The browser has more than 500 million downloads in the Store

Mar 27, 2019 10:34 GMT  ·  By

UC Browser, one of the most popular mobile browsers right now with more than 500 million downloads in the Google Play Store, reportedly violates the Store's developer guidelines with a built-in mechanism that downloads and installs additional modules from a source other than Google Play.

Specifically, the browser uses this feature to download and install extra components from the parent company's own server. No malicious use has been detected so far, but the mechanism could be abused by an attacker who can interfere with those downloads to run code of their choosing on an Android device.

Security vendor Dr. Web conducted an analysis of this feature and discovered that UC Browser connects to a remote server, downloads new modules, and then runs them on the Android host.

“Thus, the application is actually able to receive and execute code, bypassing the Google Play servers,” the company warns.

A violation of Google Play store rules

Google specifically forbids app developers from using any other update mechanism than the Google Play Store, and in the “Privacy, Security, and Deception” section of its guidelines, it explains the following:

“An app distributed via Google Play may not modify, replace, or update itself using any method other than Google Play's update mechanism. Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play.”

UC Browser does both things, as it uses its own update system and, at the same time, downloads code that is then launched on the target device.

The security vendor says the updating feature has been there since at least 2016, and there is no evidence that it has been abused to distribute malicious content. However, because of the way the updates are fetched, the channel is exposed to man-in-the-middle (MITM) attacks, and a video demonstration (embedded below) shows how such an attack would work.

“To download new plug-ins, the browser sends a request to the command and control server and receives a link to a file in response,” Dr. Web explains.

“Since the program communicates with the server over an unsecured channel (the HTTP protocol instead of the encrypted HTTPS), cybercriminals can hook the requests from the application. They can replace the commands with ones containing different addresses. This makes the browser download new modules from a malicious server instead of its own command and control server. Since UC Browser works with unsigned plug-ins, it will launch malicious modules without any verification.”
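The attack Dr. Web describes, and the two checks that would stop it, simulated as an added example that is not code from the article, from Dr. Web, or from UC Browser. Everything here is constructed: the host names, the in-memory "network" table standing in for HTTP GETs, the module bytes, and the signing key. The real fix is a publisher public key embedded in the app with the private key kept offline; an HMAC with a constructed secret stands in for that signature only so the example runs without extra libraries.

```python
"""Plaintext HTTP + unsigned plug-ins versus a hardened update channel.
Constructed simulation; not the browser's actual protocol or code."""
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import urlparse

# Constructed stand-in for the vendor's code-signing key. In a real app
# only the public half would ship in the APK (assumption for this demo).
SIGNING_KEY = b"constructed-example-key"
TRUSTED_HOSTS = {"updates.example.com"}  # assumption: vendor update host

# Constructed "network": URL -> bytes an HTTP GET would return.
LEGIT_MODULE = b"legit plug-in dex"
EVIL_MODULE = b"attacker plug-in dex"
NETWORK = {
    "http://updates.example.com/plugins/pdf.dex": LEGIT_MODULE,
    "https://updates.example.com/plugins/pdf.dex": LEGIT_MODULE,
    "http://evil.example.net/pdf.dex": EVIL_MODULE,
    "https://evil.example.net/pdf.dex": EVIL_MODULE,
}


def sign(data: bytes) -> str:
    """Publisher signature over the module bytes (HMAC stand-in)."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def fetch(url: str) -> bytes:
    """Stand-in for an HTTP GET against the constructed network table."""
    return NETWORK[url]


def vendor_response(url: str) -> str:
    """The C2 reply as the vendor's server would send it: link + signature."""
    return json.dumps({"url": url, "sig": sign(NETWORK[url])})


def mitm_rewrite(response: str, attacker_url: str) -> str:
    """On-path attacker rewriting a plaintext C2 reply: swap the link and
    put whatever they like in the signature field (they lack the key)."""
    msg = json.loads(response)
    msg["url"] = attacker_url
    msg["sig"] = "0" * 64
    return json.dumps(msg)


def insecure_client(response: str) -> bytes:
    """Trusts the link in the reply and returns whatever it downloads,
    which an app like the one described would then load and execute."""
    url = json.loads(response)["url"]
    return fetch(url)


def hardened_client(response: str) -> Optional[bytes]:
    """Refuses plaintext or untrusted hosts, then verifies the module's
    signature before returning it. Returns None to signal 'do not load'."""
    msg = json.loads(response)
    parsed = urlparse(msg.get("url", ""))
    if parsed.scheme != "https" or parsed.hostname not in TRUSTED_HOSTS:
        return None
    module = fetch(msg["url"])
    if not hmac.compare_digest(sign(module), msg.get("sig", "")):
        return None
    return module


def run_scenarios() -> dict:
    """Both clients against an untampered reply and a MITM-rewritten one."""
    plain = vendor_response("http://updates.example.com/plugins/pdf.dex")
    plain_tampered = mitm_rewrite(plain, "http://evil.example.net/pdf.dex")
    tls = vendor_response("https://updates.example.com/plugins/pdf.dex")
    tls_tampered = mitm_rewrite(tls, "https://evil.example.net/pdf.dex")
    return {
        "insecure_untampered": insecure_client(plain),
        "insecure_tampered": insecure_client(plain_tampered),   # runs attacker code
        "hardened_plain_http": hardened_client(plain),          # refuses plaintext
        "hardened_legit": hardened_client(tls),
        "hardened_tampered": hardened_client(tls_tampered),     # rejected
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22} -> {result!r}")
```

The hardened client fails closed on three independent conditions: the scheme must be HTTPS, the host must be on an allowlist baked into the app, and the downloaded bytes must verify against a signature the attacker cannot forge. Any one of those would have blocked the link-rewriting attack; the signature check is the one that still holds if the transport is ever downgraded or the vendor's server itself is compromised.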

UC Browser Mini, which has more than 100 million downloads in the Google Play Store, has a similar auto-update mechanism, but a MITM attack isn’t possible in this case, the company says.