Alibaba's Popular UC Browser For Android Can Be Exploited To Distribute Malware

UC Browser
Remember when malware on mobile devices was not really a thing? Neither do we, not anymore. Hackers and cyber miscreants go where the numbers are, and there are a lot of people who own a mobile device these days. As it relates to that, a security firm has discovered a serious vulnerability in a hugely popular Android app.

Called UC Browser, the app has been downloaded by more than 500 million Google Play users. It currently sits at a fractionally better than 4-star rating (out of 5 stars) out of around 19.5 million user reviews. In case you have never heard of it, UC Browser is a free web browser for Android devices that allows users to search, download, share videos, and so forth.

Developed by Alibaba-owned UCWeb, the browser has a hidden ability to download and run "questionable code" on Android phones and tablets, according to security researchers at Doctor Web.

"For example, during our analysis, UC Browser downloaded an executable Linux library from a remote server. The library was not malicious; it is designed to work with MS Office documents and PDF files. Initially, this library was not in the browser. After downloading, the program saved the library to its directory and launched it for execution. Thus, the application is actually able to receive and execute code, bypassing the Google Play servers," Doctor Web said.

While that particular example is benign, the functionality could just as easily be used to distribute malware. That is a scary proposition for an app that has been downloaded by half a billion Android users. The ability to do so also runs afoul of Google's rules for distributing software in its app store.

"The current policy states that applications downloaded from Google Play cannot change their own code or download any software components from third-party sources. These rules were applied to prevent the distribution of modular Trojans that download and launch malicious plug-ins," Doctor Web added.

This vulnerability has been present in UC Browser since at least 2016. On the bright side, there are no known instances of it being leveraged to distribute malware. However, the potential is certainly there, and could be used to perform man-in-the-middle (MITM) attacks. Doctor Web demonstrated this in a proof-of-concept posted to YouTube. Here's a look...

This same vulnerability exists in UC Browser Mini, a smaller version of UC Browser. While not quite as popular, UC Browser Mini has notched over 100 million downloads.

Doctor Web says the developers of UC Browser and UC Browser Mini have been unresponsive to its notification of the security issue. The security outfit also reported the apps to Google, but as of this writing, they remain available in Google Play.