Google’s Latest Android Fuck-Up: How Your Lock Screen Became an Optional Suggestion

Right then — gather round and let me tell you the delightful tale of how Android security got pantsed in front of a billion people.

Google, the absolute geniuses they are, have just patched CVE-2024-43093 and CVE-2024-50302, two High-severity holes that the March 2025 Android Security Bulletin flags as being under "limited, targeted exploitation", which is bulletin-speak for "someone is already using this on real people". These weren't just your bog-standard "oops we left a debug mode on" flaws. One lets a dodgy app poke about in other apps' private storage; the other lets anyone with a cable and bad intentions start walking past your lock screen like they were invited in for tea.

What Went Wrong? Everything.

First up, CVE-2024-43093, a lovely flaw in the Framework code behind the Files/DocumentsUI picker (ExternalStorageProvider, the bit that decides what a file picker is allowed to show). That code is supposed to keep apps out of Android/data, Android/obb and Android/sandbox, which is where other apps keep their private files on external storage, and apparently it handled that job like a drunk intern on their first shift: the path filter could be dodged, so a malicious app could rummage through other apps' files like a crackhead in a Poundland bargain bin. It's local only and needs the user to be tricked into a couple of taps, and it first got a patch in the November 2024 bulletin before turning up again in March. But that's just the appetiser.
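Google's own description of CVE-2024-43093 puts the cause at a Unicode normalisation mismatch in the filter: the string it checked was not the string the filesystem went on to resolve. The C below is an added illustration of that bug class, not the AOSP code and not the exact bypass used against the CVE; it shows the two mismatches easiest to reproduce offline, case (Android's emulated storage is case-insensitive) and ".." segments, and puts a naive prefix check next to one that canonicalises first and fails closed. The probe paths are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 512
#define MAX_SEGS 64

/* Directories a DocumentsUI-style provider must never expose:
 * other apps' private external storage. */
static const char *const blocked_prefixes[] = {
    "Android/data", "Android/obb", "Android/sandbox"
};
#define NBLOCKED (sizeof blocked_prefixes / sizeof blocked_prefixes[0])

/* 1 if path equals prefix or lies under it; fold selects case-insensitivity. */
static int has_prefix(const char *path, const char *prefix, int fold)
{
    size_t n = strlen(prefix);
    for (size_t i = 0; i < n; i++) {
        unsigned char a = (unsigned char)path[i], b = (unsigned char)prefix[i];
        if (a == '\0')
            return 0;
        if (fold ? tolower(a) != tolower(b) : a != b)
            return 0;
    }
    return path[n] == '/' || path[n] == '\0';
}

/* Naive filter: compares the caller's string exactly as supplied. */
int naive_is_blocked(const char *path)
{
    for (size_t i = 0; i < NBLOCKED; i++)
        if (has_prefix(path, blocked_prefixes[i], 0))
            return 1;
    return 0;
}

/* Canonicalise: split on '/', drop empty and "." segments, let ".." pop the
 * previous one. Returns -1 if ".." climbs above the root or the path is too
 * long, else 0 with the result in out. */
static int normalize_path(const char *path, char *out, size_t outsz)
{
    char tmp[MAX_PATH_LEN];
    const char *segs[MAX_SEGS];
    int nsegs = 0;

    if (strlen(path) >= sizeof tmp)
        return -1;
    strcpy(tmp, path);
    for (char *tok = strtok(tmp, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (nsegs == 0)
                return -1;          /* would escape the storage root */
            nsegs--;
            continue;
        }
        if (nsegs == MAX_SEGS)
            return -1;
        segs[nsegs++] = tok;
    }
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < nsegs; i++) {
        size_t n = strlen(segs[i]);
        if (used + n + 2 > outsz)
            return -1;
        if (i)
            out[used++] = '/';
        memcpy(out + used, segs[i], n);
        used += n;
        out[used] = '\0';
    }
    return 0;
}

/* Hardened filter: decide on the form the filesystem will actually resolve,
 * fold case, and fail closed when the path cannot be canonicalised. */
int hardened_is_blocked(const char *path)
{
    char norm[MAX_PATH_LEN];
    if (normalize_path(path, norm, sizeof norm) != 0)
        return 1;
    for (size_t i = 0; i < NBLOCKED; i++)
        if (has_prefix(norm, blocked_prefixes[i], 1))
            return 1;
    return 0;
}

int main(void)
{
    const char *probes[] = {                /* constructed probe paths */
        "Android/data/com.example/files",   /* blocked by both */
        "android/DATA/com.example/files",   /* case variant slips the naive check */
        "Download/../Android/data/x",       /* dot-dot slips the naive check */
        "Download/holiday.jpg",             /* legitimate, allowed by both */
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-34s naive=%d hardened=%d\n", probes[i],
               naive_is_blocked(probes[i]), hardened_is_blocked(probes[i]));
    return 0;
}
```

The lesson is the general one: a deny-list on paths has to be evaluated on the same canonical form the storage layer uses, and anything it cannot canonicalise gets denied rather than waved through.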

The main course? CVE-2024-50302, a spectacular cock-up in the Linux kernel's HID core, the bit that handles human-interface devices like keyboards, mice and gamepads, over USB and Bluetooth alike. The report buffer it allocates for talking to a device was sized from the device's own report descriptor and never zeroed, so whatever old kernel heap happened to be sitting in that memory got shipped straight back out to the device. Plug in something specially crafted (read: dodgy as fuck) that declares a nice fat report size, and the attacker scoops up kernel memory a few dozen bytes at a time: heap pointers that defeat KASLR, and whatever else happens to be lying around. On its own it's a leak rather than a takeover; chained with a memory-corruption bug in another USB driver, it's the step that makes the takeover reliable.

In other words, your phone’s security just got groped through the USB port.
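To make the leak concrete, here is a small C model of the bug class, added for this write-up and not taken from the kernel or from the original post: a kmalloc()-style allocator that hands back memory still holding its previous contents, a driver that fills only the one byte it actually knows about, and a device that receives the whole report. The upstream fix was precisely the second allocator below: hid_alloc_report_buf() moved from kmalloc() to kzalloc(). The "stale heap" contents, the 48-byte report size and the LED payload are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REPORT_BUF_MAX 64

/* Constructed stand-in for a recycled kernel heap chunk: whatever the previous
 * owner left behind. In the real kernel the attacker does not choose this, but
 * it is frequently a freed structure full of pointers, which is exactly what an
 * exploit chain wants in order to defeat KASLR. */
static uint8_t stale_heap[REPORT_BUF_MAX];

static void prime_stale_heap(void)
{
    static const char marker[] = "STALE-KERNEL-HEAP-DATA-SUCH-AS-A-POINTER"; /* 40 bytes */
    memset(stale_heap, 0, sizeof stale_heap);
    memcpy(stale_heap, marker, sizeof marker - 1);
}

/* kmalloc() model: returns memory still holding its previous contents. */
static uint8_t *kmalloc_sim(size_t len)
{
    if (len == 0 || len > REPORT_BUF_MAX)
        return NULL;
    uint8_t *buf = malloc(len);
    if (buf)
        memcpy(buf, stale_heap, len);
    return buf;
}

/* kzalloc() model: the upstream fix, same allocation but zero-filled. */
static uint8_t *kzalloc_sim(size_t len)
{
    uint8_t *buf = kmalloc_sim(len);
    if (buf)
        memset(buf, 0, len);
    return buf;
}

/* Build and "send" one output report the way a HID driver does. report_size
 * comes from the device's own report descriptor (attacker chosen); the driver
 * fills only the payload_len bytes it knows about, then hands all report_size
 * bytes to the device, which receives them in out. Returns how many bytes past
 * the payload are non-zero, i.e. old kernel heap that reached the device, or
 * (size_t)-1 on a malformed request. */
static size_t send_output_report(size_t report_size,
                                 const uint8_t *payload, size_t payload_len,
                                 int zero_init, uint8_t *out)
{
    uint8_t *buf = zero_init ? kzalloc_sim(report_size) : kmalloc_sim(report_size);
    if (!buf || payload_len > report_size) {
        free(buf);
        return (size_t)-1;
    }
    memcpy(buf, payload, payload_len);  /* the only bytes the driver writes */
    memcpy(out, buf, report_size);      /* the whole buffer goes to the device */
    free(buf);

    size_t leaked = 0;
    for (size_t i = payload_len; i < report_size; i++)
        if (out[i] != 0)
            leaked++;
    return leaked;
}

/* Scenario: the descriptor declares a 48-byte output report and the driver has
 * a single byte of LED state to send. Returns the number of leaked bytes. */
size_t leaked_bytes(int zero_init)
{
    uint8_t out[REPORT_BUF_MAX] = {0};
    uint8_t led_state = 0x01;
    prime_stale_heap();
    return send_output_report(48, &led_state, sizeof led_state, zero_init, out);
}

int main(void)
{
    printf("kmalloc'd report buffer: %zu stale bytes reach the device\n", leaked_bytes(0));
    printf("kzalloc'd report buffer: %zu stale bytes reach the device\n", leaked_bytes(1));
    return 0;
}
```

Run it and the kmalloc path reports 39 stale bytes reaching the device while the kzalloc path reports none. The device picks the report size in its descriptor and the slab's previous occupant picks the content, which is why a leak like this is worth so much to an exploit chain: it reads pointers out rather than planting anything, and it does so before the screen ever has to be unlocked.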

Who’s at Risk? Spoiler: You Are.

If your phone runs Android 12, 13, 14 or 15 (so basically every device anyone has actually heard of), congratulations! You're vulnerable until the March 2025 patch level lands on it. That's over a billion devices out there, just waiting to be digitally mugged by anyone with a USB gadget that lies about what it is. That includes every overpriced flagship from Samsung, Google, and whoever else still bothers making Android phones.

Enter Cellebrite: The Bastards’ Swiss Army Knife

Here's where it gets even better. Do you know who loved these vulnerabilities? Cellebrite, the "digital forensics" company that sells phone hacking toys to cops. Amnesty International's Security Lab, who frankly deserve a pint for this one, found forensic traces on a Serbian student activist's phone showing that the police had used Cellebrite's UFED to break in through the USB port with a chain of kernel bugs that included CVE-2024-50302.

That's right: the state-sponsored stalkers at the Serbian police plugged in their Cellebrite magic dongle, which promptly danced through Android's defences like a pissed-up stag do crashing a wedding. It unlocked the phone, dumped all the data, and, in the cases Amnesty documented in December 2024, was followed up by installing NoviSpy spyware for good measure.

And Google? The kernel fix for CVE-2024-50302 had been sitting upstream since late 2024, and it took Amnesty's report for it to make an Android bulletin. Because Google's security auditing is apparently done by a fucking labrador with cataracts.

Physical Access = Game Over

This whole episode proves something security people have been screaming about for decades: if someone gets physical access to your device and your software is Swiss cheese, you're toast. Google keeps waffling about "secure elements" and "Titan chips" and whatever bollocks they put in press releases, and they do one useful thing: they throttle PIN guessing. But they mean fuck all once the phone has been unlocked even once since it booted, because at that point the storage keys are already sitting in RAM, the USB stack is happily enumerating whatever you plug in even with the screen locked, and a weaponised USB gadget that owns the kernel can help itself.

You might think: "Well, just avoid getting arrested in Serbia!" But guess what? The same techniques could be used by border agents, corrupt employees, or any dodgy bastard who gets hold of your phone for five minutes. The friendly "free charging station" at the airport? A dumb charger only drives the power pins, but you have no way of telling a dumb charger from a "charger" with a small computer wired behind it, so that's now a security Russian roulette machine. Hope your holiday snaps were worth it.

Google’s ‘Patch Now’ Advice (Which No One Will Follow)

Of course, Google rushed out a patch in March 2025 after Amnesty rubbed their noses in it like a puppy who shat on the carpet. The fix went into the March 2025 Android Security Bulletin (the 2025-03-05 patch level covers both bugs), but good luck actually getting it promptly if you bought a phone from anyone other than Google; every OEM ships it on its own schedule, if at all for older models. Android updates are like pissing into the wind: if the manufacturer can't be arsed, you're left standing there with your trousers down.

And let's be honest, the average user doesn't even know what a "security patch level" is. "About Phone > Android Version > Security Patch" might as well be a secret menu in a nuclear submarine. If you do know your way around, adb shell getprop ro.build.version.security_patch gives the honest answer, and anything earlier than 2025-03-05 means you're still exposed. So, most people? They're just wandering around one shady cable away from broadcasting their entire life to anyone who wants it.

Cellebrite — The Real MVP (Malicious Violation Professionals)

The real villain here is Cellebrite, whose entire business model is "turning phone security bugs into revenue". They package up these exploits like a Christmas selection box for authoritarian regimes, slap a shiny forensic label on it, and pretend they’re the good guys.

When they got caught, they did their usual "oh, we only sell to ethical law enforcement" routine, followed by an announcement that they'd stopped the relevant Serbian customers from using their kit. Serbian police, ethical? Pull the other one.

Cellebrite’s kit doesn’t just unlock phones for investigations — it hands oppressive governments a free pass to spy on anyone they feel like. Activists, journalists, political opponents — all fair game. It’s not digital forensics. It’s state-sponsored burglary with a user manual.

What You Should Do (Besides Drinking Heavily)

  1. Update your phone if you can, and check you actually got it: the security update date under About phone should read 5 March 2025 or later. If your phone is too old to get updates? It's a digital time bomb. Bin it.

  2. Never, ever plug your phone into a random USB port. If you must charge from something you don't own, use a charge-only cable or a USB data blocker. That "free charging station" is now a crime scene waiting to happen.

  3. If you're at risk, power the phone fully off whenever it leaves your hands. A phone that has rebooted and not yet been unlocked keeps its file keys sealed behind your PIN, which is a far harder target than one that's merely screen-locked. On managed devices, admins can switch USB data signalling off outright (Android 12 and later expose this through the device policy API). And treat every USB cable like it's dipped in anthrax.

  4. If you do get arrested in Serbia, throw your phone into the nearest body of water and claim you only own a Nokia 3310.

The Bottom Line

This is not just a "oops, update your phone" situation. This is Google, Android OEMs, and Cellebrite being caught with their pants down, dancing around with your private data in full view.

  • Google built a house with no locks.

  • Cellebrite handed burglars the blueprint and a battering ram.

  • And Serbian police couldn’t wait to kick the door in.

Security is not optional. Physical access should not equal ‘instant root’. And for the love of sanity, stop treating USB devices like they’re harmless. They’re not. They’re f**king weaponised plumbing, and this time the leak drowned a billion phones.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com