Because mobile devices carry added security layers such as application sandboxing, exploitation normally requires chaining several vulnerabilities together to achieve remote code execution with elevated privileges. Mobile devices, including mobile browsers, are particularly targeted by commercial surveillance vendors (CSVs), who sell their products to governments and intelligence agencies. These customers typically seek to obtain data from their surveillance targets' phones, either remotely or through physical access.
One example is an exploit chain that combined three vulnerabilities to unlock the seized Android phone of a student activist in Serbia last year, using a product developed by Cellebrite, an Israeli digital forensics company. One of the vulnerabilities used in the chain, CVE-2024-53104, affects the Android USB Video Class (UVC) kernel driver and was patched in February. The other two vulnerabilities, CVE-2024-53197 and CVE-2024-50302, were patched in the Linux kernel, on which Android is based. All three lie in USB device-class drivers, which explains why physical access to the seized phone was sufficient: the exploit is delivered by a malicious USB peripheral rather than over the network.
“While we still expect government-backed actors to continue their historic role as major players in zero-day exploitation, CSVs now contribute a significant amount of zero-day exploitation,” the Google GTIG researchers said. “Although the total count and proportion of zero-days attributed to CSVs declined from 2023 to 2024, likely in part due to their increased emphasis on operational security practices, the 2024 count is still significantly higher than the count from 2022 and years prior.”