Google has quietly patched a set of previously unknown Android vulnerabilities that allowed forensic tools to unlock phones without user consent. The discovery was made by Amnesty International, which found that Serbian authorities had used these exploits to gain access to a student protester’s phone.
The vulnerabilities, identified as a chain of three zero-day flaws, were discovered in the core Linux USB kernel, meaning they were not limited to a single Android device or manufacturer. According to Amnesty’s report, the flaws could have affected over a billion Android devices worldwide.
Zero-day vulnerabilities are particularly dangerous because they remain unknown to software or hardware developers until they are discovered and exploited. Since no patches exist at the time of discovery, hackers—including both criminal groups and government agencies—can use them to break into systems without triggering security defenses.
>>>EB-BA205ABU for Samsung EB-BA205ABU
Amnesty first detected traces of one of these flaws in mid-2024 but did not fully understand its scope until later that year. A deeper investigation into the hacking of a student activist’s phone in Serbia provided further evidence that authorities had used Cellebrite’s forensic tools to bypass Android security. Amnesty then shared its findings with Google’s Threat Analysis Group, which led to the discovery and patching of three separate security flaws.
Cellebrite, an Israeli company known for developing phone-unlocking tools for law enforcement, was at the center of the controversy. Amnesty found that Serbian authorities had used Cellebrite’s technology to unlock the activist’s phone without his knowledge or consent. The case raised concerns about how such tools are being deployed against journalists, activists, and human rights defenders.
This was not the first time Amnesty had identified the misuse of Cellebrite’s tools. In December 2024, the organization reported that Serbian authorities had used Cellebrite’s forensic technology to unlock the phones of both an activist and a journalist. The report also revealed that after unlocking the devices, authorities installed NoviSpy, an Android spyware designed for surveillance.
Following these allegations, Cellebrite announced earlier this week that it had terminated its relationship with its Serbian customers, citing ethical concerns. The company released a statement saying it had reviewed Amnesty’s findings and decided to stop providing its products to the Serbian government for the time being.
Amnesty’s latest report details another case in which Serbian authorities used Cellebrite’s tools to gain access to a Samsung A32 phone belonging to a youth activist. The activist had been arrested by Serbia’s Security Information Agency (BIA) at the end of 2024. Amnesty found that the tactics used in his arrest closely resembled those documented in its previous report, further reinforcing concerns about targeted surveillance against political dissidents.
Amnesty strongly condemned the use of such forensic tools for suppressing free speech and peaceful assembly, arguing that these actions violate fundamental human rights. The organization emphasized that using Cellebrite’s software in this way cannot be justified under any legitimate legal framework.
>>>BA4050 for UniStrong BA4050 GPS
The discovery of these vulnerabilities has reignited discussions about the security of Android devices, particularly for individuals who may be at risk of government surveillance or digital repression.
Bill Marczak, a senior researcher at Citizen Lab, urged activists, journalists, and civil society members to consider switching to iPhones, which he suggested might offer stronger protection against forensic unlocking tools.
Donncha Ó Cearbhaill, head of Amnesty’s Security Lab, warned that Cellebrite’s technology is more widely available than many realize. He expressed concern that the issue may extend beyond Serbia and could be affecting activists in multiple countries.
With Google now having patched the vulnerabilities, the immediate threat has been mitigated. For individuals concerned about digital privacy, keeping devices updated, using strong passcodes, and relying on end-to-end encrypted messaging apps remain critical defenses. However, as long as forensic tools like Cellebrite’s exist, the risk of unauthorized phone access—especially in politically sensitive cases—remains a pressing issue.