Millions of Android users beware: Alibaba's UC Browser can be used to deliver malware

Hit UC Browser gets updates over an unsecured HTTP connection.
Written by Liam Tung, Contributing Writer

UC Browser, a hugely popular mobile browser from Alibaba-owned UCWeb, has a design flaw that allows attackers to swap out downloads from the company's servers with files from any server on the internet, according to researchers at Russian security firm Dr Web. 

The company has raised an alarm over the mobile browser because it can download additional software libraries without going through Google's official Play Store servers. 

"This violates Google Inc's rules and poses a serious threat because it enables any code, including malicious ones, to be downloaded to Android devices," Dr Web researchers warn.

UC Browser has attracted a large user base in India. It has over 500 million downloads from the Play Store and is also available through third-party app stores.

Dr Web researchers note that for now UC Browser represents a "potential threat" but warn that all users could be exposed to malware due to its design. 

"If cybercriminals gain control of the browser's command-and-control server, they can use the built-in update feature to distribute any executable code, including malware. Besides, the browser can suffer from MITM (man-in-the-middle) attacks," the security company notes.


The MITM threat arises because UCWeb committed the security blunder of delivering updates to the browser over an unsecured HTTP connection. 

"To download new plug-ins, the browser sends a request to the command-and-control server and receives a link to a file in response. Since the program communicates with the server over an unsecured channel (the HTTP protocol instead of the encrypted HTTPS), cybercriminals can hook the requests from the application," explains Dr Web.

"They can replace the commands with ones containing different addresses. This makes the browser download new modules from a malicious server instead of its own command and control server. Since UC Browser works with unsigned plug-ins, it will launch malicious modules without any verification."
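The two checks whose absence Dr Web describes, an HTTPS-only link to a known host and a signature check on the module before it is loaded, are sketched below as an added example in Go; it is not UC Browser's or Dr Web's code. The host name, key pair, file name and function names are all hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"net/url"
)

// trustedHost is a hypothetical pinned update host (constructed for this example).
const trustedHost = "updates.example.com"

var (
	ErrInsecureScheme = errors.New("update link is not HTTPS")
	ErrUntrustedHost  = errors.New("update link does not point at the pinned host")
	ErrBadSignature   = errors.New("module signature does not verify")
)

// CheckUpdateURL rejects a download link unless it is HTTPS to the pinned host,
// so a rewritten server response cannot redirect the download elsewhere.
func CheckUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return ErrInsecureScheme
	}
	if u.Hostname() != trustedHost {
		return ErrUntrustedHost
	}
	return nil
}

// AcceptUpdate gates module loading on both the link check and a detached
// Ed25519 signature made with the vendor key whose public half ships in the app.
// ed25519.Verify panics on a wrong-size key, so the length is checked first.
func AcceptUpdate(pub ed25519.PublicKey, link string, module, sig []byte) error {
	if err := CheckUpdateURL(link); err != nil {
		return err
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, module, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	mod := []byte("constructed plug-in bytes")
	fmt.Println(AcceptUpdate(pub, "http://"+trustedHost+"/p.so", mod, ed25519.Sign(priv, mod)))
}
```

The signature check is the one that still holds if the update server itself is compromised, since the signing key does not need to live on that server.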

The company warns that UCWeb's UC Browser Mini app could also expose users to malicious updates but doesn't suffer from the same MITM issue. It's been downloaded 100 million times from the Play Store. 

According to Dr Web, developers from UCWeb ignored its researchers' notification about the security issue. The company also reported the vulnerability to Google. However, as of now the apps remain available on the Play Store. 

ZDNet will update this story if it receives a response from UCWeb or Google.

Dr Web has posted a video on how a man-in-the-middle attack on UC Browser might work. Source: Dr Web/YouTube
