Security flaws exposed in Dolphin, Mercury mobile browsers

Vulnerabilities exist in the Android mobile browsers which could allow for remote code execution or arbitrary read/write access.

A security researcher has discovered security problems in the Dolphin and Mercury mobile browsers.

Benjamin Watson, blogging under the name Rotlogix, revealed the existence of vulnerabilities within the Android-based mobile browsers. Last week, the security researcher said the flaws could lead to remote code execution or arbitrary read/write access.

Mobotap's Dolphin Browser for Android is a highly customisable browser for smartphones and mobile devices, including search bar tailoring and themes. Following Chrome and Firefox, the browser app is one of the most popular mobile browsers for the Android OS and boasts between 50 million and 100 million installations.

However, it is this customisation, specifically the download and installation of themes, that may place users at risk.

According to Watson, when new themes are downloaded, the files are transferred over HTTP as a standard .zip file under the extension .dwp. Through the use of a simple script, the downloaded theme can be intercepted and injected with a modified, malicious theme, which in turn allows for an arbitrary write in the Dolphin data directory.

The .zip payload can then be crafted to exploit the unzipping process of the browser theme. The researcher found that a malicious library could be uploaded to overwrite the original browser library, libdolphin.so, paving the way for full remote code execution.

When the malicious theme is applied, "full blown code execution" is possible, according to the researcher.
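
An added example (not code from Dolphin, Mobotap or the researcher) of the checks a theme installer needs before unpacking a downloaded .dwp archive: compare it against a digest obtained over a trusted channel, then refuse any entry that would land outside the theme directory or that is a native library. It assumes the overwrite works through entry paths that leave the theme directory, which the article does not spell out; the function names and the sample archive builder are constructed for illustration.

```python
import hashlib
import io
import zipfile
from pathlib import Path, PurePosixPath


class UnsafeTheme(Exception):
    """Raised when a theme archive fails a safety check."""


def verify_digest(blob: bytes, expected_sha256: str) -> None:
    # Plain HTTP gives no integrity guarantee, so compare against a digest
    # obtained over an authenticated channel (assumed to exist).
    if hashlib.sha256(blob).hexdigest() != expected_sha256.lower():
        raise UnsafeTheme("archive digest does not match the expected value")


def safe_extract(blob: bytes, theme_dir: Path) -> list:
    """Extract a theme archive only if every entry stays inside theme_dir."""
    root = theme_dir.resolve()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
        # Validate every entry before writing anything, so a bad archive
        # leaves no partial files behind.
        for info in entries:
            name = info.filename.replace("\\", "/")
            if name.startswith("/") or ".." in PurePosixPath(name).parts:
                raise UnsafeTheme("entry escapes theme directory: " + name)
            if root not in (root / name).resolve().parents:
                raise UnsafeTheme("entry resolves outside theme directory: " + name)
            if name.lower().endswith(".so"):
                raise UnsafeTheme("native library inside a theme: " + name)
        written = []
        for info in entries:
            target = root / info.filename.replace("\\", "/")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(root).as_posix())
    return written


def build_archive(entries: dict) -> bytes:
    """Build a constructed sample archive in memory (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```
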

The Mercury browser also captured the security researcher's attention, and was discovered to be vulnerable to arbitrary reading and writing of files in the browser's data directory. iLegendSoft's browser has been downloaded between 500,000 and 1,000,000 times.

Watson said the Wi-Fi transfer feature is at fault, due to "an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server" used to support the facility. The Wi-Fi transfer feature is used to share files online, but chaining the aforementioned vulnerabilities together results in an attacker being granted arbitrary read/write access.

Watson recommends that in both cases users avoid downloading and applying new themes, and they should also consider using a different browser altogether until patches have been issued.
