The Dolphin browser is one of the more popular browsers that can have a tailored search bar and themes. Between 50 and 100 million users have installed it. However, it is plagued by a vulnerability that can be exploited by a man-in-the-middle (MitM) attacker for arbitrary file writing and even remote code execution.
A hacker can create a theme file (skin) for the browser that can modify an existing Dolphin library loaded at startup (libdolphin.so) and execute arbitrary code. A user only has to select, download, and apply a new Dolphin Browser theme.
[27 August - Dolphin have responded - see comment below]
We are aware of the issues and have already fixed them. The new update has already been rolled out, and should reach 100% of users later today. Users can also download the apk directly: https://www.dropbox.com/s/z6k2rmishvnwvwh/DolphinOne_EN__88_Release_Signed.apk?dl=0
The Mercury Browser exposes users to attacks due to unpatched vulnerabilities. A remote attacker can read and write arbitrary files within the application’s data directory. It is not known if the iOS version has similar issues.
It has an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its Wi-Fi Transfer feature. A remote attacker can exploit the vulnerabilities by getting the victim to open a specially crafted HTML page.
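The containment check that a file-serving component such as a Wi-Fi transfer web server needs, shown as an added example that is not Mercury's code and does not come from the original article. The function name, directory layout and request strings are constructed for illustration, and Python stands in for the app's own language.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_request(served_root, request_target):
    """Map an HTTP request target to a file under served_root, or None to refuse."""
    # Drop query string and fragment, then percent-decode exactly once.
    path = unquote(request_target.split("?", 1)[0].split("#", 1)[0])
    # Conservative choice: refuse NUL bytes and backslashes outright.
    if "\x00" in path or "\\" in path:
        return None
    # Strip leading slashes so join() cannot be handed an absolute path.
    candidate = os.path.join(served_root, path.lstrip("/"))
    # realpath() collapses ".." and follows symlinks, so the containment
    # test below sees where the file really lives.
    real_root = os.path.realpath(served_root)
    real = os.path.realpath(candidate)
    # commonpath() compares whole components: "/x/shared_private" is not
    # inside "/x/shared" even though the strings share a prefix.
    if os.path.commonpath([real_root, real]) != real_root:
        return None
    return real if os.path.isfile(real) else None


def demo():
    """Constructed layout: only data/shared is meant to be reachable."""
    data = tempfile.mkdtemp()
    for rel, body in [("shared/photo.jpg", "ok"),
                      ("databases/history.db", "private"),
                      ("shared_private/notes.txt", "private")]:
        full = os.path.join(data, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    # A link inside the served folder that points at a private directory.
    os.symlink(os.path.join(data, "databases"), os.path.join(data, "shared", "db"))
    root = os.path.join(data, "shared")
    requests = ["/photo.jpg", "/../databases/history.db",
                "/%2e%2e/databases/history.db", "/../shared_private/notes.txt",
                "/db/history.db", "/photo.jpg?download=1"]
    return {r: resolve_request(root, r) is not None for r in requests}


if __name__ == "__main__":
    for target, served in demo().items():
        print(("SERVE " if served else "REFUSE"), target)
```

Only the two requests for `photo.jpg` are served; the plain, percent-encoded, sibling-prefix and symlink variants all resolve outside the served folder and are refused.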
ESET malware researcher Sieng Chye Oh said, “Google’s own policing of its Play Store has hugely improved but it is vital to download a mobile security app to keep malware off your device. Set the app to scan your phone regularly and automatically. There are many great apps available and free ones if you don’t have the budget. Other good approaches are to inspect every app’s permissions before downloading, ensuring you are running the latest update of Android available for your device, not using any old devices wherever possible, and above all not assuming you’re safer on Android.”
ESET also have a video on how to spot a dangerous app on Android.
In the immortal words of William Shakespeare, “I come to bury Caesar, not to praise him”. I do not want to bury Android but nor can I praise it. My take – use it as a consumer operating system only and take lots of precautions as 98% of the hackers’ attention is focused on this operating system.
And to quote another, “Where there is smoke there is fire”: there are over 2.8 million search references to the two words ‘Android vulnerabilities’ and many thousands of those are in the past month.
CVE lists 13 new Android vulnerabilities discovered to June this year – and another 41 since its release. Interestingly, Google’s other software has 1297 vulnerabilities and discovery is generally on the decline.
By comparison it lists a staggering 605 for iOS – but you seldom get to hear about them because “Apple does not comment,” and instead issues over-the-air security patches – something that Android cannot do at present.
Windows Phone had one minor vulnerability in 2012. Yes, it is safe.
Exploration of the CVE site (which is not easy or intuitive) shows a massive upswing in the discovery of vulnerabilities in Android, iOS, OS X and a downturn in Windows – one could assume they have just about found all they can in that OS that has its roots back to NT4.0 in the mid-90s.
It may be that 90% of the headline stories about Android security are due to a number of recent security events – Black Hat, RSA, Gartner et al. Whatever the cause, if you use an Android device you need added protection – ESET or many of the other anti-virus/malware products are a good start.
I can’t help but feel that Android – despite five main versions and a number of revisions – remains an immature product that was rushed to market in September 2008 to counter the success of the iPhone and perhaps spoil Windows Phone’s chances of gaining more market share. You can read Android’s brief history here.
Perhaps Lollipop was better than KitKat and Marshmallow will not have a soft center, but be warned – every Android device ever made is vulnerable and that can only be fixed when Google fixes it. How long, you ask – I suspect many long years before it is secure.