consider uninstalling it immediately.
Why? Because the China-made UC Browser contains a “questionable”
ability that could be exploited by remote attackers to
automatically download and execute code on your Android
devices.
Developed by Alibaba-owned UCWeb, UC Browser is one of the most
popular mobile browsers, specifically in China and India, with a
massive user base of more than 500 million users worldwide.
According to a new report published today by Dr. Web
firm, since at least 2016, UC Browser for Android has a “hidden”
feature that allows the company to anytime download new libraries
and modules from its servers and install them on users’ mobile
devices.
Pushing Malicious UC Browser Plug-ins Using MiTM Attack
What’s worrisome? It turns out that the reported feature
downloads new plugins from the company server over insecure HTTP
protocol instead of encrypted HTTPS protocol, thus allowing remote
attackers to perform man-in-the-middle (MiTM) attacks and push
malicious modules to targeted devices.
malicious modules without any verification,” the researchers say.
“Thus, to perform an MITM attack, cybercriminals will only need
to hook the server response from
http://puds.ucweb.com/upgrade/index.xhtml?dataver=pb, replace the
link to the downloadable plug-in and the values of attributes to be
verified, i.e., MD5 of the archive, its size, and the plug-in size.
As a result, the browser will access a malicious server to download
and launch a Trojan module.”
In a PoC video shared by Dr. Web, researchers demonstrated how they
were able to replace a plugin to view PDF documents with a
malicious code using an MiTM attack, forcing the UC Browser into
compiling a new text message, instead of opening the file.
“Thus, MITM attacks can help cybercriminals use UC Browser to
spread malicious plug-ins that perform a wide variety of actions,”
researchers explain.
“For example, they can display phishing messages to steal
usernames, passwords, bank card details, and other personal data.
Additionally, trojan modules will be able to access protected
browser files and steal passwords stored in the program
directory.”
UC Browser Violates Google Play Store Policies
Since the ability allows UCWeb to download and execute arbitrary
code on users’ devices without reinstalling a full new version of
UC Browser app, it also violates the Play Store policy by bypassing
Google servers.
“This violates Google’s rules for software distributed in its app
store. The current policy states that applications downloaded from
Google Play cannot change their own code or download any software
components from third-party sources,” the researchers say.
“These rules were applied to prevent the distribution of modular
trojans that download and launch malicious plugins.”
UC Browser Mini, with all version affected including the latest
version of the browsers released to this date.
Dr. Web responsibly reported their findings to the developer of
both UC Browser and UC Browser Mini, but they refused even to
provide a comment on the matter. It then reported the issue to
Google.
At the time of writing, UC Browser and UC Browser Mini are
“still available and can download new components, bypassing Google
Play servers,” researchers say.
Such a feature can be abused in supply chain attack scenarios
where company’s server get compromised, allowing attackers to push
malicious updates to a large number of users at once—just like we
recently saw in ASUS supply chain
attack[2] that compromised over 1
million computers.
So, users are left with just one choice to make… get rid of it
until the company patches the issue.
References
- ^
new report
(news.drweb.com) - ^
ASUS supply chain attack
(thehackernews.com)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/I8r1CLUbm5c/uc-browser-android-hacking.html