A very serious security hole has been discovered in Firefox for Android that allows a website to force the browser to download and run potentially damaging files, usually without the user's knowledge or interaction. The vulnerability was first described and demonstrated publicly on September 9th as part of a posting meant to advertise the attack as being for sale. The method for exploiting the weakness simply requires a webserver to instruct Firefox for Android to initiate a download, after which the downloaded file is automatically opened or executed (depending on the file type).

Here's a demonstration using an apk crafted to look like an update to Firefox:

While the demo video above uses an apk and relies on a user being tricked into installing it, the potential vectors of attack aren't restricted simply to apks and can possibly leverage other weaknesses on a device. Mozilla's browser, like many others, allows a server to begin sending a file without first prompting the user. Unlike other browsers, Firefox for Android also automatically attempts to open the file based on the file associations registered in the system, similar to the way desktop systems open a file when it is double-clicked. The real danger here is that the user is never prompted before the file is opened.

To fall victim to this attack, a person would merely have to be using Firefox for Android to visit a malicious site, or one that has been compromised. Given the popularity of hacking heavily trafficked sites, like MIUI.us just 2 weeks ago, this would be an easy method for infecting quite a few devices, especially if done very subtly.

Unfortunately, there is no clear way to disable this behavior in Firefox for Android. Due to the simplicity of exploiting the weakness and its potential for serious damage, we strongly recommend using an alternate browser until Mozilla changes this behavior to be more secure and less attractive to attackers.

Source: Inj3ct0r

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • tygr

    Well that's not good

  • guest

    I experienced it too. I went on some website (on firefox beta) and it redirected me to website which forced browser to download and launch apk. But still I had to press "install" button, so for now it isn't so dangerous I guess.
    Nevertheless it is not a good news.

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      The APK install process prompts the user to press Install. There are other things that don't prompt the user.

  • Brad

    Man, that's the best browser that uses flash on JB... Crap.

    • kbrosnan

      This only works if you have 'Unknown Sources' - 'Allow installation of apps from unknown sources' in the Android security settings enabled.

      • Brad

        which i do - for amazon app store

    • yahyoh

      sorry but FF crap specially on heavy site AOSP browser still the king ( chrome recently become better but no flash tho )

      • Brad

        I like ff's tab layouts. I don't really care for the way aosp browser looks... Trivial, I know.

        • http://papped.webatu.com papped

          Not to mention extension support for things like adblock wo root.

          • Brad

            And Phony

  • http://my.opera.com/rafaelluik Rafael Luik

    Well the average Joe user would open the downloaded file anyways...
    KEEP UNKNOWN SOURCES DISABLED, done. I haven't seen any Android malware that didn't require the option to be enabled and the user to press install himself/herself.

    • http://papped.webatu.com papped

      Yeah a lot of people will have it turned on due to titanium backup, amazon app store install, etc...

      • http://my.opera.com/rafaelluik Rafael Luik

        Yes unfortunately there's no education as for why the option is under the Security section... Well, maybe Google could detect the malicious APKs with Play Services' "Verify and install" but it'd become a cat and mouse situation. :/

      • jibust

        You don't need to have Unknown Sources enabled to be able to restore from Titanium Backup.

        • http://papped.webatu.com papped

          TB tells you to enable it... If you need it or not, people will enable it regardless.

          • Zebelious

            You are referring to the USB Debugging and not Unknown Sources option. I also confirm TB does not require the Unknown Sources option to be on. USB Debugging option warning can be disabled in Preference menu as well. This option was, mainly, necessary for pre-GB version and I never encountered a problem by leaving it turned off.

  • alamarco


    I only just switched to using Firefox a month ago. Looks like it's back to Chrome. I don't have unknown sources enabled, as I only enable it when I need it and disable it right away, but I still don't trust the browser until this is fixed.

  • kamiller42

    Mozilla takes security pretty seriously. I think they'll have an update very soon.

  • Marc

    Well this is no good. I was already suspicious when I randomly saw a downloading icon...followed by an "installation failed" notification. Would only happen on Firefox android...never happened on Firefox Aurora android.

  • เกรียนเทพ ดี อันลิมิเตด

    Firefox is the least browser I trust all of the three. (Chrome > Opera > Firefox)

  • Phoenix

    Looks like this has been patched on Aurora within the past few days.