The Chinese-made UC Browser has been found to contain a feature that remote attackers could exploit to download and execute code on Android devices automatically.
UC Browser was developed by Alibaba-owned UCWeb and is one of the most popular mobile browsers, particularly in China and India, with around 500 million users worldwide.
According to a new report published by the security firm Dr. Web, UC Browser for Android has a "hidden" feature that allows the company to download new libraries and modules from its servers at any time and install them on users' mobile devices.
Pushing Malicious UC Browser Plug-ins Using a MITM Attack
This feature downloads new plug-ins from the company's server over the insecure HTTP protocol rather than over encrypted HTTPS. This lets remote attackers perform man-in-the-middle (MITM) attacks and push malicious modules to targeted devices.
According to the researchers, because UC Browser accepts unsigned plug-ins, it launches malicious modules without any verification.
To perform a MITM attack, the attackers had to intercept the server response from https://puds.ucweb.com/upgrade/index.xhtml?dataver=pb and replace the link to the downloadable plug-in and the values of the attributes to be verified. As a result, the browser contacts a malicious server to download and launch a Trojan module.
The researchers provided a video demonstration in which they replaced the plug-in used to view PDF documents with malicious code via a MITM attack, which made UC Browser compose a new text message instead of opening the file.
In this way, MITM attacks let attackers use UC Browser to distribute malicious plug-ins that perform a wide variety of actions, such as displaying phishing messages to steal usernames, passwords and other sensitive data. Trojan modules can also access protected browser files and steal passwords stored in the program directory.
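The two weaknesses the report describes, cleartext transport and unsigned modules, are exactly what a signed-manifest update check closes. The following Go program is an added illustration of that check and is not UC Browser's or Dr. Web's code; the manifest fields, the Ed25519 release key, the hostnames and the plug-in bytes are all constructed for the example, since the page does not describe the real update format. It shows why rewriting the plug-in link or the digest in transit, swapping the module body, or serving the module over plain HTTP is each rejected before anything is loaded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// PluginManifest is a hypothetical update descriptor; the real format served
// from puds.ucweb.com is not described on the page, so these fields are assumed.
type PluginManifest struct {
	Name   string `json:"name"`
	URL    string `json:"url"`
	SHA256 string `json:"sha256"` // hex digest of the plug-in file
}

// SignedManifest is the manifest bytes plus an Ed25519 signature made with the
// vendor's offline release key (assumed; the page says plug-ins are unsigned).
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrInsecureTransport = errors.New("plug-in URL is not https")
	ErrBadSignature      = errors.New("manifest signature does not verify")
	ErrHashMismatch      = errors.New("plug-in digest does not match manifest")
)

// SignManifest is the release-side step: serialise the manifest and sign it.
func SignManifest(priv ed25519.PrivateKey, m PluginManifest) (SignedManifest, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}, nil
}

// VerifyPlugin is the client-side gate a module must pass before it is loaded.
// The behaviour the report describes amounts to skipping all three checks.
func VerifyPlugin(pub ed25519.PublicKey, sm SignedManifest, plugin []byte) (PluginManifest, error) {
	var m PluginManifest
	// 1. The manifest must verify under the pinned vendor key, so a MITM that
	//    rewrites the plug-in link or digest in transit breaks the signature.
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, err
	}
	// 2. Never fetch code over cleartext HTTP, even if the manifest says so.
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return m, ErrInsecureTransport
	}
	// 3. The downloaded bytes must match the digest the signed manifest commits to.
	sum := sha256.Sum256(plugin)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrHashMismatch
	}
	return m, nil
}

// DemoScenario runs four update attempts against VerifyPlugin and returns the verdicts.
func DemoScenario() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	plugin := []byte("constructed PDF viewer plug-in bytes") // stands in for the real module
	sum := sha256.Sum256(plugin)
	genuine := PluginManifest{Name: "pdfviewer", URL: "https://updates.example.invalid/pdfviewer.so", SHA256: hex.EncodeToString(sum[:])}
	signed, _ := SignManifest(priv, genuine)

	results := map[string]error{}
	// Legitimate update: signed manifest, https URL, matching digest.
	_, results["genuine"] = VerifyPlugin(pub, signed, plugin)
	// Manifest altered in transit (link and digest rewritten): signature fails.
	altered := signed
	altered.Manifest = []byte(`{"name":"pdfviewer","url":"http://updates.example.invalid/x.so","sha256":"00"}`)
	_, results["altered-manifest"] = VerifyPlugin(pub, altered, plugin)
	// Manifest intact but the module body was swapped: digest fails.
	_, results["swapped-module"] = VerifyPlugin(pub, signed, []byte("not the plug-in"))
	// Vendor-signed manifest that still points at plain http: transport check fails.
	httpOnly := genuine
	httpOnly.URL = "http://updates.example.invalid/pdfviewer.so"
	signedHTTP, _ := SignManifest(priv, httpOnly)
	_, results["http-url"] = VerifyPlugin(pub, signedHTTP, plugin)
	return results
}

func main() {
	for name, err := range DemoScenario() {
		fmt.Printf("%-17s -> %v\n", name, err)
	}
}
```

The order of the checks matters: the signature is verified before the manifest is parsed, so an attacker's rewritten manifest never influences which URL is contacted or which digest is compared. The transport check is kept even though the signature already protects the manifest, because a signed manifest that points at an http URL still exposes the module download itself to a MITM.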
UC Browser Violates Google Play Store Policies
Because UCWeb can download and execute arbitrary code on users' devices without shipping a full new version of the UC Browser app, the feature violates Play Store policy by bypassing Google's servers.
Under the current policy, an application downloaded from Google Play may not modify its own code or download software components from third-party sources.
This hazardous feature was found in both UC Browser and UC Browser Mini, in all versions including the latest.
Dr. Web submitted their findings to the developer of both UC Browser and UC Browser Mini, who declined to comment. The issue was then reported to Google.
UC Browser and UC Browser Mini are still available and can still download new components, bypassing Google Play's servers.
Users are therefore strongly advised to uninstall the browser until the company issues a patch.