Google Just Fixed An Android Zero-Day Exploit Used By Serbian Authorities


If you thought that there was no way the government could spy on your phone, the authorities in Serbia have some magic beans they’d like to sell you. Amnesty International has uncovered a case where a Serbian youth activist had their device unlocked by using an Android zero-day exploit. The good news? Google has fixed it.

Exploiting the exploit

According to the report, Cellebrite, an Israel-based digital forensics company, exploited the flaw as part of an Android zero-day attack. The exploit targets Android USB drivers, making billions of Android devices vulnerable regardless of manufacturer.

But isn’t that the whole point? After all, Cellebrite is one of several tools law enforcement agencies around the world use to gain access to a suspect’s locked phone. However, this case highlights the dangers of Cellebrite’s tools falling into the wrong hands.

It also reinforces the stance of companies like Apple. Law enforcement had previously asked the company to build a backdoor to access locked iPhones. Apple said it didn’t believe in “a backdoor just for the good guys.” It also said that these backdoors could be “exploited by those who threaten our national security and the data security of our customers.”

Smartphones encrypt data when locked, making it inaccessible without a PIN, password, or biometrics. This is why law enforcement turns to companies like Cellebrite to bypass these security measures.

Thankfully, though, this exploit has been fixed. Amnesty International discovered the exploit chain in mid-2024 while analyzing logs, and Google shared a fix for the exploit with its partners in January 2025. The company also released a statement to BleepingComputer confirming the fix: “We were aware of these vulnerabilities and exploitation risk prior to these reports and promptly developed fixes for Android. Fixes were shared with OEM partners in a partner advisory on January 18.”

This isn’t the first time we’ve seen governments and law enforcement agencies spy on their own citizens. It won’t be the last time either. It’s up to companies like Google and Apple to stay ahead of these threats, before governments exploit them first.
