UC Browser users may want to think twice before launching the app

UPDATED A popular mobile browser has left millions at risk of having their communications intercepted due to a vulnerability that can be used to launch unverified software, researchers have warned.

UC Browser, a mobile browser developed by Chinese tech conglomerate Alibaba, has been inadvertently used to install software onto the phones of Android users since at least 2016 – despite Google Play store rules aimed at preventing apps from doing so.

The hidden feature present within UC Browser potentially enables malicious code to be secretly downloaded onto Android devices using the service, according to researchers at Dr. Web, an antivirus company based in Russia.

“For example, during our analysis, UC Browser downloaded an executable Linux library from a remote server,” Dr. Web wrote in a blog post published yesterday.

“The library was not malicious; it is designed to work with MS Office documents and PDF files.

“Initially, this library was not in the browser. After downloading, the program saved the library to its directory and launched it for execution.

“Thus, the application is actually able to receive and execute code, bypassing the Google Play servers.”

Unverified modules

Dr. Web noted that while the UC Browser application has not been seen to be distributing trojans or malicious plugins per se, its ability to load unverified modules poses a threat of man-in-the-middle (MitM) attacks.

“To download new plugins, the browser sends a request to the command and control server and receives a link to a file in response,” said the researchers.

“Since the program communicates with the server over an unsecured channel (the HTTP protocol instead of the encrypted HTTPS), cybercriminals can hook the requests from the application.”

Bad actors would then be able to replace commands with new ones, possibly redirecting a user to a malicious server, Dr. Web said.
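A defender reviewing proxy captures can look for the behaviour Dr. Web describes: native code fetched over plain HTTP. The following is an added example, not code from Dr. Web or this article; the hostnames, file names and sample capture are constructed, and response bodies are assumed to be already decoded.

```python
import struct
from urllib.parse import urlsplit

ELF_MAGIC = b"\x7fELF"
ET_DYN = 3  # ELF e_type for a shared object (.so)
MACHINES = {3: "x86", 40: "arm", 62: "x86_64", 183: "aarch64"}


def parse_elf_header(body):
    """Return (bits, e_type, machine) for an ELF payload, else None."""
    if len(body) < 20 or body[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = body[4], body[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # malformed e_ident
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine follow the 16-byte e_ident array
    e_type, e_machine = struct.unpack_from(endian + "HH", body, 16)
    return (32 * ei_class, e_type, MACHINES.get(e_machine, str(e_machine)))


def flag_cleartext_native_code(records):
    """Flag HTTP (not HTTPS) responses whose body is an ELF shared object."""
    findings = []
    for url, body in records:
        header = parse_elf_header(body)
        if header is None:
            continue
        bits, e_type, machine = header
        if urlsplit(url).scheme.lower() == "http" and e_type == ET_DYN:
            findings.append({"url": url, "bits": bits, "machine": machine})
    return findings


def _fake_elf(ei_class, e_type, e_machine):
    """Constructed 20-byte little-endian ELF header prefix, not a real library."""
    ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0]) + bytes(8)
    return ident + struct.pack("<HH", e_type, e_machine)


# Constructed sample capture: (request URL, response body). Hosts are placeholders.
SAMPLE = [
    ("http://plugins.example.test/libdocview.so", _fake_elf(1, ET_DYN, 40)),
    ("https://cdn.example.test/libfoo.so", _fake_elf(2, ET_DYN, 183)),
    ("http://plugins.example.test/index.html", b"<html>hello</html>"),
]

if __name__ == "__main__":
    for hit in flag_cleartext_native_code(SAMPLE):
        print(hit)
```

Only the first sample record is flagged: it is the one shared object delivered over an unencrypted channel, where an on-path attacker could swap the file.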

“MitM attacks can help cybercriminals use UC Browser to spread malicious plugins that perform a wide variety of actions,” reads the blog post.

“For example, they can display phishing messages to steal usernames, passwords, bank card details, and other personal data. Additionally, trojan modules will be able to access protected browser files and steal passwords stored in the program directory.”

According to Google Play, UC Browser has been installed on approximately 500 million devices. The Lite version, UC Browser Mini, is also said to be affected by the same download behavior.

Google Play rules explicitly state that apps must not update by any means other than through the app store’s mechanism.

A representative from UC Browser told The Daily Swig: “As per concerns raised by Dr Web, UC has updated the UC Browser app on Google Play.

“UC is an international company and stands by its commitment to create a product that helps millions of users access benefits of mobile internet.”

This article has been updated to include comments from UC Browser.