Enterprise-specific zero-day exploits on the rise, Google warns
Because mobile devices add security layers such as application sandboxing, exploitation usually requires chaining multiple vulnerabilities together to achieve remote code execution with elevated privileges. Mobile devices, including mobile browsers, are particularly targeted by commercial surveillance vendors (CSVs) who sell their products to governments and intelligence agencies. These customers typically seek to obtain information from their surveillance targets’ mobile phones, either remotely or through physical access.
One example is an exploit chain that combined three vulnerabilities to unlock the seized Android phone of a student activist in Serbia last year with a product developed by Cellebrite, an Israeli digital forensics company. One of the vulnerabilities used in the chain, CVE-2024-53104, affects the Android USB Video Class (UVC) kernel driver and was patched in February. The other two vulnerabilities, CVE-2024-53197 and CVE-2024-50302, were patched in the Linux kernel, which Android is based on.
“While we still expect government-backed actors to continue their historic role as major players in zero-day exploitation, CSVs now contribute a significant volume of zero-day exploitation,” the Google GTIG researchers said. “Although the total count and proportion of zero-days attributed to CSVs declined from 2023 to 2024, likely in part due to their increased emphasis on operational security practices, the 2024 count is still substantially higher than the count from 2022 and years prior.”