Vulnerabilities Identified in Dolphin, Mercury Android Browsers

Vulnerabilities exist in two fairly popular alternative browsers for Android, Dolphin and Mercury, that, depending on the browser, could result in either remote code execution or arbitrary read/write access.

Mobile security researcher Benjamin Watson, who blogs under the guise of Rotlogix, discovered the browser vulnerabilities and published descriptions of both, along with proof-of-concept code, over the weekend.

Assuming the attacker and user are on the same shared network environment, an attacker can exploit the Dolphin vulnerability when the user downloads and applies a new theme for the browser.

Through some reverse engineering, Rotlogix discovered that Dolphin has the functionality to unzip and apply a theme’s file. But by proxying the download traffic, Rotlogix found he could inject a modified theme and in turn, achieve an arbitrary write into the browser’s data directory. Once in, he also found he could create a crafted library that could overwrite the one already on the browser and result in what he calls “full blown code execution.”

Rotlogix penned a blog entry on the vulnerability last Friday and claimed Dolphin developers were aware of the issue. When asked Monday when a fix for the vulnerability would arrive, a spokesperson with the company claimed it was working on a fix for the issue.

Dolphin, run by San Francisco-based Mobotap, Inc., boasts between 50,000,000 and 100,000,000 installs and, after Chrome and Firefox, is one of the more popular alternative browsers for Android. An update for the browser actually came Monday, but it’s unclear whether the latest version includes a fix for the remote code execution issue at hand.

The issue with Mercury, an Android browser produced by iLegendSoft, Inc., stems from a combination of what Rotlogix describes as an insecure Intent URI scheme implementation and a path traversal vulnerability. Mercury’s bugs are mostly rooted in its WiFi Transfer feature. Via a malicious HTML page an attacker could “invoke private Activities,” according to Rotlogix.

It took a little digging around, but through the path traversal vulnerability Rotlogix found he could exploit the feature to not only read data from Mercury’s data directory, but also download, upload and replace certain files in the browser’s directory.

iLegendSoft did not immediately respond to Threatpost’s request for comment, but in the meantime Rotlogix is urging users to remove the browser and use another until the issue is addressed.

This article was updated on Aug. 24 to include Dolphin’s response.

Discussion

  • Michael_Dolphin on

    Michael from Dolphin Browser here. Wanted to provide an update on this situation. We found out the root cause of this issue & applied the fix. Since the fix is currently undergoing a staged rollout, it will take at least 24 hours to apply the fix to all Dolphin users. If you would like to test the fix immediately, the APK is here -> https://www.dropbox.com/s/z6k2rmishvnwvwh/DolphinOne_EN__88_Release_Signed.apk?dl=0 If you do have any additional questions or concerns, you can reach out to us via social media or at support@dolphin.com. Best, Michael Dolphin Team
  • Quan Yuan on

    Wanted to provide an update on this situation. We found out the root cause of this issue & applied the fix. Since the fix is currently undergoing a staged rollout, it will take at least 24 hours to apply the fix to all Dolphin users. If you would like to test the fix immediately, the APK is here -> https://www.dropbox.com/s/z6k2rmishvnwvwh/DolphinOne_EN__88_Release_Signed.apk?dl=0

    Here is a quick update about this fix/issue:

    1. Dolphin Themes were previously downloaded through HTTP protocol, when it should have been HTTPS protocol.
    2. Dolphin did not previously verify the Theme package, which left room for exploitation. We added additional security checks to make sure Theme packages are safe before users apply them to Dolphin Browser.
    3. Dolphin previously did not perform security checks for our dynamic libraries (e.g. libdolphin.so:). The new security patch will verify and make sure these library files are not modified before they are loaded.

    We're committed to making sure our users are secure and are doing our best to address any issues as they come up. If you do have any additional questions or concerns, you can reach out to us via social media or at support@dolphin.com.
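
The kind of theme-package check described in the article and in the fix list above, as an added example that is not Dolphin's code and not part of the comment. It assumes the theme store publishes a SHA-256 digest over an authenticated channel and that the arbitrary write depended on archive entry names resolving outside the theme directory; the function names and the sample archives are constructed for illustration.

```python
import hashlib
import io
import os
import zipfile


class ThemeRejected(Exception):
    """Raised when a theme package fails a pre-extraction check."""


def safe_extract_theme(package: bytes, expected_sha256: str, dest_dir: str) -> list:
    """Verify a theme archive, then extract it strictly inside dest_dir."""
    # 1. Integrity: compare with a digest fetched over an authenticated
    #    channel (assumption: the store publishes one per theme).
    if hashlib.sha256(package).hexdigest() != expected_sha256.lower():
        raise ThemeRejected("digest mismatch: package differs from published theme")

    root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        # 2. Confinement: resolve every entry first and reject the whole
        #    archive if any path lands outside the theme directory.
        targets = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ThemeRejected(f"entry escapes theme dir: {info.filename!r}")
            targets.append((info, target))
        # 3. Only after all entries pass, write them to the resolved paths.
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(os.path.relpath(target, root))
    return written


def build_zip(entries: dict) -> bytes:
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Validating all entries before writing any of them means a rejected archive leaves nothing behind in the theme directory.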
