‘Secret function’ in UC browser allows hackers to compromise Android devices
Doctor Web, a leading Russian anti-malware company, published in a report that the mobile device browser – ‘UC Browser’ – could be exploited by remote attackers to automatically download and launch new software components, bypassing Google Play servers.
For those unaware, UC Browser, which is developed by China-based Alibaba-owned UCWeb is one of the most widely used mobile device browsers in India and China and has more than 500 million users worldwide.
According to the report from Doctor Web firm, while UC Browser itself is not embedded with malicious software, it does feature a ‘secret function’ since at least 2016 that allows developers to download new libraries and modules from its servers and install them on users’ mobile devices at any time and without any authentication.
UC Browser downloads the plug-in via the insecure HTTP protocol, and not the encrypted HTTPS protocol, which allows remote attackers to perform Man-in-the-Middle (MiTM) attacks and load malicious modules into targeted devices.
“Since UC Browser works with unsigned plug-ins, it will launch malicious modules without any verification,” the researchers say.
“Thus, to perform a MITM attack, cybercriminals will only need to hook the server response from http://puds.ucweb.com/upgrade/index.xhtml?dataver=pb, replace the link to the downloadable plug-in and the values of attributes to be verified, i.e., MD5 of the archive, its size, and the plug-in size. As a result, the browser will access a malicious server to download and launch a Trojan module.”
The researchers demonstrated a PoC video that shows a potential victim downloading a PDF document via UC Browser and trying to view it. To open the file, the browser tries to download the corresponding plug-in from the command and control server. However, due to the MITM substitution, the browser downloads and launches a different library. This library then creates a text message that says, “PWNED!”.
“Thus, MITM attacks can help cybercriminals use UC Browser to spread malicious plug-ins that perform a wide variety of actions,” researchers explain.
“For example, they can display phishing messages to steal usernames, passwords, bank card details, and other personal data. Additionally, trojan modules will be able to access protected browser files and steal passwords stored in the program directory.”
This feature allows browser developers to download and execute arbitrary code on users’ devices without having to install a full new version of UC browser app. It also fails to comply with the Play Store policy, as it tries to bypass the Google servers.
“This violates Google’s rules for software distributed in its app store. The current policy states that applications downloaded from Google Play cannot change their own code or download any software components from third-party sources,” the researchers say.
“These rules were applied to prevent the distribution of modular trojans that download and launch malicious plugins.”
The researchers found this malicious feature has affected UC Browser as well as UC Browser Mini and all versions of UC Browser released to this date. Doctor Web specialists contacted the developer of both browsers, but they refused to comment on the matter. As a result, the malware analysts reported the issue to Google.
At the time of writing, the compromised applications, UC Browser, and UC Browser Mini are “still available and can download new components, bypassing Google Play servers,” researchers say.
Doctor Web analysts have suggested owners of Android devices to think whether they should continue using these programs or remove them and wait until they are updated to fix potential vulnerabilities.