UC Browser found to contain a feature that exposes its users to remote attackers
UC Browser seems to be extremely popular among smartphone users, having around 500 million downloads worldwide. However, recently, one of its functions initiated numerous concerns regarding the Alibaba Group-owned app and has encouraged numerous users to think about uninstalling the UC Browser and UC Browser Mini.
It seems that the feature responsible for updating these applications can also allow attackers to gain access to Android smartphones remotely, because it downloads and installs modules over unprotected channels and from unprotected servers. This mechanism, which in fact violates Google Play Store rules, exposes users to Man-in-The-Middle (MiTM) attacks: an attacker on the path can alter the update commands and substitute different addresses, so that the browser downloads malicious modules from a server that is not the vendor's own C&C server.
The issue was detected by experts from Doctor Web, who state that the update feature has been present since 2016. There is no information about Trojan or other malware distribution through it, but the ability to load and launch modules or execute code poses a threat to every user. Since this browser is used by hundreds of millions of people all over the world, all of those Android users may be at risk.
Popular mobile browser exposes users to Man-in-The-Middle attacks
UC Browser is one of the most popular mobile browsers, so there is no surprise that users have already been complaining about suspicious functions and features throughout the Internet.
Unfortunately, anyone who is using the UC Browser or UC Browser Mini cannot be sure that this extra module installation has not affected their device. MiTM attacks can lead to further, unexpected attacks on the device, and there is no way to confirm that cybercriminals have not already exploited this vulnerability.
Doctor Web's team explained:
A potentially dangerous updating feature has been present in the UC Browser since at least 2016. Although the application has not been seen distributing trojans or unwanted software, its ability to load and launch new and unverified modules poses a potential threat. It’s impossible to be sure that cybercriminals will never get ahold of the browser developer’s servers or use the update feature to infect hundreds of millions of Android devices.
Researchers have also created an example of such an attack. It shows how a potential victim downloads a document and tries to view it. When the browser requests the viewer plug-in from the C&C server, the attacker substitutes a different library, which the browser downloads and runs, and a message reading "PWNED!" appears on screen.
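The substitution described above succeeds because the update mechanism enforces neither transport security nor content authentication. The following is an added example, not UC Browser's or Doctor Web's code, of the two client-side checks whose absence makes the attack possible: the module bytes, the manifest, the vendor hostname and the `check_module` function are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample data: a "genuine" plug-in as the vendor would publish it, and the
# same plug-in as it might arrive after an on-path attacker swaps it out in transit.
# Neither is UC Browser code; both are placeholders for this example.
GENUINE_MODULE = b"libdocviewer-1.0: legitimate plug-in bytes (constructed sample)"
TAMPERED_MODULE = b"libdocviewer-1.0: PWNED! (constructed sample of a substituted library)"

# Hostnames the client is willing to fetch modules from (hypothetical vendor host).
ALLOWED_HOSTS = frozenset({"updates.example-vendor.invalid"})


@dataclass(frozen=True)
class ModuleManifest:
    """Entry from an update manifest the client already trusts (for instance shipped
    inside the APK): module name, download URL and the SHA-256 digest the vendor
    published for the module bytes."""
    name: str
    url: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_module(manifest: ModuleManifest, fetched_from: str, payload: bytes):
    """Decide whether a downloaded module may be loaded. Returns (accepted, reason).

    Two independent controls are enforced:
      1. transport: the bytes must have come over HTTPS from an allow-listed host, so
         an on-path attacker cannot redirect the download or rewrite it in flight;
      2. content: the bytes must match the digest pinned in the trusted manifest, so
         even a compromised or spoofed server cannot push an arbitrary library.
    A client that skips both controls is the situation the article describes.
    """
    parsed = urlparse(fetched_from)
    if parsed.scheme != "https":
        return False, f"refusing module '{manifest.name}': not fetched over https ({parsed.scheme})"
    if parsed.hostname not in ALLOWED_HOSTS:
        return False, f"refusing module '{manifest.name}': host {parsed.hostname!r} not allow-listed"
    actual = sha256_hex(payload)
    if actual != manifest.sha256:
        # Report both digests: this is the signal a defender wants logged when a
        # substituted library arrives, instead of the library silently loading.
        return False, (f"refusing module '{manifest.name}': digest mismatch "
                       f"(expected {manifest.sha256[:16]}..., got {actual[:16]}...)")
    return True, "ok"


# Manifest entry as the vendor would pin it for the genuine module (the digest is
# computed here only because the sample bytes are constructed inline).
MANIFEST = ModuleManifest(
    name="libdocviewer",
    url="https://updates.example-vendor.invalid/modules/libdocviewer-1.0.so",
    sha256=sha256_hex(GENUINE_MODULE),
)


def demo():
    """Replay three cases: a genuine download, a plain-http download rewritten by an
    on-path attacker, and a tampered module served from the legitimate https host."""
    cases = [
        ("genuine over https", MANIFEST.url, GENUINE_MODULE),
        ("tampered over http", MANIFEST.url.replace("https://", "http://"), TAMPERED_MODULE),
        ("tampered from https host", MANIFEST.url, TAMPERED_MODULE),
    ]
    results = {}
    for label, url, payload in cases:
        accepted, reason = check_module(MANIFEST, url, payload)
        results[label] = accepted
        print(f"{label:28s} -> {'LOAD' if accepted else 'REJECT'}: {reason}")
    return results


if __name__ == "__main__":
    demo()
```

The digest pin is what matters most here: HTTPS alone would not have helped if the vendor's own server were compromised, which is the second scenario Doctor Web raises in the quote above, whereas a manifest the client already trusts rejects any bytes the vendor did not publish regardless of where they came from.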
Violation of privacy rules
According to the researchers, malicious code can be executed on mobile devices, and the application can download other modules in a way that bypasses the Google Play servers. This activity violates Google Play rules and may lead to serious malware attacks, since arbitrary malicious code could be enabled on Android devices this way.
The vulnerability in the UC Browser therefore also bypasses Google's servers. The tech team behind Dr. Web has reported on all the issues surrounding this hidden feature, including this one:
Thus, the application is actually able to receive and execute code, bypassing the Google Play servers. This violates Google’s rules for software distributed in its app store. The current policy states that applications downloaded from Google Play cannot change their own code or download any software components from third-party sources. These rules were applied to prevent the distribution of modular trojans that download and launch malicious plug-ins.