Zero-day vulnerabilities in Dolphin and Mercury browsers for Android

While attention is fixated on Chrome and Firefox on Android smartphones and tablets, there are many other browsers available for Android devices. Although these browsers may not be as popular as Chrome or Firefox, they have their own following.

One of these browsers is Dolphin for Android. It is mildly popular among Android users, with around 5 million downloads. A self-confessed Java nerd, @rotlogix has discovered a zero-day in Dolphin Browser that an attacker on the same network can exploit to achieve code execution on the user's device.

The flaw in Dolphin lies in the way it downloads and applies themes. An attacker with the ability to control the network traffic of Dolphin Browser for Android users (for example, an on-path attacker on a shared Wi-Fi network) can tamper with the theme download and the logic that applies the new theme. Through this tampered download the attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user's device. The only user interaction required is selecting, downloading, and applying a new Dolphin Browser theme.
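The following is an added example, not Dolphin's code, modelling the bug class the paragraph above describes: a theme fetched over a channel the attacker controls is swapped on the wire, an installer that trusts the archive yields an arbitrary file write, and the written file is a native library the browser later loads. The theme format (a zip archive extracted under the app data directory), the library path `lib/libdolphin.so`, the in-app digest catalogue and all sample bytes are assumptions constructed for the example. The hardened installer pins the package digest in the app, refuses traversal entries and native code, and checks the library against a build-time digest before it would be loaded.

```python
"""Model of the Dolphin theme-install flaw and a hardened installer (added example)."""
import hashlib
import io
import os
import shutil
import tempfile
import zipfile

LIB_NAME = "lib/libdolphin.so"  # assumed location relative to the app data dir


class ThemeRejected(Exception):
    pass


def make_theme(entries: dict) -> bytes:
    """Build a zip archive from {entry_name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def vulnerable_install(theme: bytes, data_dir: str) -> list:
    """Extract every entry exactly where its name points: arbitrary file write."""
    theme_root = os.path.join(data_dir, "themes")
    os.makedirs(theme_root, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(theme)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            dest = os.path.join(theme_root, info.filename)  # "../" is honoured
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.normpath(dest))
    return written


def hardened_install(theme: bytes, data_dir: str, expected_sha256: str) -> list:
    """Reject tampered packages, traversal entries and native code."""
    # Package integrity: digest pinned inside the app (assumed catalogue), so a
    # body altered in transit no longer matches regardless of the transport.
    if hashlib.sha256(theme).hexdigest() != expected_sha256:
        raise ThemeRejected("theme package digest mismatch")
    theme_root = os.path.realpath(os.path.join(data_dir, "themes"))
    os.makedirs(theme_root, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(theme)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.startswith("/") or "\\" in name or ".." in name.split("/"):
                raise ThemeRejected("unsafe entry name: " + name)
            if name.endswith(".so"):
                raise ThemeRejected("native code in theme: " + name)
            dest = os.path.realpath(os.path.join(theme_root, name))
            if os.path.commonpath([theme_root, dest]) != theme_root:
                raise ThemeRejected("entry escapes theme dir: " + name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(zf.read(info))
            written.append(dest)
    return written


def native_lib_matches_pin(data_dir: str, pinned_sha256: str) -> bool:
    """Compare the on-disk library with its build-time digest before loading it."""
    with open(os.path.join(data_dir, LIB_NAME), "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest() == pinned_sha256


def demo() -> dict:
    base = tempfile.mkdtemp()
    data_dir = os.path.join(base, "data")
    os.makedirs(os.path.join(data_dir, "lib"))
    genuine_lib = b"ELF: constructed stand-in for the genuine library"
    with open(os.path.join(data_dir, LIB_NAME), "wb") as fh:
        fh.write(genuine_lib)
    lib_pin = hashlib.sha256(genuine_lib).hexdigest()

    real_theme = make_theme({"theme.json": b'{"name": "dark"}'})
    catalogue_digest = hashlib.sha256(real_theme).hexdigest()  # assumed to ship in-app
    # What an on-path attacker substitutes for the plaintext HTTP response body:
    evil_theme = make_theme({"theme.json": b'{"name": "dark"}',
                             "../" + LIB_NAME: b"ELF: constructed attacker payload"})
    out = {}
    vulnerable_install(evil_theme, data_dir)
    out["lib_intact_after_vulnerable_install"] = native_lib_matches_pin(data_dir, lib_pin)

    with open(os.path.join(data_dir, LIB_NAME), "wb") as fh:  # restore the genuine library
        fh.write(genuine_lib)
    for label, digest in (("tampered_package", catalogue_digest),
                          ("traversal_entry", hashlib.sha256(evil_theme).hexdigest())):
        try:
            hardened_install(evil_theme, data_dir, digest)
            out[label] = "installed"
        except ThemeRejected as exc:
            out[label] = str(exc)
    out["genuine_theme"] = [os.path.basename(p)
                            for p in hardened_install(real_theme, data_dir, catalogue_digest)]
    out["lib_intact_after_hardened_install"] = native_lib_matches_pin(data_dir, lib_pin)
    shutil.rmtree(base)
    return out


if __name__ == "__main__":
    print(demo())
```

The second hardened run feeds the installer the attacker's own digest to show that the entry-name check stands on its own: even if the integrity check were bypassed, a `../` entry is refused before anything is written. Moving the download to HTTPS, as Dolphin's own fix does, closes the on-path substitution in the first place; the digest and library checks limit the damage if the transport is ever downgraded again.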

Rotlogix has published a complete proof-of-concept on his website. He says he has informed the Dolphin security team about the vulnerability. However, the Dolphin Browser page on Google Play shows no update since July 2015, which suggests the shipped version is still vulnerable. If you use Dolphin Browser, you would be well advised not to download or apply themes until a fix ships.

Rotlogix has also discovered a zero-day vulnerability in the somewhat less popular Mercury Browser for Android. Mercury Browser suffers from an insecure Intent URI scheme implementation and a path traversal vulnerability in the custom web server that backs its WiFi Transfer feature. Chaining the two allows a remote attacker to read and write arbitrary files within the Mercury Browser's data directory.

In order to combine these vulnerabilities into one exploitation chain, the following steps need to happen:

  • Serve a crafted HTML page that invokes the WiFi Manager Activity through the Intent URI scheme
  • Capture the IP address of the target device
  • Poll until receiving notice of the Activity invocation
  • Exploit the path traversal vulnerability and exfiltrate files from the browser's data directory
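The last step of the chain, the path traversal in the WiFi Transfer web server, modelled as an added example that is not Mercury's code. The directory layout (a share directory sitting inside the browser's data directory), the GET/PUT request shapes and the sample file contents are constructed assumptions; the Intent URI trigger and the IP capture of steps 1 and 2 are not modelled because the article gives no details of the Activity or its parameters. The vulnerable resolver decodes and joins the request path without checking where it lands; the hardened one canonicalises the result and refuses anything outside the share root.

```python
"""Model of a WiFi-transfer file server with and without path traversal (added example)."""
import os
import shutil
import tempfile
from urllib.parse import unquote


class Forbidden(Exception):
    pass


def vulnerable_resolve(share_root: str, url_path: str) -> str:
    # Decodes %2e%2e into "..", then joins without checking the result.
    return os.path.join(share_root, unquote(url_path).lstrip("/"))


def hardened_resolve(share_root: str, url_path: str) -> str:
    root = os.path.realpath(share_root)
    candidate = os.path.realpath(os.path.join(root, unquote(url_path).lstrip("/")))
    # realpath collapses "..", so a path that escaped the share directory no
    # longer has the share root as its common prefix.
    if os.path.commonpath([root, candidate]) != root:
        raise Forbidden(url_path)
    return candidate


def handle(resolve, share_root: str, method: str, url_path: str, body: bytes = b""):
    """Minimal GET/PUT handler in the style of a file-transfer web server."""
    target = resolve(share_root, url_path)
    if method == "GET":
        with open(target, "rb") as fh:
            return 200, fh.read()
    if method == "PUT":
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(body)
        return 201, b""
    return 405, b""


def demo() -> dict:
    base = tempfile.mkdtemp()
    data_dir = os.path.join(base, "app_data")  # stand-in for the browser's data directory
    share = os.path.join(data_dir, "wifi_share")  # assumed web root of the transfer server
    os.makedirs(share)
    os.makedirs(os.path.join(data_dir, "databases"))
    with open(os.path.join(data_dir, "databases", "history.db"), "wb") as fh:
        fh.write(b"constructed history database contents")
    with open(os.path.join(share, "photo.jpg"), "wb") as fh:
        fh.write(b"constructed jpeg bytes")

    out = {}
    # Legitimate use works with both resolvers.
    out["legit_get"] = handle(vulnerable_resolve, share, "GET", "/photo.jpg")[0]
    out["hard_get"] = handle(hardened_resolve, share, "GET", "/photo.jpg")[0]
    # Traversal read with a URL-encoded dot segment: exfiltrates a sibling directory.
    traversal = "/%2e%2e/databases/history.db"
    out["vuln_read"] = handle(vulnerable_resolve, share, "GET", traversal)[1]
    # Traversal write: plants a file outside the share directory.
    handle(vulnerable_resolve, share, "PUT", "/../planted.txt", b"attacker data")
    out["vuln_write_landed"] = os.path.exists(os.path.join(data_dir, "planted.txt"))
    # The hardened resolver refuses both while still serving the shared file.
    for method, path in (("GET", traversal), ("PUT", "/../planted2.txt")):
        try:
            handle(hardened_resolve, share, method, path, b"x")
            out["hard_" + method] = "allowed"
        except Forbidden:
            out["hard_" + method] = "blocked"
    shutil.rmtree(base)
    return out


if __name__ == "__main__":
    print(demo())
```

Checking the decoded, canonicalised path against the share root is the check that matters; rejecting the literal string `..` before decoding would miss the `%2e%2e` form used above, and any such server listening on the Wi-Fi network is reachable by every other host on it.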

Rotlogix says that it is better to delete Mercury Browser than to keep using it with this vulnerability.

2 COMMENTS

  1. Michael from Dolphin Browser here. Wanted to provide an update on this situation. We found out the root cause of this issue & applied the fix. Since the fix is currently undergoing a staged rollout, it will take at least 24 hours to apply the fix to all Dolphin users. If you would like to test the fix immediately, the APK is here -> https://www.dropbox.com/s/z6k2rmishvnwvwh/DolphinOne_EN__88_Release_Signed.apk?dl=0

    Here is a quick update about this fix/issue:

    1. Dolphin Themes were previously downloaded through HTTP protocol, when it should have been HTTPS protocol.

    2. Dolphin did not previously verify the Theme package, which left room for exploitation. We added additional security checks to make sure Theme packages are safe before users apply them to Dolphin Browser.

    3. Dolphin previously did not perform security checks for our dynamic libraries (e.g. libdolphin.so). The new security patch will verify and make sure these library files are not modified before they are being loaded.

    We’re committed to making sure our users are secure and are doing our best to address any issues as they come up. If you do have any additional questions or concerns, you can reach out to us via social media or at support@dolphin.com.

    Best,
    Michael
    Dolphin Team
