Skip to main content

WARNING — 500 Million+ UC Browser Android Users are Vulnerable to Man-in-the-Middle Attacks

WARNING — 500 Million+ UC Browser Android Users are Vulnerable to Man-in-the-Middle Attacks
Researchers discovered various unusual activities and vulnerabilities in UC Browser for the Android platform and it also violating the Google Play policies and exposing more than 500 million users to Man-in-the-Middle (MitM) attacks.

UC Browser is the most popular browser in the Android platform with more than 500 million downloads from the Google Play Store. And UC Browser Mini also has 100 million+ downloads from the Google Play Store alone.

So, More than 600 million users of the popular UC Browser and UC Browser Mini Android apps have been vulnerable to Man-in-the-Middle (MitM) attacks.

Recent research from Zscaler reveals that the UC Browser and UC Browser Mini apps unusually made a request over an unsecured channel (HTTP over HTTPS) to download an additional Android Package Kit (APK) from the third-party source onto the Android user's devices.

The researchers noticed that the UC Browser and UC Browser Mini app were sending requests to download an additional APK (Android Package Kit) from a particular domain named 9appsdownloading.com.

According to the researchers, both browsers downloaded the additional APKs but did not install them on the Android user's device. it is possible that this functionality is still under development or another reason for the additional APKs not installing could be the Android settings that prevent apps from unknown sources from installing.

It is important to note that even if the APK is not installed on a device, the UC Browser and UC Browser Mini users are still vulnerable to Man-in-the-Middle (MitM) attacks because the APK (Android Package Kit) file was downloaded from an unsecured channel.

There are 3 main unusual activities found from UC Browser and UC Browser Mini app in this research :
1. Downloading an additional APK (Android Package Kit) from a third party – in violation of Google Play policy
2. Communication over an unsecured channel (HTTP over HTTPS) – opening doors to Man-in-the-Middle (MitM) attacks.
3. Dropping an APK (Android Package Kit) on external storage (/storage/emulated/0) – allowing other apps, with appropriate permissions, to modification with the APK
So, It is important to note that these problems have the ability to affect millions of Android users because the UC Browser app has been downloaded 500 million+ times and the UC Browser Mini app has been downloaded 100 million+ times.
WARNING — 500 Million+ UC Browser Android Users are Vulnerable to Man-in-the-Middle Attacks

1. Downloading an additional APK

After completing the installation process, researchers noticed that the UC Browser and UC Browser Mini app sending multiple requests with redirections and finally drop an additional APK on the Android user's device. The additional APK dropped into external storage of the device but there is no sign of installation process of that additional APK.
WARNING — 500 Million+ UC Browser Android Users are Vulnerable to Man-in-the-Middle Attacks

According to Google Play policy, Apps should not download additional APK from any third-party source.

So, This functionality of dropping additional APK from a third-party source clearly violates Google Play's policy, which includes the following :

"An app distributed via Google Play may not replace, modify or update itself using any method other than Google Play's update mechanism. Likewise, an app may not download executable code files (e.g. JAR, dex, .so) from a source other than Google Play."

2. Communication over an Unsecured channel

UC Browser and UC Browser Mini app downloaded the additional APK from completely unsecured communication channel (HTTP over HTTPS) that open door for Man-in-the-Middle (MitM) attacks.

3. Dropping an APK on external storage

An additional APK file that is being downloaded by UC Browser and UC Browser Mini app from third-party source is stored on external storage which is readable by default.

An APK being placed on external storage, any other app with storage permission can have access to this location and can modify the downloaded APK.

Analysis of the Dropped APK

Since there wasn't any installation behavior, the researcher manually tried to install the downloaded APK file and found that the downloaded APK was a third-party app store named "9 Apps" with the package name com.mobile.indiapp.
WARNING — 500 Million+ UC Browser Android Users are Vulnerable to Man-in-the-Middle Attacks

Once installed on a device, the 9Apps app started scanning for installed applications on the user's device and it allowed installing more apps from its built-in app store. Further analysis also revealed that a third-party app store named 9Apps also distributing several adult apps and it downloaded from a domain named 9appsdownloading.com.

This functionality of the UC Browser and UC Browser Mini app violates the Google Play policy and makes it possible for any malicious app to gain entry into a user's device. So, it is clear that they are putting more than 600 million users at risk.

After Google's intervention, the latest version of both the apps, UC Browser and UC Browser Mini has stopped downloading additional APK from a third-party source. So, UC Browser and UC Browser Mini users are advised to update the latest version.

I hope you find useful information in this article. If you have any questions related to UC Browser's vulnerability then please mention in the comments section and I will get back to you and stay tuned with my blog to learn interesting things related to cybersecurity and hacking.
Labels:

Comments

Post a Comment

Popular posts from this blog

How To Check If a Link Is Safe To Click

Many times, we share links among our friends on social media platforms like WhatsApp, Facebook, Instagram or Twitter. But do we know how safe they are? What can happen if you click on any malicious link? We never think of the following things : Links can drop various harmful programs, viruses on your device Links can steal your personal data by dropping spyware or keyloggers Use your browser for crypto mining which will affect your device's performance Even if your device is secured with antivirus, not all of them warn you before clicking such malicious links . And the moment you click on these, they will become big trouble for you. This can sometimes even be dangerous with regard to data security and identity theft. So, Be careful about what you click on. These days one of the quickest growing security issues is ransomware , which is often spread by the user unintentionally clicking dangerous links in emails, social media platforms, messengers, and other tool
145 comments
Read more

How To Enable WhatsApp Fingerprint Lock Feature on Android

WhatsApp has officially rolled out the fingerprint lock feature for all the Android users. Most of you may already have been doing it for the last few years with the help of third-party app lockers for adding more security. Keeping that in mind and to make the process quicker and safer at the same time, WhatsApp has now launched this new fingerprint lock feature so that you can open the app by your fingerprint. It means that regardless of whether the phone is opened, others won't have the option to gain access to the messages without your fingerprint. So, you can now secure your WhatsApp conversations with an extra layer of biometric security . With this step, WhatsApp is finally offering biometric authentication to the Android app, while iPhone users enjoying both the Touch ID that is the fingerprint recognition and Face ID that is the facial recognition since the month of February 2019. WhatsApp is also giving more options with the new fingerprint lock featur
50 comments
Read more

TikTok Secretly Sent Users Private Data & PII Number to Chinese Server Including Draft Videos

The popular Android and iOS short-videos creating app, TikTok hit with a lawsuit claims that the app illegally and secretly transfers app's users' private sensitive data and Personally Identifiable Information (PII) to Chinese servers. TikTok which is a 15-second short-video creating app especially popular among the younger generation and also downloaded over 1.3 Billion times worldwide . TikTok remains top in the most downloaded app list for months on the Apple App Store and Google Play Store.  According to the lawsuit, Tiktok shared the user's created videos which include private acts and closeups of user's faces (biometric data) before the videos are saved on the app. TikTok provides many options includes the next button, close button, and button for effects to its users while recording the video. Here, the next button takes users to the screen that shows these two options : "post" and "save".  After clicking on the "next" button, Tik
76 comments
Read more