Hundreds of millions of UC Browser Android Users exposed to MiTM attacks

Over 600 million UC Browser and UC Browser Mini Android users have been exposed to man-in-the-middle (MiTM) attacks.

More than 600 million users of the popular UC Browser and UC Browser Mini Android apps have been exposed to man-in-the-middle (MiTM) attacks by downloading an Android Package Kit (APK) from a third party server over unprotected channels.

The UC Browser is developed by UCWeb, a company owned by the Alibaba Group since 2014, and is the world’s fourth most popular mobile browser according to StatCounter.

Researchers at Zscaler were investigating an unusual activity when discovered some questionable connections to a specific domain, 9appsdownloading[.]com. The requests were being made by the UC Browser app.

Further investigation allowed the researchers to determine that the UC Browser app was attempting to download an additional Android Package Kit (APK) over an unsecured channel (HTTP over HTTPS). This practice violates the Google Play policy, and the use of an unsecured channel exposes the users to man-in-the-middle attacks. The use of unsecured channels could allow attackers to deliver and install an arbitrary payload on a target device to perform a broad range of malicious activities.

The analysis of the APK revealed that it was available on a third-party app store named 9Apps, with the package name.

Once installed on a device, the 9Apps app started scanning for installed applications and it allowed installing more apps from the third-party app store that were downloaded as APKs from the 9appsdownloading[.]com domain.

Researchers also pointed out that dropping an APK on external storage (/storage/emulated/0) could allow other apps, with appropriate permissions, to tamper with the APK.

Zscaler shared its findings to Google on August 13 and the discussion on the potential violation lasted until September 25.

On September 27 Google acknowledged the problems and reported them to UCWeb asking the development team to “update the apps and remediate the policy violation,” UCWeb addressed the issues in its apps.

“It is too early to determine exactly what the UC Browser developers intended with their third-party APK, but it is clear that they are putting users at risk. And with more than 500 million downloads of UC Browser, that is a significant threat.” concludes the analysis published by ZScaler.

“Because UC Browser downloads an unknown third-party app to devices over unsecured channels, those devices can become victim to man-in-the-middle (MiTM) attacks. Using MiTM, attackers can spy on the device and intercept or change its communications,”

In May, security researcher Arif Khan discovered a browser address bar spoofing flaw in UC Browser and UC Browser Mini apps for Android.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase