threats from untrusted USB connections to locked twist , ” say Amnesty ’s composition . This wo n’t be the first metre that the name Cellebrite has appear in the news .

refresh your Android smartphone . ASAP !

The company sells its forensic analysis tool to jurisprudence enforcement and Union agencies in the US , and multiple other body politic , allow them bestial - force their way into devices and extract critical data .

In 2019 , Cellebrite claimed that it couldunlock any Android or Apple deviceusing its Universal Forensic Extraction machine . However , it has also raise honorable concerns and privacy warning equipment about unjust usage by authorities for surveillance , harassment , and targeting of whistleblower , diary keeper , and militant .

A few calendar month ago , Apple also quietlytightened the surety protocols with iOS 18.1 update , with the design of blocking unauthorized admission to locked smartphones and keep exfiltration of sensitive selective information .