Rotologix, a cyber-security enthusiast, has found out zero-day
flaws, which could allow an attacker to perform remote code execution, in two
popular Dolphin and Mercury Android mobile browsers, which have 100 million
users.
The remote code execution exploit allows an attacker to
replace the browser's theme package with an infected counterpart.
“The Mercury Browser for Android suffers from an insecure
Intent URI scheme implementation and a path traversal vulnerability within a
custom web server used to support its WiFi Transfer feature. Chaining these
vulnerabilities together can allow a remote attacker to perform arbitrary
reading and writing of files within the Mercury Browser's data directory,” the
researcher posted in a blog post.
It is said that the exploit allows the attackers to modify
the downloading and applying new themes functions to the browser. Those who are
affected, need to download, and apply a new Dolphin browser theme all again.
And for Dolphin, Rotologix said, "An attacker with the
ability to control the network traffic for users of the Dolphin browser for
Android, can modify the functionality of downloading and applying new themes
for the browser. Through the exploitation of this functionality, an attacker
can achieve an arbitrary file write, which can then be turned into code
execution within the context of the browser on the user's device.”