Major security vulnerabilities have been found in Dolphin and Mercury Android browsers. Security enthusiast Rotologix has revealed zero-day flaws in the Web browsers, which if exploited, allows attackers to perform remote code execution.

The Dolphin and Mercury browsers are quite popular on Android, racking in over 100 million users. Specifically, the Dolphin remote code execution exploit allows an attacker to replace the browser’s theme package with an infected counterpart.

Going further in, the exploit allows an attacker to modify the network traffic, which allows the person to modify the functionality of downloading and applying new themes to the browser. Once affected, a victim is only required to select, download, and apply a new Dolphin browser theme. The Dolphin browser hasn’t been updated since July, suggesting that all users are likely affected by the zero-day vulnerability.

“An attacker with the ability to control the network traffic for users of the Dolphin browser for Android, can modify the functionality of downloading and applying new themes for the browser,” Rotologix wrote in a blog post. “Through the exploitation of this functionality, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user’s device,” he added.

Moving on, Rotologix says that Mercury browser for Android is affected with an insecure Intent URI scheme implementation and a path traversal vulnerability that provides support to the Wi-Fi Transfer feature. “Chaining these vulnerabilities together can allow a remote attacker to perform arbitrary reading and writing of files within the Mercury Browser’s data directory,” he added.