The extremely popular UC Browser and UC Browser Mini Android applications with a total of over 600 million installs expose their users to MiTM attacks by downloading and installing extra modules from their own servers using unprotected channels and bypassing Google Play's servers altogether.
According to a Google support document regarding Google Play "Privacy, Security, and Deception", Android apps "distributed via Google Play may not modify, replace, or update itself using any method other than Google Play's update mechanism. Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play."
"Anyone who has installed this software may be in danger. Doctor Web has detected its hidden ability to download auxiliary components from the Internet," as detailed in Doctor Web's analysis. "The browser receives commands from the command and control server and downloads new libraries and modules, which add new features and can be used to update the software."
Exposes users to MitM attacks
While UC Browser and UC Browser Mini have not yet been seen downloading and installing malicious code on the devices where they are installed, the fact that they can download and install extra modules from their own servers exposes users to potential risks.
As Doctor Web's research team explains in the report, "It’s impossible to be sure that cybercriminals will never get ahold of the browser developer’s servers or use the update feature to infect hundreds of millions of Android devices."
This unofficial update feature in UC Browser can also be abused by would-be attackers to perform man-in-the-middle (MitM) attacks, potentially leading to remote code execution on compromised devices, because the app communicates with its servers over an unencrypted HTTP channel.
"Commands to download new plug-ins are sent encrypted from the command and control server. However, UC Browser communicates with a remote host via an unprotected HTTP channel. More info: https://t.co/GfhUDToFbC pic.twitter.com/Rq4yZZk0L0" — I. Zhilyakov (@m0br3v), March 26, 2019
Attackers able to inject their own content into the messages exchanged between the app and its update servers could steer UC Browser into downloading malicious modules from servers they control.
Those modules would then be launched on the devices where the app is installed, because the app performs no integrity check on the modules it installs, presumably because the development team considers every extra module safe on the assumption that it can only come from the company's own servers.
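As an added illustration (not code from the article, Doctor Web or UC Browser), the Go program below contrasts a loader that accepts whatever arrives with one that pins a vendor public key and checks a detached Ed25519 signature before loading; the module layout, the all-zero key seed and the payload strings are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Module is a plug-in as received from the update server (layout constructed for this example).
type Module struct {
	Name      string
	Payload   []byte // executable component: dex, .so or extension bytes
	Signature []byte // detached Ed25519 signature over Digest()
}
// Digest binds name and payload so a signed payload cannot be presented under another name.
func (m Module) Digest() []byte {
	h := sha256.New()
	h.Write([]byte(m.Name))
	h.Write([]byte{0}) // separator
	h.Write(m.Payload)
	return h.Sum(nil)
}
// LoadUnverified is the pattern the article describes: whatever arrives over plain HTTP is loaded.
func LoadUnverified(m Module) ([]byte, error) { return m.Payload, nil }
// LoadVerified loads a module only if its signature checks against a key pinned in the app;
// bytes rewritten in transit fail here, whether or not the transport was encrypted.
func LoadVerified(pinned ed25519.PublicKey, m Module) ([]byte, error) {
	if !ed25519.Verify(pinned, m.Digest(), m.Signature) {
		return nil, errors.New("module signature invalid: refusing to load")
	}
	return m.Payload, nil
}
// Sign is the vendor-side step; the private key stays with the build system, never in the app.
func Sign(priv ed25519.PrivateKey, m Module) Module {
	m.Signature = ed25519.Sign(priv, m.Digest())
	return m
}
func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero demo seed, not a real key
	pub := priv.Public().(ed25519.PublicKey)
	genuine := Sign(priv, Module{Name: "libpicsel", Payload: []byte("genuine pdf module")})
	tampered := genuine
	tampered.Payload = []byte("PWNED!") // payload substituted in transit, as in the demo video
	_, errA := LoadUnverified(tampered)
	_, errB := LoadVerified(pub, tampered)
	fmt.Println("unverified:", errA, "| verified:", errB)
}
```

Signing on top of transport encryption matters because the check still holds if the update host itself is compromised, which is the scenario Doctor Web raises.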
Doctor Web's security researchers also created a MiTM attack demo video (embedded below) in which a potential victim tries to open a PDF document in UC Browser and is prompted to download a plug-in module from the app's update servers to do so.
The researchers intercept the message sent to the update server and replace the module with a specially crafted one designed to display a "PWNED!" message on the victim's device.
Doctor Web's researchers also note that the UC Browser Mini application, which ships with the same update mechanism that circumvents the official Play Store update channel to download extra app modules, is not affected by the MiTM vulnerability.
As Doctor Web's I. Zhilyakov told BleepingComputer, "This MiTM attack doesn't work against the UC Browser Mini app because it doesn't use the libpicsel library designed to work with MS Office documents and PDF files. However, it can also download and execute untested components, bypassing Google Play servers."
UC Browser for desktop also vulnerable
According to BleepingComputer's own findings after testing the update module in the desktop UC Browser app, it is also vulnerable to MiTM attacks, which could allow bad actors to push malicious extensions onto users' computers.
UC Browser for desktop likewise asks users to download extra modules for viewing PDF documents, and it fetches them as Chrome extensions from the app's own update servers located in China over an insecure HTTP connection, as shown in the screenshot below.
The research team contacted Google and UCWeb Inc. (also known as UC Mobile), the company behind the two apps, to disclose the vulnerabilities discovered in the UC Browser and UC Browser Mini apps:
Upon detecting a dangerous feature in UC Browser and UC Browser Mini, Doctor Web specialists contacted the developer of both browsers, but they refused to comment on the matter. So our malware analysts then reported the case to Google, but as of the publication date of this article, both browsers are still available and can download new components, bypassing Google Play servers.
BleepingComputer also reached out to UCWeb Inc. and Google for comments but had not heard back at the time of this publication. This article will be updated when responses are received.
Update March 27 10:28 EDT: Added Doctor Web's I. Zhilyakov explanation on why the MiTM attack does not impact the UC Browser Mini app.