- The browser downloaded an additional Android Package Kits (APKs) from a third party domain over an unsecured channel.
- The use of unprotected channels could allow attackers to install an arbitrary payload on a device and perform a variety of malicious activities.
The highly popular UC Browser and UC Browser Mini Android apps had exposed 500 million users to MITM attacks by violating Google Play Store policies.
It violated Google’s app store rules that said “Android apps distributed via Google Play may not modify, replace, or update itself using any method other than Google Play's update mechanism. Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play.”
What’s the matter?
While analyzing the app’s behavior, Zscaler ThreatLabZ researchers discovered the following issues:
- The browser downloaded an additional Android Package Kits (APKs) from a third party domain - 9appsdownloading[.]com - over an unsecured channel.
- Communication over an unsecured channel opened doors to man-in-the-middle attacks.
- The downloaded APKs were dropped on the user’s external storage and failed to install the same package in the device.
Researchers reported that the UC Browser failed to install the package on the device because the functionality was still under development or because the test device might have not met a hardcore condition like a "disabled unknown-sources option, or rooted device.”
What could be the impact?
The use of unprotected channels could allow attackers to install an arbitrary payload on a device and perform a variety of malicious activities. This includes displaying phishing messages designed to steal personal data including usernames, passwords, and credit card numbers.
How the issue has been addressed?
Zscaler reported the UC Browser’s policy violation issues to Google on August 13 following which the IT giant reached out to UCWeb. Google asked the UCWeb to ‘update the apps and remediate the policy violation.’
UCWeb subsequently updated and fixed the issue in both apps.