The latest versions of the UC Browser and UC Browser Mini Android apps, with a total of over 600 million installs, expose their users to URL spoofing attacks, as explained by security researcher Arif Khan, who found the flaw and reported it to the apps' security team.
URL spoofing attacks are based on the attackers' capability to change the URL displayed in the address bar of a web browser to trick their targets into thinking that the loaded website is controlled by a trusted party. However, as is the case with the address bar spoofing vulnerability discovered by Khan in the UC Browser apps for Android, the site is actually controlled by the malicious actors behind the attack.
Redirecting unaware targets to domains they control and camouflaging them as high-profile websites allows potential attackers to steal their victims' information using phishing landing pages or to drop malware on their computers via malvertising campaigns.
The URL spoofing issue
"URL Address Bar spoofing is the worst kind of phishing attack possible. Because it's the only way to identify the site which the user is visiting," said Khan.
... ...
...