
A number of Android vulnerabilities have made headlines in recent weeks. Back in July, news first broke about “Stagefright,” a bug that allows an attacker to remotely execute code using a specially crafted MMS. At around the same time that Google announced patches for this vulnerability, at least one of which has been shown to be ineffective, researchers uncovered another flaw that attackers could use to render an Android device unresponsive.

In the weeks that followed, a threat analyst at Trend Micro found two further vulnerabilities in the platform’s messaging functions. Successful exploitation of these latest bugs could block Android users from accessing their messages and/or result in multiple charges for SMS and MMS messages.

Android has clearly had its fair share of publicity this summer; recent developments suggest that attention won’t be shifting away anytime soon.

Over the weekend, a security researcher by the name of Rotlogix discovered that two popular browsers for Android are vulnerable to remote attacks.

In a post published on his blog, Rotlogix explains how an attacker can compromise the Dolphin Browser for Android:

“An attacker with the ability to control the network traffic for users of the Dolphin Browser for Android, can modify the functionality of downloading and applying new themes for the browser,” the researcher states. “Through the exploitation of this functionality, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user’s device.”

Image: Android Dolphin

Rotlogix exploited this vulnerability in the browser, which sports nearly 2.3 million downloads on Google Play Store, by proxying the theme download traffic with mitmdump and injecting a modified theme package. Building on earlier work by others on exploiting a browser theme’s unzipping process, the researcher was able to locate a library, libdolphin.so, living inside the app’s files directory, and to write his theme payload over it. Because the browser loaded the overwritten library, the arbitrary file write became code execution, which he demonstrated with a netcat listener.

“The only user interaction this requires is selecting, downloading, and applying a new Dolphin Browser theme,” explains Rotlogix.

Image: Rotlogix’s zip payload for Android Dolphin (Source: Rotlogix)

But that’s not all he found. While exploring the Mercury Browser for Android, which has approximately 16,500 downloads on Google Play Store, the security researcher discovered that the browser suffers from an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its WiFi Transfer feature. These two vulnerabilities, Rotlogix explains in a blog post, can be chained together: a crafted HTML page invokes the WiFi Manager Activity through the Intent URI scheme, the attacker captures the target device’s IP address, polls until the Activity has been invoked, and finally exploits the path traversal vulnerability in the web server. This chain of events allows a remote attacker to exfiltrate files from the browser’s directory.

Image: Android Mercury
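Both chains described above come down to a file path that the application never checked against the directory it was supposed to stay in: a theme archive entry that climbs out of the extraction directory into the app’s files directory, and an HTTP request path that climbs out of the directory the WiFi Transfer server is meant to serve. The following is an added example, not code from the article or from either browser, showing the containment check that defeats both, run over a constructed theme zip (with a deliberately traversing entry) and a few constructed request paths. The directory names, file names and `demo()` helper are assumptions for illustration.

```python
import io
import os
import tempfile
import zipfile
from urllib.parse import unquote


def is_within(root: str, candidate: str) -> bool:
    """True only if candidate normalises to root itself or to something below it.
    realpath() collapses '..' segments and symlinks, so the comparison is on the
    final resolved location rather than on the text of the path."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    return candidate == root or candidate.startswith(root + os.sep)


def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract a theme package, skipping any entry whose name would land outside
    dest (absolute names or '..' climbing). Returns (written, rejected) names."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = os.path.join(dest, name)
            if os.path.isabs(name) or not is_within(dest, target):
                rejected.append(name)
                continue
            zf.extract(info, dest)
            written.append(name)
    return written, rejected


def resolve_request_path(root: str, url_path: str):
    """Map an HTTP request path onto the served directory (the WiFi Transfer
    case). Returns the filesystem path, or None when the request escapes root.
    Percent-encoded dots are decoded first so '%2e%2e' is treated like '..'."""
    relative = unquote(url_path).lstrip("/")
    target = os.path.join(root, relative)
    if not is_within(root, target):
        return None
    return os.path.realpath(target)


def build_sample_theme() -> bytes:
    """Constructed sample: one legitimate entry plus one 'zip slip' entry whose
    name points two directories up, at a native library in the files directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/colors.xml", "<theme/>")
        zf.writestr("../../files/libdolphin.so", b"constructed attacker-controlled bytes")
    return buf.getvalue()


def demo() -> dict:
    """Run both checks over the constructed inputs and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "themes", "new")   # assumed theme directory
        os.makedirs(dest)
        written, rejected = safe_extract(build_sample_theme(), dest)
        library_untouched = not os.path.exists(os.path.join(tmp, "files", "libdolphin.so"))
    www = "/var/tmp/wifi-transfer"                    # assumed served directory
    return {
        "written": written,
        "rejected": rejected,
        "library_untouched": library_untouched,
        "ok_path": resolve_request_path(www, "/index.html"),
        "plain_traversal": resolve_request_path(www, "/../../../data/data/app/files/cookies.db"),
        "encoded_traversal": resolve_request_path(www, "/%2e%2e/%2e%2e/etc/passwd"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that recent versions of Python’s `zipfile.extract` already strip `..` components on extraction; the explicit check is still worth doing because it lets the application reject the whole package as malformed (and log it) rather than silently relocating the offending entry.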

As of this writing, both the Dolphin and Mercury browsers are still vulnerable to the attacks described above. Rotlogix therefore recommends that users uninstall the browsers and choose an alternative until both Dolphin and Mercury have been patched.

Title image courtesy of ShutterStock

  • Michael from Dolphin Browser here. Wanted to provide an update on this situation. We found out the root cause of this issue & applied the fix. The fix should be available for all users to download today, but in case it hasn't shown up in the Play Store yet, you can also download the APK directly here: https://www.dropbox.com/s/z6k2rmishvnwvwh/Dolphin

    Here is a quick update about this fix/issue:

    1. Dolphin Themes were previously downloaded through HTTP protocol, when it should have been HTTPS protocol.

    2. Dolphin did not previously verify the Theme package, which left room for exploitation. We added additional security checks to make sure Theme packages are safe before users apply them to Dolphin Browser.

    3. Dolphin previously did not perform security checks for our dynamic libraries (e.g. libdolphin.so). The new security patch will verify and make sure these library files are not modified before they are being loaded.

    We're committed to making sure our users are secure and are doing our best to address any issues as they come up. If you do have any additional questions or concerns, you can reach out to us via social media or at support@dolphin.com.

    Best,
    Michael
    Dolphin Team

    • joepettit

      Thanks for sharing that information, Michael!
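The Dolphin team’s update lists three controls: fetch themes over HTTPS, verify a theme package before applying it, and verify that native libraries have not been modified before loading them. The block below is an added example, not Dolphin’s code, showing the shape of the last two as an integrity check against a manifest of expected SHA-256 digests, together with a simple policy check for the download URL. The manifest, the `themes.example` host, the file contents and the `demo()` helper are constructed for illustration; a real implementation would ship the manifest inside the signed APK (or sign the packages themselves) so the expected digests cannot be swapped along with the files.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlparse


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large libraries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_allowed_theme_url(url: str, allowed_host: str) -> bool:
    """Only an https URL on the expected host may be used to fetch a theme.
    Plain http is what let a network attacker swap the package in transit."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname == allowed_host


def verify_before_load(path: str, manifest: dict) -> bool:
    """Refuse to load any file that is not listed in the manifest or whose
    digest differs from the expected value. compare_digest avoids leaking
    how many leading characters matched through timing."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of(path), expected)


def demo() -> dict:
    """Constructed scenario: a stand-in library is verified, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "libdolphin.so")
        with open(lib, "wb") as f:
            f.write(b"\x7fELF constructed stand-in for the real library")
        # In practice the manifest is produced at build time, not computed on device.
        manifest = {"libdolphin.so": sha256_of(lib)}
        clean = verify_before_load(lib, manifest)
        with open(lib, "r+b") as f:     # simulate the arbitrary file write
            f.seek(8)
            f.write(b"X")
        tampered = verify_before_load(lib, manifest)
        unlisted = verify_before_load(os.path.join(tmp, "libextra.so"), manifest)
    host = "themes.example"             # assumed theme host
    return {
        "clean_accepted": clean,
        "tampered_accepted": tampered,
        "unlisted_accepted": unlisted,
        "http_url_allowed": is_allowed_theme_url("http://themes.example/dark.zip", host),
        "https_url_allowed": is_allowed_theme_url("https://themes.example/dark.zip", host),
        "lookalike_host_allowed": is_allowed_theme_url("https://themes.example.evil.test/dark.zip", host),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Checking the digest at load time closes the window the researcher used: even if a package still manages to overwrite the library on disk, the modified file is rejected before any of its code runs.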