The popular Android browser UC Browser was found to break several Google mobile app rules possibly placing up to 500 million of its users at risk.
UC Browser, which is available from the Google Play store, was found by Zscaler ThreatLabZ team to be making some highly questionable moves once downloaded, many of which go against Google’s stated app policies. It has more than 500 million downloads.
The Google rules broken include altering the app, which is done when a third-party Android Package Kit is dropped onto the device, communicating over an unsecured channel and dropping an APK into external storage.
The third-party APK, which is sent through HTTP not HTTPS, that is dropped is not actually installed, but just resides in the external storage. The fact that the APK does nothing has stumped the researchers, but the working theory is the full functionality may still under development or it simply is having troubles completing the install process.
“It is too early to determine exactly what the UC Browser developers intended with their third-party APK, but it is clear that they are putting users at risk. And with more than 500 million downloads of UC Browser, that is a significant threat,” the report said.
ThreatLabZ took the extra step and manually installed it to see what would happen and found it to be a third-party app store named 9 Apps. 9 Apps immediately scans the device’s apps and then offers up several additional apps to the device owner, including adult apps.
Even if the APK is not dangerous using an unsecured channel to download it opens the user to man-in-the-middle attacks that ca result in additional downloads, spying, displaying phishing messages that could lead to data being stolen.
These promoted apps do exist and can be downloaded, but the connection with 9 Apps also continues in the background with ThreatLabZ noting that in the following weeks the 9 Apps domain attempted to push through additional APKs to the device.
9 Apps was not found to be a dedicated malicious site, Zscaler searched it using VirusTotal which detected a number of detections.
Google was notified of what was transpiring and the ThreatLabZ team then noticed it then no longer downloaded the third-party app store. UC Browser has informed SC Media that it fixed the issue.
UC Browser was developed by the Singapore/China-based mobile internet company UCWeb, which is in turn owned by the Chinese-owned Alibaba Group.