Popular Android browsers open to hackers

Zero-day flaws found in Dolphin and Mercury Android browsers could allow hackers to perform remote code execution, according to security researchers.

Both browsers are available on Android devices with over 100 million downloads between the two. According to a security researcher who goes by the nickname of Rotlogix, the Dolphin remote code execution exploit allows a hacker to replace the browser's theme package with an infected counterpart.

"An attacker with the ability to control the network traffic for users of the Dolphin browser for Android, can modify the functionality of downloading and applying new themes for the browser," Rotologix said in a blog post. "Through the exploitation of this functionality, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user's device."

Another browser called Mercury has an “insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its WiFi Transfer feature. 

“Chaining these vulnerabilities together can allow a remote attacker to perform arbitrary reading and writing of files within the Mercury Browser's data directory,” Rotlogix said on another blog posting.

Rotlogix has contacted developers of both browsers who have since released patches for the vulnerabilities.

Bryan Lillie, chief technical officer of Cyber Security at QinetiQ told that for an IT department managing many user profiles, the safest bet is always to use widely recognised software. “Products that are well established and widely used are more likely to have good security built in and more likely to be regularly patched,” he said.

“Security and patching infrastructure is less clear on more niche products. So unless you are sure of the product, they are best avoided, especially in large corporate environments,” he added.

“Of course BYOD makes it ever harder to control who uses what. So in addition to choosing the most secure software as your company standard, you also need considered security policies regarding what people can do with personal devices connected to the network, and to be clear about where your data is stored and who has access to it,” said Lillie.

Nick Walker, head of Mobile Practice at MWR InfoSecurity, told that code execution vulnerabilities in any application are high risk, as exploitation of these bugs results in an attacker being able to do anything that the vulnerable application has the permissions to do, which in this case includes things like recording the microphone input, and accessing the user's media (pictures, downloads, etc).

“This being said, an attack of this type would not allow a complete compromise of a handset without the existence of another privilege escalation vulnerability on the device,” he said.

“The bug that has been identified would not lead to remote code execution under normal circumstances. It has been achieved through two separate bugs that have been chained together,” added Walker.

Walker said that for the first bug; an arbitrary file write, the application uses zip files to store the theme files, but at the same time the application does not validate the zip file contents, “which allows an attacker to force the application to extract files to any location that the dolphin browser has write access to”.

In the second bug, the application loads a library file from its local data directory.

“Normally the Android OS itself deals with the deployment and loading of native library files which prevent them being overwritten, as they are read only, with the exception of an official app store update. In this case, the developers of the application have chosen to do this in a non-standard way, and loads the file from its own, writeable directory,” said Walker.

“Combining these two issues, an attacker can use the arbitrary write to replace the native library and cause the application to load their own code.”

Walker added that as the browser up until now has not been patched it should not pose that much of a problem. “It only becomes an issue if this vulnerability is not patched in a timely manner. It's not clear from the author of the vulnerability if this was disclosed in advance and they have neglected to patch it, or whether the Dolphin Browser developers have been informed on a very short timescale.

Walker recommended  following responsible disclosure policies, whereby the developer is notified long before a vulnerability is made public, allowing adequate time to patch any issue.

This story originally appeared on

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.