Because of the additional security layers on mobile devices, such as application sandboxing, exploitation usually requires chaining several vulnerabilities together to achieve remote code execution with elevated privileges. Mobile devices, including mobile browsers, are particularly targeted by commercial surveillance vendors (CSVs), who sell their products to governments and intelligence agencies. These customers typically seek to obtain data from their surveillance targets' mobile phones, either remotely or through physical access.
One example is an exploit chain that combined three vulnerabilities to unlock the seized Android phone of a student activist in Serbia last year using a product developed by Cellebrite, an Israeli digital forensics company. One of the vulnerabilities used in the chain, CVE-2024-53104, affects the Android USB Video Class (UVC) kernel driver and was patched in February. The other two vulnerabilities, CVE-2024-53197 and CVE-2024-50302, were patched in the Linux kernel, on which Android is based.
"While we still expect government-backed actors to continue their historical role as primary players in zero-day exploitation, CSVs now contribute a significant amount of zero-day exploitation," the Google GTIG researchers said. "Although the total count and proportion of zero-days attributed to CSVs declined from 2023 to 2024, likely in part due to their increased emphasis on operational security practices, the 2024 count is still significantly higher than the count from 2022 and years prior."