500M+ Android users exposed to vulnerability in Alibaba’s UC Browser


This article originally appeared in SiliconANGLE on March 27, 2019.

UC Browser, a web browser offered on the Google Play Store with more than 500 million downloads, has been found to contain a vulnerability that could allow hackers to insert malicious files on a user’s device.

Discovered by researchers at antivirus firm Doctor Web Ltd. and revealed Tuesday, the vulnerability relates to how the browser downloads updates. Instead of downloading updates via Google Play, the browser fetches them over a direct, unencrypted HTTP connection, introducing the risk of a man-in-the-middle attack. A so-called MitM attack occurs when a third party intercepts data between two points, stealing that data or inserting its own code.

UC Browser, designed by UCWeb Inc., a fully owned division of Chinese e-commerce giant Alibaba Group Holding Co. Ltd., downloads updates via an unsecured web connection, opening the door to such an attack. Worse still, this breaks Google Play’s terms and conditions: all apps in the store must deliver updates through Google Play for security purposes.
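To make the failure mode concrete, here is an added illustration (not code from the article, Doctor Web, or UCWeb) of the two checks an in-app updater needs before it installs anything it downloaded: the transport must be HTTPS, and the received bytes must match a digest obtained out of band (pinned in the app or carried in a signed manifest). The update payload, the hostname `updates.example`, and the on-path tampering model are all constructed for the example; the function names are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample "update" bytes standing in for an APK or code bundle.
GENUINE_UPDATE = b"UC-BROWSER-UPDATE-v1.0 (constructed sample payload)"

# Digest the vendor would publish through a trusted channel (pinned in the
# app, or carried in a signed manifest); here computed from the sample.
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


def update_url_is_secure(url: str) -> bool:
    """Accept only HTTPS update endpoints with a non-empty host.

    Over plain http:// any on-path party can read and rewrite the response;
    HTTPS with certificate validation is the minimum bar for code delivery.
    """
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def update_digest_matches(payload: bytes, expected_sha256_hex: str) -> bool:
    """Compare the downloaded bytes against the out-of-band digest."""
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison as a matter of habit; the digest is not secret.
    return hmac.compare_digest(actual, expected_sha256_hex)


def simulate_transfer(payload: bytes, url: str, on_path_attacker: bool) -> bytes:
    """Model of the network path (constructed for this example): an on-path
    party can alter a plain-HTTP body; an HTTPS body with certificate
    validation arrives unchanged."""
    if on_path_attacker and not update_url_is_secure(url):
        return payload + b" + content altered on the wire"
    return payload


def install_update(url: str, received: bytes, expected_sha256_hex: str,
                   require_https: bool = True) -> str:
    """Gate the install on transport, then on the digest. Returns a verdict
    string suitable for logging. require_https=False models a legacy
    updater that still talks plain HTTP but verifies the digest."""
    if require_https and not update_url_is_secure(url):
        return "rejected: update channel is not HTTPS"
    if not update_digest_matches(received, expected_sha256_hex):
        return "rejected: digest mismatch (payload altered or wrong file)"
    return "accepted"


def run_scenario(url: str, on_path_attacker: bool,
                 require_https: bool = True) -> str:
    """Download the constructed update over the given path and try to install."""
    received = simulate_transfer(GENUINE_UPDATE, url, on_path_attacker)
    return install_update(url, received, PUBLISHED_SHA256, require_https)


if __name__ == "__main__":
    cases = [
        ("http://updates.example/uc.bin", True, True),
        ("http://updates.example/uc.bin", True, False),
        ("http://updates.example/uc.bin", False, False),
        ("https://updates.example/uc.bin", True, True),
    ]
    for url, mitm, strict in cases:
        print(f"{url:34} attacker={mitm!s:5} require_https={strict!s:5} -> "
              f"{run_scenario(url, mitm, strict)}")
```

The digest check is the gate that would have caught an altered download even on the legacy HTTP channel; the HTTPS requirement is what stops the channel from being rewritten in the first place. Neither replaces delivering updates through the platform store, which the article notes Google Play requires.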

“This violates Google Inc’s rules and poses a serious threat because it enables any code, including malicious ones, to be downloaded to Android devices,” the researchers noted.

The same vulnerability also afflicts UC Browser Mini, a separate app from the same company with more than 100 million downloads in the Google Play Store.

Usman Rahim, digital security and operations manager at The Media Trust, told SiliconANGLE that browsers and other apps are being developed ever faster but with a traditional security mindset, in which a product’s security deficiencies are identified only after it has been designed. “Third parties are often not carefully vetted for security capabilities,” he said. Moreover, security considerations fail to receive the priority and resources they require and are treated as unnecessary costs.

“Companies shouldn’t wait until they fall victim to an attack or to benign negligence,” Rahim said. “They should build data security and compliance into an app’s entire product lifecycle; they need to scan their apps to find out what happens to users who download, use, and update the app.”