The popular browser for smartphones 'UC Browser' can execute malicious code via Google Play



The smartphone browser 'UC Browser' is developed by UCWeb, which is owned by Alibaba Group Holding. It is especially popular in China and India and is said to have over 500 million users. However, the internet security company Doctor Web warns that 'UC Browser can download and execute any code, including malicious ones, via Google Play.'

Hundreds of millions of UC Browser users for Android are threatened
https://news.drweb.com/show/?i=13176&c=38&lng=en

Insecure UC Browser 'Feature' Lets Hackers Hijack Android Phones Remotely
https://thehackernews.com/2019/03/uc-browser-android-hacking.html

According to Doctor Web, although UC Browser itself does not contain malicious software, it has a function that loads and launches unverified modules. UC Browser downloads these plug-ins over the HTTP protocol rather than the encrypted HTTPS protocol, so a third party can cause a malicious module to be downloaded and launched.

For this reason, it becomes a target for man-in-the-middle (MITM) attacks, in which your smartphone is taken over and used as a foothold for an attack on a third party, or a Trojan horse is downloaded and executed. There is also a risk that stored usernames, passwords, credit card numbers, etc. will be stolen.
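The check that is missing in the behaviour described above can be sketched as follows. This is an added example, not code from UC Browser or Doctor Web: the module names, URLs and digest list are constructed, and it assumes the expected digests ship inside the signed app package.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

class ModuleRejected(Exception):
    """Raised when a downloaded module must not be loaded."""

# Constructed sample: the module the app expects, and the digest list that
# would ship inside the signed app package (names are hypothetical).
GOOD_MODULE = b"\x7fELF constructed sample plug-in v1"
PINNED = {"libsample_plugin.so": hashlib.sha256(GOOD_MODULE).hexdigest()}

def check_module(url: str, payload: bytes, pinned: dict = PINNED) -> bytes:
    """Return payload only if it is safe to hand to the loader."""
    parts = urlsplit(url)
    # 1. Transport: plain HTTP lets anyone on the path swap the response.
    if parts.scheme != "https":
        raise ModuleRejected(f"insecure transport: {parts.scheme or 'none'}")
    # 2. Identity: only modules the signed app already knows about.
    name = parts.path.rsplit("/", 1)[-1]
    expected = pinned.get(name)
    if expected is None:
        raise ModuleRejected(f"unknown module: {name!r}")
    # 3. Integrity: digest must match, independent of the transport.
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ModuleRejected(f"digest mismatch for {name}")
    return payload

def audit(downloads):
    """Map each (url, payload) to 'load' or the rejection reason."""
    results = []
    for url, payload in downloads:
        try:
            check_module(url, payload)
            results.append("load")
        except ModuleRejected as exc:
            results.append(str(exc))
    return results

if __name__ == "__main__":
    tampered = GOOD_MODULE + b" + injected code"
    for line in audit([
        ("http://updates.example/libsample_plugin.so", GOOD_MODULE),
        ("https://updates.example/libsample_plugin.so", tampered),
        ("https://updates.example/libother.so", GOOD_MODULE),
        ("https://updates.example/libsample_plugin.so", GOOD_MODULE),
    ]):
        print(line)
```

The digest comparison is deliberately separate from the transport check, so a module altered on the server or in a cache is rejected even when it arrives over HTTPS.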


When Doctor Web reported this vulnerability to the developer UCWeb, UCWeb declined to answer. Doctor Web then appears to have reported the problem to Google, because UC Browser violates the Google Play terms that 'a downloaded application must not modify its own code or download software from a third party.' At the time of the article's publication, UC Browser was downloadable from Google Play.


in Mobile, Software, Security. Posted by log1k_iy