Google Warning

Because mobile devices add security layers such as application sandboxes, exploit development often requires chaining multiple vulnerabilities together to achieve remote code execution with elevated privileges. Mobile devices, including mobile browsers, are a particular target of commercial surveillance vendors (CSVs), who sell their products to governments and intelligence agencies. These customers often seek to obtain information from a monitored target's phone, either remotely or through physical access.

One example is a chain that combines three vulnerabilities and was used last year to unlock Android phones seized from Serbian student activists, using a product developed by the Israeli digital forensics company Cellebrite. One of the vulnerabilities in the chain, CVE-2024-53104, affects the Android USB Video Class (UVC) kernel driver and was patched in February. The other two vulnerabilities are CVE-2024-53197 and CVE-2024-50302, which have been patched in the Android-based Linux kernel.

“Although we still expect government-backed actors to continue to play historic roles as key players in zero-day development, CSVs now contribute a lot of zero-day exploitation,” Google GTIG researchers said. “Although the total and proportion of zero-days attributed to CSVs declined from 2023 to 2024, which may be partly due to their growing emphasis on operational security practices, the 2024 count remains higher than those in 2022 and previous years.”
