UC Browser Puts Over 500 Million Android Users at Risk by Violating Google Play Store Policies
- The browser downloaded an additional Android Package Kit (APK) from a third-party domain over an unsecured channel.
- The use of unprotected channels could allow attackers to install an arbitrary payload on a device and perform a variety of malicious activities.
This behavior violated Google’s app store rules, which state: “Android apps distributed via Google Play may not modify, replace, or update itself using any method other than Google Play's update mechanism. Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play.”
What’s the matter?
While analyzing the app’s behavior, Zscaler ThreatLabZ researchers discovered the following issues:
- The browser downloaded an additional Android Package Kit (APK) from a third-party domain - 9appsdownloading[.]com - over an unsecured channel.
- Communication over an unsecured channel opened the door to man-in-the-middle attacks.
- The downloaded APKs were dropped on the user’s external storage, but the app failed to install the package on the device.
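A defender-side check for the behavior listed above, as an added example that is not part of the Zscaler report: it scans web-proxy log lines for executable code (APKs plus the dex, JAR and .so types named in the policy) and rates cleartext HTTP fetches as high severity. The log format, hostnames and function names are assumptions, and the sample lines are constructed.

```python
from urllib.parse import urlsplit

# Executable formats named in the Google Play policy quoted above, plus APK.
EXEC_EXTENSIONS = (".apk", ".dex", ".jar", ".so")
APK_MIME = "application/vnd.android.package-archive"

# Constructed proxy log lines. Assumed format: time client method url content-type
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET http://downloads.example.test/pkg/store.apk application/vnd.android.package-archive
2024-01-01T10:00:02Z 10.0.0.5 GET https://cdn.example.test/img/logo.png image/png
2024-01-01T10:00:03Z 10.0.0.7 GET http://updates.example.test/fetch?id=42 application/vnd.android.package-archive
2024-01-01T10:00:04Z 10.0.0.7 GET https://cdn.example.test/lib/libcore.so application/octet-stream
2024-01-01T10:00:05Z 10.0.0.9 GET http://news.example.test/index.html text/html
malformed line
"""


def is_executable(path, content_type):
    """True if the URL path or the declared MIME type indicates executable code."""
    return path.lower().endswith(EXEC_EXTENSIONS) or content_type.lower() == APK_MIME


def find_code_downloads(log_text):
    """Return one finding per request that fetched executable code.

    'high'   = fetched over cleartext HTTP, so an on-path attacker can swap the payload.
    'review' = fetched over HTTPS; still code obtained outside the store's update path.
    """
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:  # skip lines that do not match the assumed format
            continue
        ts, client, _method, url, ctype = fields
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue
        # Check the path only, so query strings do not hide or fake an extension.
        if not is_executable(parts.path, ctype):
            continue
        severity = "high" if parts.scheme == "http" else "review"
        findings.append({"time": ts, "client": client, "host": parts.hostname,
                         "path": parts.path, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_code_downloads(SAMPLE_LOG):
        print(finding)
```

The third sample line is caught by its content type alone, which covers download URLs that carry no file extension.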
What could be the impact?
The use of unprotected channels could allow attackers to install an arbitrary payload on a device and perform a variety of malicious activities. This includes displaying phishing messages designed to steal personal data including usernames, passwords, and credit card numbers.
How has the issue been addressed?
Zscaler reported UC Browser’s policy violation issues to Google on August 13, following which the IT giant reached out to UCWeb. Google asked UCWeb to ‘update the apps and remediate the policy violation.’