Pierluigi Paganini October 19, 2019

Over 600 million UC Browser and UC Browser Mini Android users have been exposed to man-in-the-middle (MiTM) attacks.

More than 600 million users of the popular UC Browser and UC Browser Mini Android apps have been exposed to man-in-the-middle (MiTM) attacks by downloading an Android Package Kit (APK) from a third party server over unprotected channels.

The UC Browser is developed by UCWeb, a company owned by the Alibaba Group since 2014, and is the world’s fourth most popular mobile browser according to StatCounter.

Researchers at Zscaler were investigating an unusual activity when discovered some questionable connections to a specific domain, 9appsdownloading.. The requests were being made by the popular Browser app. 

Further investigation allowed the researchers to determine that the UC Browser app was attempting to download an additional Android Package Kit (APK) over an unsecured channel (HTTP over HTTPS). This practice violates the Google Play policy, and the use of an unsecured channel exposes the users to man-in-the-middle attacks. The use of unsecured channels could allow attackers to deliver and install an arbitrary payload on a target device to perform a broad range of malicious activities.

The analysis of the APK revealed that it was available on a third-party app store named 9Apps, with the com.mobile.indiapp package name.

Once installed on a device, the 9Apps app started scanning for installed applications and it allowed installing more apps from the third-party app store that were downloaded as APKs from the 9appsdownloading[.]com domain.

Researchers also pointed out that dropping an APK on external storage (/storage/emulated/0) could allow other apps, with appropriate permissions, to tamper with the APK.

Zscaler shared its findings to Google on August 13 and the discussion on the potential violation lasted until September 25.

On September 27 Google acknowledged the problems and reported them to UCWeb asking the development team to “update the apps and remediate the policy violation,” UCWeb addressed the issues in its apps.

“It is too early to determine exactly what the Browser developers intended with their third-party APK, but it is clear that they are putting users at risk. And with more than 500 million downloads of UC Browser, that is a significant threat.” concludes the analysis published by ZScaler.

“Because UC Browser downloads an unknown third-party app to devices over unsecured channels, those devices can become victim to man-in-the-middle (MiTM) attacks. Using MiTM, attackers can spy on the device and intercept or change its communications,”

In May, security researcher Arif Khan discovered a browser address bar spoofing flaw in the popular browser apps for Android.

Pierluigi Paganini

(SecurityAffairs – Android, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]