CyberSecurity news

FlagThis - #androidsecurity

Alex Lekander@CyberInsider //
Serbian authorities reportedly used a Cellebrite-developed Android zero-day exploit chain to unlock the device of a student activist and attempt to install spyware. This exploit targeted vulnerabilities in Android, allowing authorities to bypass security measures. Amnesty International discovered the exploit after analyzing the student's phone, which prompted them to alert Google.

Google has since fixed the three zero-day vulnerabilities in Android that the Cellebrite forensic tools exploited. After reports that the equipment was being misused for political reasons, Cellebrite blocked Serbia from further use of its solution.

References:
  • infosec.exchange: NEW: Google fixed three zero-day vulnerabilities in Android that were used by authorities to unlock phones with Cellebrite forensic tools. The fixes come after Amnesty alerted Google, following the analysis of a Serbian student protester's phone.
  • bsky.app: Serbian authorities have reportedly used an Android zero-day exploit chain developed by Cellebrite to unlock the device of a student activist in the country and attempt to install spyware.
  • CyberInsider: Serbia Used Cellebrite Zero-Day Android Attack on Student Activist
  • securityaffairs.com: Cellebrite blocked Serbia from using its solution because misuse of the equipment for political reasons
  • techcrunch.com: Amnesty International said that Google fixed previously unknown flaws in Android that allowed authorities to unlock phones using forensic tools. On Friday, Amnesty International published a report detailing a chain of three zero-day vulnerabilities developed by phone-unlocking company Cellebrite, which its researchers found after investigating the hack of a student protester’s phone in Serbia. The
  • The Hacker News: Amnesty Finds Cellebrite’s Zero-Day Used to Unlock Serbian Activist’s Android Phone
  • infosec.exchange: Amnesty International has uncovered a sophisticated cyber-espionage campaign in Serbia, where authorities used Cellebrite kit with Linux USB CVE-2024-53104 exploit chained with 2 other CVEs to unlock the Android phone of a student activist
  • aboutdfir.com: Cellebrite cuts off Serbia over abuse of phone-cracking software against civil society
  • securityaffairs.com: Serbian student activist’s phone hacked using Cellebrite zero-day exploit
  • Talkback Resources: Cellebrite zero-day exploit used to target phone of Serbian student activist [app] [exp]

@The DefendOps Diaries //
A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, raising significant cybersecurity concerns. This sophisticated malware, initially identified in 2016, has evolved to embed itself deeply into the Android system framework, making it difficult for users to detect or remove. Discovered on counterfeit versions of popular smartphone models sold at discounted prices through online stores, Triada poses a severe threat as it can steal user data immediately after device setup.

Triada's capabilities include stealing user data, such as social media and messenger accounts, and manipulating cryptocurrency transactions by replacing wallet addresses. The malware can also falsify caller IDs, monitor browser activity, and even activate premium SMS services. Experts warn that this new version infiltrates the device at the firmware level, indicating a compromised supply chain and urging users to exercise caution and purchase Android devices from reputable sources.

References:
  • bsky.app: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • BleepingComputer: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • The DefendOps Diaries: Explore the threat of Triada malware in counterfeit Android devices and learn how to protect against this sophisticated cyber threat.
  • www.it-daily.net: Triada Trojan discovered on counterfeit Android smartphones
  • PCMag UK security: Counterfeit Android Phones Preloaded With a Special Surprise: Malware

info@thehackernews.com (The Hacker News)@The Hacker News //
Google has released the February 2025 Android security updates, patching a total of 48 vulnerabilities. Among these fixes is a critical zero-day kernel vulnerability, identified as CVE-2024-53104, which Google has confirmed is being actively exploited in the wild. This particular flaw is a privilege escalation issue found within the USB Video Class (UVC) driver, potentially allowing attackers to gain elevated permissions on affected devices.

The vulnerability, with a CVSS score of 7.8, stems from an out-of-bounds write in the uvc_parse_format() function in the kernel source file uvc_driver.c, specifically when parsing frames of type UVC_VS_UNDEFINED. The flaw has been present since Linux kernel version 2.6.26, released in mid-2008, and could lead to memory corruption, crashes, or even arbitrary code execution. While the specific actors behind the exploitation remain unclear, the potential for "physical" privilege escalation raises concerns about misuse by forensic data extraction tools.
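The bug class described above is a mismatch between a sizing pass and a parsing pass over USB descriptors: the sizing pass counts only known frame subtypes, while the parsing loop matches on the format's frame type, which stays at UVC_VS_UNDEFINED (0) for a frame-less format and therefore also matches stray UVC_VS_UNDEFINED descriptors that were never counted. The following toy two-pass parser is an added illustration, not the kernel's code; the 3-byte descriptors, the constants and the `hardened` switch are constructed for the example, and the hardened branch mirrors the upstream fix's approach of skipping frame parsing for such formats.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy descriptor model: [bLength][bDescriptorType][bDescriptorSubtype] ... */
#define CS_INTERFACE          0x24
#define UVC_VS_UNDEFINED      0x00  /* also the "no frame type" marker */
#define UVC_VS_FORMAT_MJPEG   0x06
#define UVC_VS_FRAME_MJPEG    0x07
#define UVC_VS_FORMAT_MPEG2TS 0x0a  /* frame-less format: ftype stays 0 */

/* Constructed sample descriptors (3-byte toy entries, not real UVC sizes). */
static const uint8_t MJPEG_DESC[]   = { 3, CS_INTERFACE, UVC_VS_FORMAT_MJPEG,
                                        3, CS_INTERFACE, UVC_VS_FRAME_MJPEG,
                                        3, CS_INTERFACE, UVC_VS_FRAME_MJPEG };
static const uint8_t MPEG2TS_DESC[] = { 3, CS_INTERFACE, UVC_VS_FORMAT_MPEG2TS,
                                        3, CS_INTERFACE, UVC_VS_UNDEFINED };

/* Pass 1 (sizing): count only descriptors of a known frame subtype.
 * This is the number of frame slots the parser will be given. */
static size_t count_frames(const uint8_t *buf, size_t len) {
    size_t n = 0;
    while (len >= 3 && buf[0] >= 3 && buf[0] <= len) {
        if (buf[1] == CS_INTERFACE && buf[2] == UVC_VS_FRAME_MJPEG) n++;
        len -= buf[0]; buf += buf[0];
    }
    return n;
}

/* Pass 2 (parsing): walk the frames that follow one format header.
 * Returns the frames accepted, or -1 where the unhardened loop would have
 * stored a frame beyond 'capacity' (the out-of-bounds write on the page). */
static int parse_format(const uint8_t *buf, size_t len, size_t capacity, int hardened) {
    uint8_t ftype = UVC_VS_UNDEFINED;
    size_t nframes = 0;
    if (len < 3 || buf[0] < 3 || buf[0] > len) return 0;
    if (buf[2] == UVC_VS_FORMAT_MJPEG) ftype = UVC_VS_FRAME_MJPEG;
    len -= buf[0]; buf += buf[0];
    /* The fix: a format with no frame type has no frames to parse. Without it,
     * ftype == 0 matches every UVC_VS_UNDEFINED descriptor pass 1 never counted. */
    if (hardened && ftype == UVC_VS_UNDEFINED) return 0;
    while (len >= 3 && buf[0] >= 3 && buf[0] <= len &&
           buf[1] == CS_INTERFACE && buf[2] == ftype) {
        if (nframes == capacity) return -1;  /* toy bounds check instead of corrupting memory */
        nframes++;
        len -= buf[0]; buf += buf[0];
    }
    return (int)nframes;
}
```

With the MJPEG descriptors both passes agree (two frames counted, two parsed); with the MPEG2TS descriptors the sizing pass counts zero frames, the unhardened parse loop still accepts the UVC_VS_UNDEFINED entry and trips the bounds check, and the hardened loop parses nothing.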

References:
  • cyberinsider.com: Google Fixes Zero-Day Flaw Exploited in Targeted Android Attacks
  • BleepingComputer: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.
  • securityaffairs.com: Google fixed actively exploited kernel zero-day flaw
  • The Hacker News: Google Patches 47 Android Security Flaws, Including Actively Exploited CVE-2024-53104
  • CyberInsider: Google Fixes Zero-Day Flaw Exploited in Targeted Android Attacks
  • ciso2ciso.com: Google fixed actively exploited kernel zero-day flaw
  • Pyrzout :vm:: Social post about google actively exploited kernel zero-day flaw.
  • www.bleepingcomputer.com: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.

CISO2CISO Editor 2@ciso2ciso.com //
Google is introducing a new security feature called Identity Check for Android devices to combat theft. This feature locks sensitive settings, such as device and account passwords, behind biometric authentication when outside a trusted location. This prevents thieves from making unauthorized changes even if they possess the device's passcode. The intent is to safeguard user data and improve overall device security.

Identity Check requires biometric verification for accessing sensitive areas like performing factory resets, changing screen locks, adding new fingerprints, and disabling ‘Find My Device’. It also protects access to developer options and Google Password Manager. Initially, the feature will roll out to Samsung Galaxy devices eligible for One UI 7, both as part of the new OS and potentially on older versions in the near future. Non-Samsung users will receive the security update later in the year.

References:
  • ciso2ciso.com: Android enhances theft protection with Identity Check and expanded features – Source:security.googleblog.com
  • discuss.privacyguides.net: New Android Identity Check locks settings outside trusted locations
  • AAKL: Android's New Identity Check Feature Locks Device Settings Outside Trusted Locations Google announcement:
  • Pyrzout :vm:: Android enhances theft protection with Identity Check and expanded features – Source:security.googleblog.com
  • security.googleblog.com: Android's New Identity Check Feature Locks Device Settings Outside Trusted Locations Google announcement:
  • BleepingComputer: Google has announced a new Android "Identity Check" security feature that locks sensitive settings behind biometric authentication when outside a trusted location.
  • www.bleepingcomputer.com: New Android Identity Check locks settings outside trusted locations
  • ciso2ciso.com: Android improves theft protection with Identity Check and additional features.
  • The Hacker News: Discussion of Android's new Identity Check feature and improved device security.