500 million users exposed to MITM attacks; don’t use UC browser

Although many people ignore it, Google states that Android apps available on the Play Store cannot be updated or modified from third-party sources, although web application security experts say it is possible to bypass this security measure.

A security report mentions that the developers of the popular UC browser has violated this security policy, which has caused its more than 500k users to be exposed to Man-inThe-Middle (MiTM) attacks, due to the download of a third-party APK using an unsecured channel. As mentioned in previous occasions, a MiTM attack occurs when a hacker infiltrates communications between two parties with malicious motivations.

The report, prepared by web application security researchers from ThreatLabZ, mentions that the UC browser has been sending users a request to download an additional Android Package Kit (APK) from an external domain to Play Store (9appsdownloading<.>com). UC Browser Mini, another of the company’s developments, which also has more than 100 million downloads, has also been sending these requests.

Experts claim that the company did download these additional APKs to the victims’ external storage units, although it failed in its attempt to install the package on the device, probably because this APK is still in development. The function to prevent the installation of software from unknown sources on Android might also influence this behavior.

However, even if the APK is not installed successfully, web application security experts claim that Android device users are still at risk, as downloading this APK is done via an unsecured channel.

This is not the first time UC Browser has exposed the security of users of this operating system. A few months ago, web application security experts from the International Institute of Cyber Security (IICS) reported the presence of similar activity linked to the UC browser, which downloaded an executable Linux library from a server controlled by an unknown company.

On that occasion, the experts tried to contact the developer company, but the developer refused to issue statements. Although Google was also alerted about this practice, apps never ceased to be available on the Play Store.  Despite these security drawbacks, UC Browser remains one of the leading companies in mobile browsers.