With privacy all but nonexistent now thanks to web advertising and monetized tracking, there’s a definite niche for browsers and other tools that specialize in keeping you safe and anonymous online. Brave, DuckDuckGo, Mullvad, and Tor are all great examples. But one “privacy browser” is allegedly made by cyber criminals specifically to harvest data—and it has millions of downloads.
According to a security report from Infoblox, in cooperation with the United Nations Office on Drugs and Crime, the China-focused Universe Browser is advertised as a safe and private way to bypass censorship and web blocks. It has a specific use case for would-be online gamblers. But just underneath its surface, the browser is recording the user’s location, routing all traffic data through servers in China, installing keyloggers, and changing network settings.
“These features are consistent with remote access trojans (RATs) and other malware increasingly being distributed through Chinese online gambling platforms,” says Infoblox. While the report stops short of accusing the developers of the browser of being straight-up criminals, it’s hard to imagine any software doing all that nasty stuff for benevolent purposes. The data collected would be easy to leverage into tracking wealthy gamblers and targeting them for Trojan deliveries, identity theft, or blackmail attacks… just as examples.
The Chrome-derived Universe Browser has been promoted as a way to access gambling sites to customers of the Baoying Group, closely associated with Triad criminal actors (labelled “Vault Viper” by researchers) that profit from illegal online gambling, cybercrime, money laundering, and human trafficking. Once installed, the program attempts to evade antivirus detection, injects code, and monitors system information like the contents of a user’s clipboard.
After a few checks to make sure it’s properly evading security, the Windows version can even replace your original Chrome executable file. Once it’s well and truly embedded in both the system and the user’s habits, things start to get really interesting. The browser’s base function has almost all user-accessible settings disabled, and it includes an extension that can take screenshots of web browsing and upload them to a remote server. The browser appears to be sending encrypted data to specific servers associated with Vault Viper.
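For anyone who wants to check a Windows machine rather than take the report's word for it, the following script is an added example (not code from the article, Infoblox, or the browser's developers) that inspects the usual Chrome install locations and confirms chrome.exe still carries a valid Authenticode signature from Google. The paths and the "Google LLC" signer check are assumptions based on standard Chrome installs; a replaced or tampered executable would typically fail the signature check or show a different signer.

```powershell
# Added example: verify that chrome.exe has not been swapped out for an unsigned
# or differently-signed binary. Paths below are the standard Chrome install
# locations (assumed); adjust if Chrome lives somewhere else on your system.
$candidates = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
)

foreach ($path in $candidates) {
    if (-not (Test-Path $path)) { continue }

    # Authenticode status and the certificate subject of whoever signed the file
    $sig = Get-AuthenticodeSignature -FilePath $path
    # Embedded version resource: product name and version string
    $ver = (Get-Item $path).VersionInfo

    # Summarise what was found so it can be compared against a known-good machine
    [pscustomobject]@{
        Path    = $path
        Status  = $sig.Status                     # expect 'Valid'
        Signer  = $sig.SignerCertificate.Subject  # expect a 'Google LLC' subject
        Product = $ver.ProductName                # expect 'Google Chrome'
        Version = $ver.ProductVersion
        SHA256  = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }

    # Anything not validly signed by Google is a reason to reinstall from the
    # official download page and review what else has been changed on the host.
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Google LLC') {
        Write-Warning "$path is not validly signed by Google; treat it as suspect."
    }
}
```

Run it from a normal PowerShell prompt; the SHA256 column lets you compare the file against a freshly downloaded copy of the same Chrome version on a clean machine, which is a stronger check than the signature alone.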
Universe Browser seems to be custom-made for the Baoying Group and its associates, and it’s only advertised on their sites, mostly targeting gamblers in China and Taiwan where online gambling is illegal. It’s available on the iOS App Store and as a sideloaded Android app, but according to Wired, it’s not known whether these mobile versions are as dangerous as the Windows version. I’d avoid all of them if I were you.