The highly popular UC Browser and UC Browser Mini Android apps, with a total of over 600 million Play Store installs, exposed their users to man-in-the-middle (MiTM) attacks by downloading an Android Package Kit (APK) from a third party server over unprotected channels.

Doing this directly violates Google's app store rules, as Android apps "distributed via Google Play may not modify, replace, or update itself using any method other than Google Play's update mechanism."

"Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play," Google also states in the Play Store's Privacy, Security, and Deception rules.

Install stats for UCWeb Android apps

While analyzing the apps' behavior, Zscaler ThreatLabZ researchers discovered the following three issues:

• Downloading an additional APK from a third-party server – in violation of Google Play policy

• Communication over an unsecured channel – opening doors to man-in-the-middle attacks

• Dropping an APK on external storage (/storage/emulated/0)

Security and privacy issues fixed

Zscaler reported the UC Browser's policy violation issues to Google on August 13 and exchanged e-mails with Google's team until September 25.

On September 27 Google confirmed the UC Browser and UC Mini issues discovered by the researchers and reached out to UCWeb to "update the apps and remediate the policy violation."

UCWeb subsequently updated both apps and fixed the issues; Zscaler later confirmed that the apps had stopped dropping third-party APKs on their users' Android devices.

"Because UC Browser downloads an unknown third-party app to devices over unsecured channels, those devices can become victim to man-in-the-middle (MiTM) attacks. Using MiTM, attackers can spy on the device and intercept or change its communications," says Zscaler.

"The UC Browser app’s use of unsecured channels also allows attackers to install an arbitrary payload on a device that can perform a variety of activities, such as display phishing messages designed to steal personal data, including usernames, passwords, and credit card numbers."

The third-party app store

UC Browser only downloaded the APK from the 9appsdownloading[.]com domain to the Android device's external storage, without actually installing it.

This may have been because the functionality was still under development at the time, or because the test device did not meet a hardcoded condition such as a "disabled unknown-sources option, or rooted device."

Zscaler's research team went further and, after installing the APK manually, discovered that it was a third-party app store named 9Apps, with the package name com.mobile.indiapp.

Once launched on the test device, the 9Apps app started scanning for installed applications and offered to install more apps from its built-in store, which were also downloaded as APKs from the 9appsdownloading[.]com domain.

Downloading apps from the 9Apps store

Zscaler also detected other APK download requests to this domain: the company's cloud traffic monitoring showed more than 130 of them during August alone.
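The pattern Zscaler observed, an APK delivered over plain HTTP from a domain that is not Google Play, is easy to surface in web proxy logs. The following detector is an added example (not Zscaler's or UCWeb's code) that runs over constructed sample log lines in an assumed format of timestamp, client, method, URL, status and content type; it flags cleartext APK downloads, which are the ones exposed to MiTM tampering, and counts APK downloads per serving host so an unexpected distribution domain stands out.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample proxy log lines (assumed format, not from the article).
SAMPLE_LOG = """\
2019-08-03T10:12:41Z 10.0.0.7 GET http://9appsdownloading.com/apk/9Apps.apk 200 application/vnd.android.package-archive
2019-08-03T10:13:02Z 10.0.0.7 GET https://play.googleapis.com/download/by-id/abc 200 application/octet-stream
2019-08-03T10:15:19Z 10.0.0.9 GET http://9appsdownloading.com/apk/game.apk 200 application/octet-stream
2019-08-03T10:16:00Z 10.0.0.9 GET http://example.com/index.html 200 text/html
2019-08-03T10:17:45Z 10.0.0.7 GET https://9appsdownloading.com/apk/tool.apk 200 application/vnd.android.package-archive
"""

APK_MIME = "application/vnd.android.package-archive"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ctype = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype}


def is_apk_download(entry):
    """An APK download is a successful response with the APK MIME type or a .apk path."""
    path = urlparse(entry["url"]).path.lower()
    return entry["status"] == 200 and (entry["ctype"] == APK_MIME or path.endswith(".apk"))


def find_cleartext_apk_downloads(log_text):
    """Return APK downloads served over plain HTTP: executable code an on-path attacker could swap."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_apk_download(entry):
            continue
        if urlparse(entry["url"]).scheme == "http":
            findings.append(entry)
    return findings


def apk_downloads_per_host(log_text):
    """Count APK downloads per serving host (any scheme) to spot a non-Play distribution domain."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_apk_download(entry):
            counts[urlparse(entry["url"]).hostname] += 1
    return counts
```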

"The tactics used by UC Browser and UC Mini violate Google Play security policies and make it possible for any malicious app to gain entry into a user's device," says Zscaler.

"While 9Apps, an app store for Android apps, is not a malicious site, we searched the domain using VirusTotal, which showed a number of detections."

9appsdownloading VirusTotal detections

"It is too early to determine exactly what the UC Browser developers intended with their third-party APK, but it is clear that they are putting users at risk. And with more than 500 million downloads of UC Browser, that is a significant threat," concludes Zscaler.

Previous UC Browser security and privacy issues

UC Browser, the market-leading mobile browser in China and India and the world's fourth most popular mobile browser according to StatCounter, is developed by UCWeb, a company owned by China's Alibaba Group since 2014.

This is not the first time UC Browser users have been put at risk. As we reported in late March, Doctor Web researchers observed the app installing additional modules from UCWeb's servers over unsecured HTTP connections, likewise exposing users to man-in-the-middle (MiTM) attacks.

As BleepingComputer later discovered, the desktop UC Browser app was also vulnerable to MiTM attacks, potentially allowing attackers to download malicious extensions onto users' computers.

Two months later, the two apps were also found to expose their users to URL spoofing attacks, as explained by security researcher Arif Khan, who found the flaw and reported it to the apps' security team.

Citizen Lab also found several privacy and security issues with UC Browser in 2015, with the app being observed while leaking "a significant amount of personal and personally-identifiable data; as a result, any network operator or in-path actor on the network can acquire a user’s personally identifiable information (including cellular subscriber information, mobile device identifiers, geolocation data, and search queries) through trivial decrypting of traffic or by observing unencrypted traffic."

Further back, the Communications Security Establishment (CSE) — Canada’s signals intelligence agency — also noted UC Browser security vulnerabilities as revealed in a document leaked by Edward Snowden, according to a Canadian Broadcasting Corporation (CBC) report.

BleepingComputer has reached out to UCWeb for comment regarding the status of the security issue Zscaler found in their Android apps but had not heard back at the time of this publication. This article will be updated when a response is received.