Major vulnerabilities have been detected in Dolphin and Mercury Android browsers that could have provided cybercriminals with the opportunity to launch zero-day attacks.
This is considered to be a notable discovery. With both browsers growing in popularity – it is estimated that over 100 million downloads have been made between the two browsers – the fallout of a potential attack could be huge.
The flaws were uncovered by Benjamin Watson, a mobile security researcher who blogs under the pseudonym of rotlogix.
With regards to Dolphin, the expert wrote that the vulnerability makes it possible for attackers to perform remote code execution.
“An attacker with the ability to control the network traffic for users of the Dolphin browser for Android, can modify the functionality of downloading and applying new themes for the browser,” he explained.
“Through the exploitation of this functionality, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user’s device.”
As for Mercury, Mr Watson said that the defect evident in this browser could allow a cybercriminal to remotely perform arbitrary reading and writing of files within its data directory.
This is made possible through a weakness in the implementation of the Intent URI scheme – because of this, an attacker can “invoke private activities through a crafted HTML page”.
Also observed in Mercury was a path traversal vulnerability. This was found within a custom web server used to support the browser’s Wi-Fi transfer feature. The anomaly meant that he could read data within its data directory.
“This was a great find in the sense that it meant I could essentially download and exfiltrate files being stored by the browser’s data directory,” Mr Watson discussed.
“It did not take me long as well to validate that I could write and overwrite files within the browser’s directory using the upload functionality and path traversal vulnerability.”
The security professional has recommended that users of Dolphin and Mercury immediately cease using the browser while patches are made. Both have been made aware of the vulnerabilities.