Beware! If you are using UC Browser on your smartphones, you should consider uninstalling it immediately.
Why? Because the China-made UC Browser contains a “questionable” ability that could be exploited by remote attackers to automatically download and execute code on your Android devices.
Developed by Alibaba-owned UCWeb, UC Browser is one of the most popular mobile browsers, specifically in China and India, with a massive user base of more than 500 million users worldwide.
According to a new report published today by Dr. Web firm, since at least 2016, UC Browser for Android has a “hidden” feature that allows the company to anytime download new libraries and modules from its servers and install them on users’ mobile devices.
Pushing Malicious UC Browser Plug-ins Using MiTM Attack
What’s worrisome? It turns out that the reported feature downloads new plugins from the company server over insecure HTTP protocol instead of encrypted HTTPS protocol, thus allowing remote attackers to perform man-in-the-middle (MiTM) attacks and push malicious modules to targeted devices.
“Since UC Browser works with unsigned plug-ins, it will launch malicious modules without any verification,” the researchers say.
“Thus, to perform an MITM attack, cybercriminals will only need to hook the server response from http://puds.ucweb.com/upgrade/index.xhtml?dataver=pb, replace the link to the downloadable plug-in and the values of attributes to be verified, i.e., MD5 of the archive, its size, and the plug-in size. As a result, the browser will access a malicious server to download and launch a Trojan module.”
In a PoC video shared by Dr. Web, researchers demonstrated how they were able to replace a plugin to view PDF documents with a malicious code using an MiTM attack, forcing the UC Browser into compiling a new text message, instead of opening the file.
“Thus, MITM attacks can help cybercriminals use UC Browser to spread malicious plug-ins that perform a wide variety of actions,” researchers explain.
“For example, they can display phishing messages to steal usernames, passwords, bank card details, and other personal data. Additionally, trojan modules will be able to access protected browser files and steal passwords stored in the program directory.”
UC Browser Violates Google Play Store Policies
Since the ability allows UCWeb to download and execute arbitrary code on users’ devices without reinstalling a full new version of UC Browser app, it also violates the Play Store policy by bypassing Google servers.
“This violates Google’s rules for software distributed in its app store. The current policy states that applications downloaded from Google Play cannot change their own code or download any software components from third-party sources,” the researchers say.
“These rules were applied to prevent the distribution of modular trojans that download and launch malicious plugins.”
This dangerous feature has been found in both UC Browser as well as UC Browser Mini, with all version affected including the latest version of the browsers released to this date.
Dr. Web responsibly reported their findings to the developer of both UC Browser and UC Browser Mini, but they refused even to provide a comment on the matter. It then reported the issue to Google.
At the time of writing, UC Browser and UC Browser Mini are “still available and can download new components, bypassing Google Play servers,” researchers say.
Such a feature can be abused in supply chain attack scenarios where company’s server get compromised, allowing attackers to push malicious updates to a large number of users at once—just like we recently saw in ASUS supply chain attack that compromised over 1 million computers.
So, users are left with just one choice to make… get rid of it until the company patches the issue.