Security researchers have discovered a hidden feature in UC Browser that allows attackers to download and execute code on any Android device. The feature exposes millions of users to man-in-the-middle attacks.
UC Browser is one of the most popular browsers on the Android platform, with more than 500 million users worldwide.
According to the security firm Doctor Web, a hidden feature in UC Browser allows it to download auxiliary software modules, bypassing Google Play servers.
“Doctor Web malware analysts have detected a hidden ability within the popular UC Browser to download and run questionable code on mobile devices. The application is capable of downloading auxiliary software modules, bypassing Google Play servers.”
Attackers can download new modules and libraries from the browser's servers and execute them on any Android device.
Researchers tested this by downloading an executable Linux library (not malicious) from a remote server. After the download, the library was saved to the browser's directory and launched for execution.
The application was able to receive and execute code, bypassing Google Play servers.
This violates Google's rules for software distributed in its app store, which prohibit an app from changing its own code or downloading software components from third-party sources.
This hidden feature can also be leveraged by attackers to perform man-in-the-middle (MITM) attacks on users' devices.
To download new plug-ins, UC Browser sends a request to the C&C server and receives a link in response.
Here the browser communicates with the server over unencrypted HTTP instead of HTTPS.
Attackers can use this to replace the commands with ones containing different addresses and make the browser download new modules from a malicious server instead of its own.
“Since UC Browser works with unsigned plug-ins, it will launch malicious modules without any verification.”
“Thus, MITM attacks can help cybercriminals use UC Browser to spread malicious plug-ins that perform a wide variety of actions. For example, they can display phishing messages to steal usernames, passwords, bank card details, and other personal data. Additionally, trojan modules will be able to access protected browser files and steal passwords stored in the program directory.” the researchers said in the published post.
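The two weaknesses described above (a plaintext HTTP command channel that hands out a download link, and modules that are run without any verification) are easiest to see side by side. The following is an added example written for this article, not UC Browser's code and not Doctor Web's proof of concept: it simulates the update flow in a tiny in-memory "network", shows a naive loader accepting whatever the rewritten link points at, and shows a hardened loader that requires HTTPS, allowlists the vendor host and checks the module against hashes pinned in the app before running it. All hostnames, module bytes and the manifest are constructed; the hash pinning stands in for the code-signature check a real updater should perform.

```python
"""Simulated plug-in update flow: naive loader vs. hardened loader.

Everything here is constructed for illustration (hostnames, module bytes,
the pinned hash list and the 'network'); only the pattern matches the
article: ask a server where the module is, download it, run it.
"""
import hashlib
import json
from urllib.parse import urlparse

VENDOR = "https://updates.vendor.example"           # constructed vendor host
ALLOWED_HOSTS = {"updates.vendor.example"}           # hosts the app may fetch modules from

LEGIT_MODULE = b"\x7fELF-legit-plugin-bytes"         # constructed stand-in for a real module
EVIL_MODULE = b"\x7fELF-attacker-plugin-bytes"       # constructed stand-in for a swapped module

# Hashes shipped inside the app; a real updater would verify a vendor signature instead.
PINNED_SHA256 = {hashlib.sha256(LEGIT_MODULE).hexdigest()}

# Constructed "network": URL -> response body.
NETWORK = {
    "http://cc.vendor.example/modules": json.dumps({"url": VENDOR + "/plugin.so"}).encode(),
    "https://cc.vendor.example/modules": json.dumps({"url": VENDOR + "/plugin.so"}).encode(),
    VENDOR + "/plugin.so": LEGIT_MODULE,
    "http://attacker.example/plugin.so": EVIL_MODULE,
}


def fetch(url, mitm=False):
    """Return the body for url. With mitm=True an on-path attacker rewrites any
    plaintext-HTTP response that carries a download link (constructed behaviour);
    HTTPS responses are left alone, which is the point of using them."""
    body = NETWORK[url]
    if mitm and urlparse(url).scheme == "http":
        try:
            msg = json.loads(body)
        except ValueError:           # binary module bodies are not JSON; pass through
            return body
        if isinstance(msg, dict) and "url" in msg:
            msg["url"] = "http://attacker.example/plugin.so"
            body = json.dumps(msg).encode()
    return body


def naive_loader(mitm=False):
    """The pattern the article describes: plaintext command channel, no checks."""
    link = json.loads(fetch("http://cc.vendor.example/modules", mitm))["url"]
    module = fetch(link, mitm)
    return "executed:" + ("legit" if module == LEGIT_MODULE else "attacker")


def check_link(link):
    """Reject a download location unless it is HTTPS on an allowlisted vendor host."""
    u = urlparse(link)
    if u.scheme != "https":
        return "reject: plaintext transport"
    if u.hostname not in ALLOWED_HOSTS:
        return "reject: host not in allowlist"
    return "ok"


def check_module(blob):
    """Reject a module whose SHA-256 is not pinned in the app."""
    if hashlib.sha256(blob).hexdigest() not in PINNED_SHA256:
        return "reject: unknown module hash"
    return "ok"


def hardened_loader(command_url="https://cc.vendor.example/modules", mitm=False):
    """Same flow with the checks a defender wants: every hop is verified
    before the module is run, so a rewritten link or a swapped file is refused."""
    link = json.loads(fetch(command_url, mitm))["url"]
    verdict = check_link(link)
    if verdict != "ok":
        return verdict
    blob = fetch(link, mitm)
    verdict = check_module(blob)
    if verdict != "ok":
        return verdict
    return "executed:legit"


if __name__ == "__main__":
    print("naive, clean network   :", naive_loader())
    print("naive, MITM            :", naive_loader(mitm=True))
    print("hardened, MITM         :", hardened_loader(mitm=True))
    print("hardened, HTTP C&C+MITM:", hardened_loader("http://cc.vendor.example/modules", mitm=True))
```

The hardened loader refuses the rewritten link before any bytes are fetched, and even if a link check were bypassed the hash (in practice, signature) check refuses to run a module the vendor never published; the naive loader runs whatever the attacker's server returns.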
This critical issue affects both UC Browser and UC Browser Mini.
The researchers said they have notified both Google and the UC Browser team about the issue. As of now, both browsers are still available for download.
Users are advised to uninstall the browsers until the issue is fixed. The researchers also published a PoC video demonstrating the man-in-the-middle attack, which can be seen below: