A popular web browser’s hidden ability poses a serious risk to more than 500 million Google Play users and their Android devices.

Malware analysts at Doctor Web recently observed that UC Browser, a web browser developed by the Alibaba-owned Chinese mobile Internet company UCWeb, can secretly download and execute new libraries and modules from third-party services. Such a function places UC Browser in violation of Google Play’s rules for software distributed in its app store. It also undermines the security of 500 million Google Play users who’ve downloaded the app in the past.

One of the biggest dangers here is that digital criminals could seize control of the browser developer’s servers and use its hidden feature to load trojans or other unwanted software. Digital attackers could also use the function to perform man-in-the-middle (MitM) attacks. As Doctor Web’s researchers explain in a blog post:

To download new plug-ins, the browser sends a request to the command and control server and receives a link to file in response. Since the program communicates with the server over an unsecured channel (the HTTP protocol instead of the encrypted HTTPS), cybercriminals can hook the requests from the application. They can replace the commands with ones containing different addresses. This makes the browser download new modules from malicious server instead of its own command and control server. Since UC Browser works with unsigned plug-ins, it will launch malicious modules without any verification.

You can see an example of such an attack at work in the video below.

In its analysis, the Russian anti-malware company found that UC Browser Mini can mimic its big brother by downloading untested components and bypassing Goggle’s servers. This ability threatens 100 million Google Play users with the risk of a malware infection. It does not, however, enable criminals to conduct a MitM attack as with UC Browser.

Following its discovery, Doctor Web reached out to the developer of UC Browser and UC Browser Mini. When the developer refused to comment, it contacted Google about the apps’ concerning behavior. The security firm is still waiting on a response.

Both programs are still available for download from Google’s Play Store at the time of this writing.