How a Wormhole‑Style Vulnerability in 360 Browser Enables Remote Code Execution on Android

360 Browser is a widely used PC and mobile browser in China, with over 460 million downloads across 360, Tencent, and Wandoujia markets. It is known for emphasizing user device security.

Twenty‑four hours ago the WuYun vulnerability platform reported a new bug in 360 Browser. Subsequent detailed analysis of the 360 Secure Browser (package com.qihoo.expressbrowser) uncovered a severe “wormhole” vulnerability.

The flaw resembles the Wormhole/DimensionDoor exploits: a specially crafted HTTP service can be triggered to open a back‑door. Even after applying an app‑level patch, the HTTP service remains active; the only way to stop it is to manually pause the service in system settings or reboot the device.

To remediate the issue, Qihoo released a test build 6.9.9.71 on November 23. Versions released before that date, such as 6.9.9.70, are vulnerable. Users who have not updated past November 23 should upgrade to 6.9.9.71 or later and restart their phones.

The vulnerability enables remote code execution on any Android phone with 360 Browser installed. On rooted devices, an attacker can fully control the phone—install arbitrary APKs, read emails and SMS, and manipulate the camera and microphone. On non‑rooted devices, the attacker can share the browser’s permissions to send/receive SMS, read call logs, access browsing history, and control the camera and microphone.

As of November 23, most users had not yet upgraded to the latest version. This blog post was published to alert users promptly; a detailed analysis report and the exploit code will be released in a follow‑up post.

A proof‑of‑concept video demonstrates the vulnerability on a rooted phone, where a remote trigger replaces a legitimate banking app with an arbitrary application.