Security Market Segment LS
Wednesday, 26 August 2015 15:58

Dolphin and Mercury Android browsers present serious risks – remove them now


Security firm ESET has issued a warning for the Dolphin browser, and Mercury browser for Android – both popular apps found in Google’s Play Store.

The Dolphin browser is one of the more popular browsers that can have a tailored search bar and themes. Between 50-100 million users have installed it. But, it is plagued by a vulnerability that can be exploited by a man-in-the-middle (MitM) attacker for arbitrary file writing and even remote code execution.

A hacker can create a theme file (skin) for the browser that can modify an existing Dolphin library loaded at start up ( and execute arbitrary code. A user only has select, download, and apply a new Dolphin Browser theme.

[27 August - Dolphin have responded - see comment below]

We are aware of the issues and have already fixed them. The new update has already been rolled out, and should reach 100% of users later today. Users can also download the apk directly:

The Mercury Browser exposes users to attacks due to unpatched vulnerabilities. A remote attacker can read and write arbitrary files within the application’s data directory. It is not known if the iOS version has similar issues.

It has an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its Wi-Fi Transfer feature. A remote attacker can exploit the vulnerabilities by getting the victim to open a specially crafted HTML page.

ESET malware researcher Sieng Chye Oh said, “Google’s own policing of its Play Store has hugely improved but it is vital to download a mobile security app to keep malware off your device. Set the app to scan your phone regularly and automatically. There are many great apps available and free ones if you don’t have the budget. Other good approaches are to inspect every app’s permissions before downloading, ensuring you are running the latest update of Android available for your device, not using any old devices wherever possible, and above all not assuming you’re safer on Android.”

ESET also have a video on how to spot a dangerous app on Android.


In the immortal words of William Shakespeare, “I come to bury Caesar, not to praise him”. I do not want to bury Android but nor can I praise it. My take – use it as a consumer operating system only and take lots of precautions as 98% of the hackers attention is focused on this operating system.

And to quote another “Where there is smoke there is fire” there are over 2.8 million search references to the two words ‘Android vulnerabilities’ and many thousands of those are in the past month.

CVE lists 13 new Android vulnerabilities discovered to June this year – and another 41 since its release. Interestingly Google’s other software has 1297 vulnerabilities and discovery is generally on the decline.

By comparison it lists a staggering 605 for iOS – but you seldom get to hear about them because “Apple does not comment,” and instead issues over the air security patches – something that Android cannot do at present.

 Windows Phone had one minor vulnerability in 2012. Yes it is safe.

Exploration of the CVE site (which is not easy or intuitive) shows a massive upswing in the discovery of vulnerabilities in Android, iOS, OS X and a downturn in Windows – one could assume they have just about found all they can in that OS that has its roots back to NT4.0 in the mid-90s.

It may be that 90% of the headline stories about Android security are due to a number of recent security events – Black Hat, RSA, Gartner et al. Whatever the cause if you use an Android device you need added protection – ESET or many of the other Anti-virus/malware products are a good start.

I can’t help feel that Android – despite five main versions and a number of revisions – remains an immature product that was rushed to market in September 2008 to counter the success of the iPhone and perhaps spoil Windows Phone’s chances of gaining more market share. You can read Android’s brief history here.

Perhaps Lollipop was better than KitKat and Marshmallow will not have a soft center but be warned – every Android device ever made is vulnerable and that can only be fixed when Google fixes it. How long you ask – I suspect many long years before it is secure.



26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Ray Shaw

joomla stats

Ray Shaw  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!



Recent Comments