Android Firefox exploit automatically downloads, opens files on your phone


It’s far from the most popular browser out there, but tens of millions of users have still downloaded Mozilla’s Firefox for Android. All those people might want to think twice about the sites they visit tonight, following news that a remote exploit for the browser has gone up for sale on the black market.

When Firefox for Android attempts to connect to a compromised server, this exploit can make the browser download and open a file without any interaction from the user.

If sideloading is enabled, those files can include APKs, in which case it can be a simple matter of tricking the user into tapping install by disguising the malicious app as something more innocuous – a Firefox update, in the demonstration video below. That may be the most obvious way to wreak havoc using this exploit, but it needn’t be the only one; any file type associated with an app can be opened in this manner without user interaction. Combined with a known exploitable condition in another app, this method could be used to deliver that payload.

For the moment, there’s no word of any obvious work-around, though disabling the installation of apps from non-Play sources would be a smart place to start. If you’re worried, just stop using Firefox altogether. Hopefully, Mozilla will be delivering a fix soon.

Source: Inj3ct0r
Via: Android Police

About The Author
Stephen Schenck
Stephen has been writing about electronics since 2008, which only serves to frustrate him that he waited so long to combine his love of gadgets and his degree in writing. In his spare time, he collects console and arcade game hardware, is a motorcycle enthusiast, and enjoys trapping blue crabs. Stephen's first mobile device was a 624 MHz Dell Axim X30, which he's convinced is still a viable platform. Stephen longs for a market where phones are sold independently of service, and bandwidth is cheap and plentiful; he's not holding his breath. In the meantime, he devours smartphone news and tries to sort out the juicy bits