An independent mobile security researcher has discovered multiple vulnerabilities existing in two popular alternative Android browsers – Mercury and Dolphin.
Critical vulnerabilities have been detected in two commonly used Android browsers, including the tremendously popular Dolphin Android browser. The vulnerabilities could potentially allow an attacker to trigger remote code execution as well as arbitrary read/write access, reports The Register.
The vulnerabilities were identified by mobile security researcher Benjamin Watson, also known as ‘Rotlogix’. After the discovery, Rotlogix published entire descriptions in tandem with proof-of-concept code on both the affected browsers in his blog.
Not Stock, Still Popular Browsers
Although the browsers don’t come pre-installed like the stock Android browser, figures from the Google Play store show that the Dolphin browser has up to 100 million installs while the Mercury browser has about one million installs.
Related article: Tips for Protecting Data on Your Mobile Device
Rotlogix contacted the developers behind the applications and reported the vulnerabilities. The mobile researcher explains Dolphin can be exploited by simply manipulating the themes used in the browser with this attack:
“An attacker with the ability to control the network traffic for users of the Dolphin Browser for Android can modify the functionality of downloading and applying new themes for the browser.
Through the exploitation of this feature, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user’s device. The only user interaction this requires is selecting, downloading, and applying a new Dolphin Browser theme.”
With the expertise of some reverse engineering, the researcher noticed that Dolphin was designed to unzip and use a downloadable theme’s file. He proceeded to proxy the download traffic and inject a modified theme. This tweaked theme granted him the means to obtain an arbitrary write access to Dolphin’s data directory. With such privileges, he could create a crafted library that easily overwrites the one already present in the browser. Rotlogix calls this “full blown code execution.”
Dolphin is currently the third most popular alternative browser for Android after Chrome and Firefox. While an update was released on Monday, it is still unclear if it includes a patch for the remote code execution.
Mercury, on the other hand, has vulnerabilities with its Wi-Fi transfer feature. Rotlogix claims that an attacker could potentially “invoke private activities.” The bug includes reading data, downloads and uploads along with replacing files in the browser’s directory.
While the developers cook up a patch, Rotlogix is strongly recommending users try an alternative browser.