A recent report has revealed that UC Browser violated Google Play Store policies and, in the process, put users of its Android version at risk.
The policies of Google Play Store state that the Android apps stored on the platform cannot be updated or modified from third-party sources other than Google Play Store itself. The UC browser, according to the report, clearly didn’t follow the rules.
UC made the browser available for download from a third-party source over an unsecured channel, putting its more than 500 million users at risk. The move made the users vulnerable to “man in the middle” (MiTM) attacks. In a MiTM attack, the attacker gets between two communicating parties and thereby has access to whatever is being communicated.
ThreatLabZ researchers first discovered this activity. The researchers noticed that the UC browser app was sending requests to download an additional Android Package Kit (APK) from a particular domain: 9appsdownloading.com.
The ThreatLabZ researchers also discovered that UC Browser Mini, made by the same developer and with over 100 million downloads, was using the same process: it too was downloading an APK from a remote server onto Android users’ devices.
According to the researchers, the browser downloaded the additional APKs but did not install them on the user’s device. This, the researchers say, was probably because whatever sketchy activity UC was doing was still under development.
Another reason for the additional APKs not installing could be the Android settings that prevent apps from unknown sources from installing.
Whatever the case, this is something users of the Android version of the UC browser should be concerned about, because the downloads are done via an unsecured channel, which leaves them vulnerable to MiTM attacks.
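For defenders who want to spot this behaviour on their own network, here is an added example (not from the report or from ThreatLabZ) that scans web-proxy log lines for APK downloads fetched over plain HTTP or from hosts outside an expected list. The log format, the allowlist host, the URL paths and every sample line are constructed for illustration; only the domain in the first line comes from the article, and treating the "unsecured channel" as `http://` is an assumption.

```python
from urllib.parse import urlsplit

APK_MIME = "application/vnd.android.package-archive"
# Assumption: hosts devices are expected to fetch APKs from (placeholder value).
ALLOWED_APK_HOSTS = {"store.example"}

# Constructed sample log. Fields: timestamp client method url status content-type
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.12 GET http://9appsdownloading.com/pkg/sample.apk 200 application/vnd.android.package-archive
2024-01-01T10:00:05Z 10.0.0.12 GET https://store.example/app/base.apk 200 application/vnd.android.package-archive
2024-01-01T10:00:09Z 10.0.0.15 GET http://cdn.example/update?id=7 200 application/vnd.android.package-archive
2024-01-01T10:00:12Z 10.0.0.15 GET https://mirror.example/tool.apk 200 application/octet-stream
2024-01-01T10:00:20Z 10.0.0.20 GET http://news.example/index.html 200 text/html
2024-01-01T10:00:25Z 10.0.0.20 GET http://cdn.example/missing.apk 404 text/html
"""

def find_apk_downloads(log_text, allowed_hosts=ALLOWED_APK_HOSTS):
    """Return one finding per successful APK download that was sent in
    cleartext or came from a host outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines instead of guessing at fields
        ts, client, _method, url, status, ctype = fields
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # An APK is recognised by MIME type or by file extension, because
        # servers often mislabel it as application/octet-stream.
        is_apk = ctype.lower() == APK_MIME or parts.path.lower().endswith(".apk")
        if not is_apk or not status.startswith("2"):
            continue  # not an APK, or nothing was actually delivered
        if parts.scheme == "http":
            reason = "cleartext-apk"   # content can be altered in transit
        elif host not in allowed_hosts:
            reason = "offstore-apk"    # encrypted, but not an expected source
        else:
            continue
        findings.append({"time": ts, "client": client, "host": host, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in find_apk_downloads(SAMPLE_LOG):
        print(finding)
```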
The violation was reported to Google back in August this year and Google has confirmed that there was indeed an issue. Consequently, Google has asked the developers to fix it.
Though UC Browser is one of the top browsers in the Android world, its security issues keep building up. In March this year, researchers at Dr. Web discovered that the UC browser downloaded an executable Linux library from a remote server.
Personally, I wouldn’t really advise anyone to use any other browser aside from the one that came with the device…unless, of course, that browser is Internet Explorer!