It’s far from the most popular browser out there, but tens of millions of users have still downloaded Mozilla’s Firefox for Android. All of them might want to think twice about the sites they visit tonight, with news arriving that a remote exploit for the browser has gone up for sale on the black market.
When Firefox for Android loads a page from a malicious or compromised server, the exploit can make the browser download a file and open it without any interaction from the user.
If sideloading is enabled, those files can include APKs, in which case it can be a simple matter of tricking the user into tapping install by disguising the malicious app as something more innocuous; in the demonstration video, it is dressed up as a Firefox update. That may be the most obvious way to wreak havoc with this exploit, but it needn’t be the only one: any file type that has an app registered to handle it can be opened this way without user interaction. Chain that with a known exploitable bug in whichever app handles the file, and the same delivery path could hand that app its payload.
For the moment there’s no word of an official workaround, though turning off the installation of apps from non-Play sources (the “Unknown sources” toggle under Settings > Security) is a smart place to start, since it blocks the APK route. Note that it does nothing for the second route above: the browser will still hand other file types to the apps that handle them. If you’re worried, switch to another browser until Mozilla ships a fix, which will hopefully be soon.
Via: Android Police