UC Browser for Android has a flaw in the "hidden" feature it uses to side-load new libraries and modules from the company's servers onto users' devices, which hackers could exploit to remotely download and execute malicious code on Android phones.
According to Dr. Web, the browser downloads new plugins from the UCWeb server over the insecure HTTP protocol, thus opening the browser up to hackers who can remotely perform man-in-the-middle (MiTM) attacks to push malicious modules to targeted users' devices.
And given that UC Browser works even with unsigned plug-ins, it could launch the malicious modules without any form of verification; the hackers only have to intercept the server response from http://puds.ucweb.com/upgrade/index.xhtml?dataver=pb and replace the link to the plug-in and the values of the attributes.
The researchers at Dr. Web demonstrated just how easy it is to replace a plugin for viewing PDF documents with malicious code using an MiTM attack, forcing UC Browser to compose a new message instead of opening the file.
This sort of attack can be leveraged by cybercriminals to spread malicious plug-ins, which can be used to display phishing messages aimed at stealing users' usernames and passwords, banking details, and other personal information.
Also, the Trojan modules could be used to access protected browser files to steal passwords that are stored in the program directory.
This flaw is present in both UC Browser and UC Browser Mini, including the latest versions of the browsers released to date. And surprisingly, UC Browser is among the most popular mobile browsers, especially in India and its home country, China, with a massive user base of over 500 million users worldwide.
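The two gaps described above, plug-ins fetched over cleartext HTTP and unsigned plug-ins being loaded, are both closed by checking a module before it is loaded. The Java code below is an added example, not UC Browser's or Dr. Web's code; the class name, the `isTrusted` method, the placeholder URLs and the throwaway key pair are assumptions made for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.*;

// Added example: a gate an updater could apply before loading a downloaded module.
public class ModuleUpdateCheck {

    /** Returns true only if the module came over HTTPS and carries a valid vendor signature. */
    static boolean isTrusted(String url, byte[] module, byte[] sig, PublicKey pinnedKey) {
        try {
            // Plain HTTP lets anyone on the network path rewrite the response.
            if (!"https".equalsIgnoreCase(URI.create(url).getScheme())) return false;
            // Transport security alone is not enough: the bytes themselves must be
            // signed by the key that ships inside the app.
            Signature v = Signature.getInstance("SHA256withECDSA");
            v.initVerify(pinnedKey);
            v.update(module);
            return v.verify(sig);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed URL, key or signature: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed test data: a throwaway key pair stands in for the vendor key.
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair vendor = g.generateKeyPair();
        byte[] module = "constructed plug-in bytes".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(vendor.getPrivate());
        s.update(module);
        byte[] sig = s.sign();

        byte[] swapped = "replaced in transit".getBytes(StandardCharsets.UTF_8);
        String https = "https://updates.example.invalid/pdf.so"; // placeholder host
        String http = "http://updates.example.invalid/pdf.so";   // placeholder host
        PublicKey pub = vendor.getPublic();
        System.out.println("genuine module:   " + isTrusted(https, module, sig, pub));
        System.out.println("swapped module:   " + isTrusted(https, swapped, sig, pub));
        System.out.println("cleartext source: " + isTrusted(http, module, sig, pub));
        System.out.println("unsigned module:  " + isTrusted(https, module, new byte[0], pub));
    }
}
```

In a real updater the public key would be embedded in the application package rather than generated at run time, so that a modified server response cannot supply its own key.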