Cellebrite Unlocked This Journalist’s Phone. Cops Then Infected it With Malware

https://www.404media.co/cellebrite-unlocked-this-journalists-phone-cops-then-infected-it-with-malware/

Archive if paywalled: https://archive.is/pzfZX

Amnesty also says it, along with researchers at Google, discovered a vulnerability in a wide spread of Android phones which Cellebrite was exploiting. Qualcomm, the impacted chip manufacturer, has since fixed that vulnerability. And Amnesty says Google has remotely wiped the spyware from other infected devices.

Google Project Zero analysis: https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpectedly-excavating-exploit.html

In the conclusion Google writes:

It took less than 3 months of research to discover 6 separate bugs in the adsprpc driver, two of which (CVE-2024-49848 and CVE-2024-21455) were not fixed by Qualcomm under the industry standard 90-day deadline. Furthermore, at the time of writing, CVE-2024-49848 remains unfixed 145 days after it was reported. Past research has shown that chipset drivers for Android are a promising target for attackers, and this ITW exploit represents a meaningful real-world example of the negative ramifications that the current third-party vendor driver security posture poses to end-users. A system’s cybersecurity is only as strong as its weakest link, and chipset/GPU drivers represent one of the weakest links for privilege separation on Android in 2024. Improving both the consistency and quality of code and the efficiency of the third-party vendor driver patch dissemination process are crucial next steps in order to increase the difficulty of privilege escalation on Android devices.

DeletedUser182

Many of the vulnerability examples are memory corruption, like use-after-free, so MTE and other relevant memory exploit mitigations would have helped. OEMs need to move towards defaulting MTE to increase the difficulty of such dangerous attacks.

This article is another example of why GrapheneOS cares about memory corruption so much. MTE is the largest security enhancement we have.

Small edit for clarification: Despite all these technical details it is still a trivial way to get infected. Cellebrite unlocks the device, and with that unlocked access the user installs spyware on the device. By the sounds of things the malware needed input from a malicious user or access by a cooperator to be installed. Using numerous new ITW exploits is still extremely dangerous though.

They patched these vulnerabilities, which is great, but that won't change that a party having those tools will be able to have total control of vulnerable devices that Cellebrite has exploits to unlock. If they have your credentials, whatever data was on there is no longer private to you, zero-day malware or otherwise. OEMs need to focus on patching not just the exploits the spyware tools use, but also the exploits used by the tools that give them the access to install malware in the first place.

MTE protects against both of these and evidently that technology has inhibited Cellebrite from succeeding.
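To make concrete why memory tagging stops the use-after-free and overflow bugs discussed above, here is a small software model of MTE-style tagging. It is an added example for this thread, not GrapheneOS, Qualcomm, Google or driver code: the 16-byte granules and 4-bit tags follow the real scheme, but the arena, the deterministic tag choice (hardware picks tags randomly) and the one-slot reuse cache are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of ARM MTE-style memory tagging, added as an illustration of
 * how tagging catches use-after-free and linear overflow. Not GrapheneOS,
 * Qualcomm or driver code; the arena, tag policy and reuse cache are
 * constructed for this example. */

#define GRANULE        16                 /* MTE tags memory in 16-byte granules */
#define ARENA_GRANULES 64
#define TAG_SHIFT      56                 /* pointer tag lives in the top byte */

typedef uint64_t tptr_t;                  /* tagged pointer: tag<<56 | arena offset */

static unsigned char arena[ARENA_GRANULES * GRANULE];
static uint8_t granule_tag[ARENA_GRANULES];   /* 4-bit allocation tag per granule */
static size_t  block_len[ARENA_GRANULES];     /* granules in the live block starting here */
static size_t  next_granule = 0;
static size_t  cached_off = 0, cached_n = 0;  /* last freed block, reused first */

static tptr_t  make_tptr(size_t off, uint8_t tag) { return ((uint64_t)tag << TAG_SHIFT) | off; }
static uint8_t tptr_tag(tptr_t p) { return (uint8_t)(p >> TAG_SHIFT) & 0xF; }
static size_t  tptr_off(tptr_t p) { return (size_t)(p & ((1ULL << TAG_SHIFT) - 1)); }

/* Next tag in 1..15 that differs from the granule's current tag. Hardware picks
 * randomly; a deterministic choice keeps the demo reproducible. */
static uint8_t fresh_tag(uint8_t current) { return (uint8_t)(current % 15 + 1); }

static tptr_t tagged_alloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE, off;
    if (n == 0) return 0;
    if (cached_n >= n) { off = cached_off; cached_n = 0; }        /* reuse freed slot */
    else if (next_granule + n <= ARENA_GRANULES) { off = next_granule; next_granule += n; }
    else return 0;                                                /* 0 = out of memory */
    uint8_t tag = fresh_tag(granule_tag[off]);
    for (size_t i = 0; i < n; i++) granule_tag[off + i] = tag;     /* colour the block */
    block_len[off] = n;
    return make_tptr(off * GRANULE, tag);
}

/* Free retags the block, so any pointer still carrying the old tag is stale. */
static int tagged_free(tptr_t p) {
    size_t off = tptr_off(p) / GRANULE, n = block_len[off];
    if (n == 0 || granule_tag[off] != tptr_tag(p)) return -1;     /* not live / stale */
    uint8_t tag = fresh_tag(granule_tag[off]);
    for (size_t i = 0; i < n; i++) granule_tag[off + i] = tag;
    block_len[off] = 0; cached_off = off; cached_n = n;
    return 0;
}

/* Every access compares the pointer tag with the granule tag; mismatch = fault. */
static int tag_check(tptr_t p, size_t idx) {
    size_t byte = tptr_off(p) + idx;
    return (byte < sizeof arena && granule_tag[byte / GRANULE] == tptr_tag(p)) ? 0 : -1;
}
static int tagged_store(tptr_t p, size_t idx, unsigned char v) {
    if (tag_check(p, idx)) return -1;
    arena[tptr_off(p) + idx] = v; return 0;
}
static int tagged_load(tptr_t p, size_t idx, unsigned char *out) {
    if (tag_check(p, idx)) return -1;
    *out = arena[tptr_off(p) + idx]; return 0;
}

/* Use-after-free: the stale pointer must be rejected after the free and again
 * after the allocator has handed the same slot to a new owner. Returns 1 when
 * every dangerous access was caught. */
static int demo_use_after_free(void) {
    unsigned char v;
    tptr_t victim = tagged_alloc(32);
    if (!victim || tagged_store(victim, 0, 0x41) || tagged_free(victim)) return 0;
    int caught_after_free  = tagged_load(victim, 0, &v) == -1;
    tptr_t newcomer = tagged_alloc(32);                 /* same slot, new colour */
    int slot_reused        = tptr_off(newcomer) == tptr_off(victim);
    int caught_after_reuse = tagged_load(victim, 0, &v) == -1;
    int caught_double_free = tagged_free(victim) == -1;
    return caught_after_free && slot_reused && caught_after_reuse && caught_double_free;
}

/* Linear overflow: one byte past a 32-byte block lands in a granule carrying a
 * different tag, so the write is refused. Returns 1 when it was caught. */
static int demo_linear_overflow(void) {
    tptr_t buf = tagged_alloc(32);
    if (!buf || tagged_store(buf, 31, 0x42)) return 0;  /* last in-bounds byte is fine */
    return tagged_store(buf, 32, 0x43) == -1;
}

int main(void) {
    printf("use-after-free caught: %d\n", demo_use_after_free());
    printf("linear overflow caught: %d\n", demo_linear_overflow());
    return 0;
}
```

The point the model makes is the one in the reply above: a freed block is recoloured, so a dangling pointer faults even after the slot is reused, and an adjacent block carries a different colour, so a linear overflow faults at the first out-of-bounds granule. Real MTE does the comparison in hardware on every load and store, which is why the mitigation does not depend on the driver author having anticipated the bug.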