March 26, 2019

Doctor Web malware analysts have detected a hidden ability within the popular UC Browser to download and run questionable code on mobile devices. The application is capable of downloading auxiliary software modules, bypassing Google Play servers. This violates Google Inc.’s rules and poses a serious threat because it enables any code, including malicious ones, to be downloaded to Android devices.

As of now, UC Browser has been downloaded by over 500,000,000 Google Play users. Anyone who has installed this software may be in danger. Doctor Web has detected its hidden ability to download auxiliary components from the Internet. The browser receives commands from the command and control server and downloads new libraries and modules, which add new features and can be used to update the software.

For example, during our analysis, UC Browser downloaded an executable Linux library from a remote server. The library was not malicious; it is designed to work with MS Office documents and PDF files. Initially, this library was not in the browser. After downloading, the program saved the library to its directory and launched it for execution. Thus, the application is actually able to receive and execute code, bypassing the Google Play servers. This violates Google’s rules for software distributed in its app store. The current policy states that applications downloaded from Google Play cannot change their own code or download any software components from third-party sources. These rules were applied to prevent the distribution of modular trojans that download and launch malicious plug-ins. Such trojans include Android.RemoteCode.127.origin and Android.RemoteCode.152.origin reported by our company in January and April 2018.

A potentially dangerous updating feature has been present in the UC Browser since at least 2016. Although the application has not been seen distributing trojans or unwanted software, its ability to load and launch new and unverified modules poses a potential threat. It’s impossible to be sure that cybercriminals will never get ahold of the browser developer’s servers or use the update feature to infect hundreds of millions of Android devices.

The vulnerable feature of UC Browser can be used to perform man-in-the-middle attacks (MITM). To download new plug-ins, the browser sends a request to the command and control server and receives a link to file in response. Since the program communicates with the server over an unsecured channel (the HTTP protocol instead of the encrypted HTTPS), cybercriminals can hook the requests from the application. They can replace the commands with ones containing different addresses. This makes the browser download new modules from malicious server instead of its own command and control server. Since UC Browser works with unsigned plug-ins, it will launch malicious modules without any verification.

See below an example of such an attack, modeled by our virus analysts. The video shows a potential victim who downloads a PDF document via UC Browser and tries to view it. To open the file, the browser tries to download the corresponding plug-in from the command and control server. However, due to the MITM substitution, the browser downloads and launches a different library. This library then creates a text message that says, “PWNED!”.

Thus, MITM attacks can help cybercriminals use UC Browser to spread malicious plug-ins that perform a wide variety of actions. For example, they can display phishing messages to steal usernames, passwords, bank card details, and other personal data. Additionally, trojan modules will be able to access protected browser files and steal passwords stored in the program directory.

Read more about this vulnerability here.

The browser’s “younger brother”, the UC Browser Mini application, can also download untested components, bypassing Google Play servers. It has been equipped with this feature since at least December 2017. So far, over 100,000,000 Google Play users have downloaded the program, putting them all at risk. However, the above MITM attack will not work with UC Browser Mini, unlike UC Browser.

Upon detecting a dangerous feature in UC Browser and UC Browser Mini, Doctor Web specialists contacted the developer of both browsers, but they refused to comment on the matter. So our malware analysts then reported the case to Google, but as of the publication date of this article, both browsers are still available and can download new components, bypassing Google Play servers. Owners of Android devices should independently decide whether to continue using these programs or remove them and wait until they are updated to fix potential vulnerabilities.

Meanwhile, Doctor Web continues monitoring the situation.