This article originally appeared in Infosecurity Magazine on March 28, 2019.
More than 500 million Android users have been put at risk of a man in the middle (MITM) attack resulting from a popular web browser's ability to secretly download auxiliary components from the internet, according to blog posts from both Tripwire and Dr.Web.
Researchers noted that UC Browser for Android and UC Browser Mini for Android applications have the hidden ability to download and install extra modules from their own servers using unprotected channels and bypassing Google Play's servers altogether, a clear violation of the rules of the Google Play store.
"The browser receives commands from the command and control server and downloads new libraries and modules, which add new features and can be used to update the software," the Dr. Web blog stated.
"During our analysis, UC Browser downloaded an executable Linux library from a remote server. The library was not malicious; it is designed to work with MS Office documents and PDF files. Initially, this library was not in the browser. After downloading, the program saved the library to its directory and launched it for execution. Thus, the application is actually able to receive and execute code, bypassing the Google Play servers. This violates Google's rules for software distributed in its app store."
Researchers at Tripwire disagreed in part with Dr. Web's reporting noting that with the UC Browser, an attacker could take control of the browser developer’s servers and load malicious software using this hidden feature. However, with the UC Browser Mini, "this ability threatens 100 million Google Play users with the risk of a malware infection. It does not, however, enable criminals to conduct a MITM attack as with UC Browser."
That is not the only way that bad actors could exploit the browser, said Usman Rahim, digital security and operations manager at The Media Trust.
“Bad actors can insert their code through insecure third-party code suppliers. Browsers and other apps are being developed within ever shorter timescales and with a traditional security mindset where the security deficiencies of a product are determined after it has been designed, not before and during. Third parties are often not carefully vetted for security capabilities. Moreover, security considerations fail to receive the priority and resources they require and are, instead, treated as unnecessary costs—that is, of course, until a breach happens.”