If you’re one of the millions of people using Alibaba’s UC Browser, you might want to stop for the time being. Researchers with Dr. Web Anti-Virus have discovered that UC Browser is capable of bypassing Google Play’s servers to download additional software modules and libraries, potentially allowing malicious code to be downloaded. The worry isn’t necessarily that the Alibaba-owned UCWeb will load malware onto user devices, but the way it secures its command server leaves the door open for others to do just that.
There are a number of problems with the way UC Browser receives these additional libraries. For starters, bypassing Google’s servers and verification process is obviously a violation of Google Play’s rules, which prohibit apps hosted on the service from downloading new components from sources other than the Play Store. Dr. Web points out that UC Browser has been using this method of software delivery since 2016, which is particularly worrisome when you learn that the command and control server UC Browser uses pushes software over HTTP.
This is where the real trouble comes in: since UC Browser is downloading software over the unencrypted HTTP instead of the more secure HTTPS, that opens the potential for man-in-the-middle attacks. It’s possible that hackers can intercept those requests for software from UC Browser and use it to push malware to the app, leaving users at risk of falling victim to phishing scams or worse.
UC Browser will run whatever it winds up downloading too, since it doesn’t verify new plug-ins and will run them even if they’re unsigned. With 500 million downloads, this vulnerability is definitely putting a lot of people at risk. Dr. Web notes in its report that UC Browser Mini – an alternative to the standard UC Browser which has more than 100 million downloads – is also susceptible to the same kind of attacks.
Dr. Web says that it has reported these vulnerabilities to both the app author and Google, but at the time it published its report (and, indeed, at the time of this writing) both apps were still available on the Google Play Store. While we wait for Alibaba to respond to this report, it’s probably a good idea to uninstall UC Browser, lest you put yourself at risk for those man-in-the-middle attacks detailed above.