Rotologix, a cyber-security enthusiast, has found out zero-day flaws, which could allow an attacker to perform remote code execution, in two popular Dolphin and Mercury Android mobile browsers, which have 100 million users.
The remote code execution exploit allows an attacker to replace the browser’s theme package with an infected counterpart.
“The Mercury Browser for Android suffers from an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its WiFi Transfer feature. Chaining these vulnerabilities together can allow a remote attacker to perform arbitrary reading and writing of files within the Mercury Browser’s data directory,” the researcher posted in a blog post.
It is said that the exploit allows the attackers to modify the downloading and applying new themes functions to the browser. Those who are affected, need to download, and apply a new Dolphin browser theme all again.
And for Dolphin, Rotologix said, “An attacker with the ability to control the network traffic for users of the Dolphin browser for Android, can modify the functionality of downloading and applying new themes for the browser. Through the exploitation of this functionality, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user’s device.”