
Universe Browser makes some big promises to its potential users. Its online ads claim it’s the “fastest browser,” that people who use it “will avoid privacy leaks,” and that the software will help “keep you out of harm’s way.” However, all is probably not as it seems.
The browser, which is linked to Chinese online gambling websites and is believed to have been downloaded millions of times, actually routes all Internet traffic through servers in China and “secretly installs several programs that run silently in the background,” according to new findings by network security firm Infoblox. Researchers say the “hidden” items include malware-like features – including “key logging, hidden connections” and changing the device’s network connections.
Perhaps most importantly, Infoblox researchers, who collaborated with the United Nations Office on Drugs and Crime (UNODC) on the work, found links between the browser’s operation and the sprawling multibillion-dollar cybercrime ecosystem in Southeast Asia, which has links to money laundering, illegal online gambling, human trafficking and fraudulent operations that use forced labor. The browser itself, the researchers say, is directly connected to a network around the major online gambling company BBIN, which the researchers track as a threat group they call Vault Viper.
Researchers say the discovery of the browser – plus its suspicious and risky behavior – shows that criminals in the region are becoming more sophisticated. “These criminal groups, especially Chinese organized crime syndicates, are increasingly diversifying and developing into cyber fraud, pig slaughter, impersonation, fraud, that whole ecosystem,” said John Wojcik, senior threat researcher at Infoblox, who also worked on the project when he was a staff member at UNODC.
“They will continue to double down, reinvest profits, develop new capabilities,” Wojcik says. “The threat is ultimately becoming more serious and more of a concern, and this is one example of where we’re seeing that.”
Universe Browser was first spotted – and mentioned by name – by Infoblox and UNODC earlier this year when they began unpacking the digital systems surrounding a Cambodia-based online casino operation that had previously been targeted by law enforcement officials. Infoblox, which specializes in Domain Name System (DNS) management and security, found a unique DNS fingerprint in these systems, which it linked to Vault Viper, making it possible for researchers to track and map websites and infrastructure associated with the group.
Tens of thousands of web domains, plus various command-and-control infrastructure and registered companies, are linked to Vault Viper’s activity, Infoblox researchers said in a report shared with WIRED. They also say they have reviewed hundreds of pages of corporate documents, legal records and court documents with links to BBIN or other subsidiaries. Again and again, they came across Universe Browser online.
“We have not seen Universe Browser advertised outside of the domains that Vault Viper controls,” said Maël Le Touz, threat researcher at Infoblox. The Infoblox report said the browser was “specifically” designed to help people in Asia, where online gambling is largely illegal, get around restrictions. “Every one of the casino websites they run seems to have a link and an ad to it,” says Le Touz.