
Because of the additional safety layers on mobile devices, such as application sandboxing, exploitation usually requires chaining multiple vulnerabilities to achieve remote code execution with high privileges. Mobile devices, including mobile browsers, are targeted by commercial surveillance vendors (CSVs) that sell their products to governments and intelligence agencies. These customers usually want to extract information from their targets' mobile phones, either remotely or through physical access.
One example is an exploitation chain that combined three vulnerabilities to unlock the seized Android phone of a student worker in Serbia last year, using a product developed by the Israeli digital forensics company Cellebrite. One of the vulnerabilities used in the chain, CVE-2024-53104, affects the Android USB Video Class (UVC) kernel driver and was patched in February. The other two vulnerabilities, CVE-2024-53197 and CVE-2024-50302, were patched in the Linux kernel, on which Android is based.
Google GTIG researchers said, "While we still hope that government-backed actors will continue their historical role as key players in zero-day exploitation, CSVs now contribute a significant amount of zero-day exploitation." "Although the total count of zero-days attributable to CSVs declined from 2023 to 2024, due to their increased emphasis on operational security practices, the 2024 count is still much higher than the counts for 2022 and the years before it."

