UC Browser violates Google Play Store policies and raises security concerns by downloading extra modules

• UC Browser and UC Browser Mini Android apps violate Google Play Store policies by downloading and installing extra app modules thereby exposing its users to MitM attacks.
• This updating feature is present in the UC browser application since 2016.

What is the issue - UC Browser and UC Browser Mini Android apps violate Google Play Store policies by downloading and installing extra app modules thereby exposing its users to Man in the Middle (MitM) attacks.

Why it matters - It is to be noted that UC browser has been downloaded by over 500 million users.

The big picture

Doctor Web malware analysts uncovered a feature in UC browser that downloads extra app modules and runs executable codes on users’ devices. The researchers noted UC browser has the ability to download auxiliary software modules, bypassing Google Play servers.

• Researchers described that in their analysis, UC Browser downloaded an executable Linux library from a remote server.
• Upon downloading, the UC browser saved the Linux library to its directory and launched it for execution.

Worth noting

• This updating feature is present in the UC browser application since 2016.
• This feature can be exploited by attackers to perform Man in the Middle (MitM) attacks.
• MitM attacks help attackers to leverage UC Browser and distribute malicious plug-ins.

“Although the application has not been seen distributing trojans or unwanted software, its ability to load and launch new and unverified modules poses a potential threat. It’s impossible to be sure that cybercriminals will never get ahold of the browser developer’s servers or use the update feature to infect hundreds of millions of Android devices,” researchers said.

How would an attack work?

• UC Browser sends a request to the C&C server to download new plug-ins.
• In response to the request, the UC browser receives a link to file.
• Attackers can get hold of the requests from the UC browser since its communication to the C&C server is carried over an unsecured channel.
• Attackers can then replace the commands with ones containing different addresses.
• This makes the UC browser download new modules from the malicious server instead of its C&C server.

Doctor Web researchers also created a demo video showing how when a potential victim just wants to view a PDF document using UC Browser but the browser downloads a plug-in module from the C&C server.

What's the conclusion - Upon detecting the potential dangerous feature in UC Browser and UC Browser Mini, Doctor Web analysts notified the developer of both browsers about the feature. Later, Doctor Web notified the issue to Google. However, both browsers are still capable of downloading new modules.