UC Browser is one of the most popular mobile browsers, especially in China and India, with a user base of more than 500 million users worldwide.
According to a new report published today by the security firm Dr. Web, UC Browser for Android has since 2016 shipped with a “hidden” feature that lets the company download new libraries and modules from its servers at any time and install them on users’ mobile devices.
UC Browser Plug-ins Can Be Replaced via MiTM Attack
It turns out the feature talks to the company’s server over plain HTTP rather than encrypted HTTPS, so an attacker on the network path can perform a man-in-the-middle (MiTM) attack and push malicious modules to targeted devices.
“Since UC Browser works with unsigned plug-ins, it will launch malicious modules without any verification,” the researchers say.
Dr. Web researchers demonstrated how they were able to use an MiTM attack to replace the plug-in used to view PDF documents with malicious code, which made UC Browser compose a new text message instead of opening the file.
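To make the two defects concrete, the Python sketch below is an added example (not code from the Dr. Web report or from UCWeb) that models a plug-in loader. The vulnerable path does what the researchers describe: fetch a module over HTTP and run it with no check. The hardened path refuses plaintext transport and refuses any module that does not match an integrity pin shipped inside the app. The URL, the plug-in bodies and the pinned SHA-256 digest are constructed assumptions; real UC Browser plug-ins are native or Dalvik code, and a production fix would verify a signature against a public key pinned in the APK rather than a bare hash, which is used here only so the example runs with the standard library.

```python
import hashlib
import hmac

# Constructed sample plug-in bodies. Real UC Browser plug-ins are native or
# Dalvik code; Python source is used here only so the example can run anywhere.
LEGIT_PDF_PLUGIN = b"def handle(path):\n    return 'rendering ' + path\n"
# Stand-in for the attacker's module in the Dr. Web demo, which opened an SMS
# composer instead of the PDF.
TAMPERED_PDF_PLUGIN = (
    b"def handle(path):\n    return 'composing SMS instead of opening ' + path\n"
)

# Hypothetical integrity pin baked into the (signed) APK. A production fix would
# pin a public key and verify a signature over the module; a SHA-256 pin is used
# here so the example needs only the standard library.
PINNED_SHA256 = hashlib.sha256(LEGIT_PDF_PLUGIN).hexdigest()


def fetch(url, attacker_on_path=False):
    """Simulated network. An on-path attacker can rewrite a plaintext HTTP
    response body; an HTTPS response survives intact (TLS is modelled here,
    not implemented)."""
    if url.startswith("http://") and attacker_on_path:
        return TAMPERED_PDF_PLUGIN
    return LEGIT_PDF_PLUGIN


def run_plugin(blob, path):
    """Stand-in for DexClassLoader/System.load: executes whatever it is given."""
    namespace = {}
    exec(blob, namespace)
    return namespace["handle"](path)


def vulnerable_loader(url, attacker_on_path=False):
    """Mirrors the reported behaviour: fetch, then run, with no check at all."""
    return run_plugin(fetch(url, attacker_on_path), "report.pdf")


def verify_plugin(blob):
    """Integrity check: constant-time compare of the module's digest against
    the pinned value. Returns True only for the module the app expects."""
    digest = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(digest, PINNED_SHA256)


def hardened_loader(url, attacker_on_path=False):
    """Refuses plaintext transport and refuses any module that fails the pin.
    Raises ValueError instead of ever running an unverified module."""
    if not url.startswith("https://"):
        raise ValueError("refusing to fetch plug-in over plaintext HTTP")
    blob = fetch(url, attacker_on_path)
    if not verify_plugin(blob):
        raise ValueError("plug-in digest does not match the pinned value")
    return run_plugin(blob, "report.pdf")


if __name__ == "__main__":
    # Vulnerable: the attacker's module runs and "composes an SMS".
    print(vulnerable_loader("http://updates.example.invalid/pdf.so", attacker_on_path=True))
    # Hardened: transport is HTTPS and the digest matches, so the PDF renders.
    print(hardened_loader("https://updates.example.invalid/pdf.so", attacker_on_path=True))
```

The transport check and the integrity check are independent controls, and the second is the one that matters most: `verify_plugin(TAMPERED_PDF_PLUGIN)` returns False regardless of how the tampered module arrived, so a compromised update server or a stripped TLS connection is caught as well as an on-path rewrite. Moving the download to HTTPS alone would close only the MiTM case the researchers demonstrated.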
Google Play Store Policies Being Violated
This ability lets UCWeb download and execute arbitrary code on users’ devices without shipping a full new version of the app. It also violates Play Store policy, because the downloaded code bypasses Google’s servers.
“This violates Google’s rules for software distributed in its app store. The current policy states that applications downloaded from Google Play cannot change their own code or download any software components from third-party sources,” the researchers say.
“These rules were applied to prevent the distribution of modular trojans that download and launch malicious plug-ins.”
This dangerous feature is present in both UC Browser and UC Browser Mini, in all versions released to date.
Dr. Web responsibly reported its findings to the developer of UC Browser and UC Browser Mini, but the company declined even to comment on the matter. The researchers then reported the issue to Google.
UC Browser and UC Browser Mini are “still available and can download new components, bypassing Google Play servers,” researchers say.