Once again, the UC browser has made it into the news. This time, researchers found it to be exposing millions of users to the risk of cyber attack. Specifically, they found the UC browser downloading APKs from third-party sites without SSL/TLS, potentially exposing users to MiTM attacks at the very least.
UC Browser Risked Users To MiTM Attacks
Researchers from ZScaler noticed the UC browser exposing users to the risk of cyber attack. They discovered that the UC Browser and UC Browser Mini apps for Android were downloading an APK from a third-party server.
Detailing their findings in a blog post, the researchers explained that they found the apps generating requests to the site 9appsdownloading[.]com. Upon further investigation, they observed that the apps made these requests to download an additional APK, and that they did so over an unsecured connection.
During their analysis, they did not see any trace of the APK being installed on the device after the download. Even so, this behavior certainly exposed users to the risk of a man-in-the-middle (MiTM) attack.
The APK was downloaded over an unsecured channel (HTTP over HTTPS), opening the possibility for man-in-the-middle (MiTM) attacks.
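As an added example (not from the article or from ZScaler), the following Python check scans constructed proxy-log lines and flags APK downloads fetched over cleartext HTTP, the condition the researchers describe; the log format, the client addresses and every host other than 9appsdownloading[.]com are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the article):
# client, method, URL, HTTP status, response Content-Type
SAMPLE_LOG = """\
10.0.0.12 GET http://9appsdownloading.com/files/app-update.apk 200 application/vnd.android.package-archive
10.0.0.12 GET https://play.googleapis.com/download/by-token/download 200 application/vnd.android.package-archive
10.0.0.15 GET http://cdn.example-news.test/index.html 200 text/html
10.0.0.15 GET http://9appsdownloading.com/api/get?file=extra 200 application/vnd.android.package-archive
10.0.0.18 GET https://9appsdownloading.com/files/app-update.apk 200 application/octet-stream
"""

APK_MIME = "application/vnd.android.package-archive"
LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$")


def defang(host: str) -> str:
    """Render a host as 9appsdownloading[.]com so it is not clickable in a report."""
    return host.replace(".", "[.]")


def is_apk_download(url: str, ctype: str) -> bool:
    """Recognise an APK by its MIME type or by a .apk path suffix (the query string is ignored)."""
    return ctype.lower() == APK_MIME or urlsplit(url).path.lower().endswith(".apk")


def find_cleartext_apk_downloads(log_text: str) -> list[dict]:
    """Return one finding per APK fetched over plain http://, whatever the serving domain."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not fit the constructed format
        parts = urlsplit(m["url"])
        # Only cleartext HTTP is flagged: an on-path attacker can swap the APK bytes in transit.
        if parts.scheme != "http" or not is_apk_download(m["url"], m["ctype"]):
            continue
        findings.append({
            "client": m["client"],
            "host": defang(parts.hostname or ""),
            "path": parts.path,
        })
    return findings
```

Running `find_cleartext_apk_downloads(SAMPLE_LOG)` reports the two plain-HTTP APK fetches and ignores the HTTPS ones, including the one with an `application/octet-stream` content type.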
This was a serious risk considering that UC Browser has over 500 million downloads, while UC Mini has 100M+ downloads. It means the apps had put the security of millions of users at risk.
The researchers manually installed the suspicious APK, only to find another app store on their device, titled ‘9 Apps’. This app store not only scanned the device for installed apps but also included numerous adult apps. As a test, they installed one of the apps from that store and found that its download also linked back to the domain 9appsdownloading[.]com.
Violation Of Google Policies
Other than being a security risk, both apps also violated the policies of the Google Play Store. As per Google's policy, no app may download an APK from third-party sources.
An app distributed via Google Play may not modify, replace, or update itself using any method other than Google Play’s update mechanism. Likewise, an app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play. This restriction does not apply to code that runs in a virtual machine and has limited access to Android APIs (such as JavaScript in a webview or browser).
Upon noticing the malicious behavior, researchers reported the matter to Google. Following their report, Google contacted the developers to remedy the violation.
Now, it seems that the developers have updated their apps. The recent versions of both apps do not exhibit such malicious activity.
Earlier this year, Dr.Web reported a flaw in the UC browser that also made it vulnerable to MiTM attacks.
Let us know your thoughts in the comments.