Researcher discovers zero-day flaws in Dolphin and Mercury browsers for Android

Zero-day vulnerabilities in Dolphin and Mercury browsers for Android

While we are fixated on Chrome and Firefox browsers in Android smartphones and tablets, there are many other browsers available for Android devices. These browsers may not be as popular as Chrome or Firefox, they have their own fan following.

One of the browsers is Dolphin for Android. This browser is mildly popular among Android users with around 5 million downloads. A self confessed Java nerd, @rotlogix has discovered a zero-day in Dolphin browser which can be exploited by hackers to remotely execute files.

The flaw in Dolphin lies in the way it download and applies themes. An attacker with the ability to control the network traffic for users of the Dolphin Browser for Android, can modify the functionality of downloading and applying new themes for the browser. Through the exploitation of this functionality, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user’s device. The only user interaction this requires is selecting, downloading, and applying a new Dolphin Browser theme.

Rotlogix has given complete Proof-of-concept on his website here. He says that he has informed the Dolphin security team about the vulnerability. However, the Dolphin Browser page on Google Play suggests that it has not been updated since July 2015 suggesting it is still vulnerable to such attacks. If you are using Dolphin browser, you may be well advised not to download themes or apply them.

Rotlogix has also discovered a zero-day vulnerability in somewhat less popular Mercury browser for Android.  The Mercury Browser for Android suffers from an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its WiFi Transfer feature. Chaining these vulnerabilities together can allow a remote attacker to perform arbitrary reading and writing of files within the Mercury Browser’s data directory.

In order to combine these vulnerabilities into one nice exploitation chain here are the steps that need to happen:

  • Serve a crafted HTML page to invoke the WiFi Manager Activity with the Intent URI scheme
  • Capture the IP address from the target device
    Poll until receiving notice of the Activity invocation
  • Exploit the path traversal vulnerability and exfiltrate files from browser’s data directory

Rotlogix says that its better to delete Mercury browser than use it with this vulnerability.