To download new plug-ins, the browser sends a request to the command and control server and receives a link to file in response. Since the program communicates with the server over an unsecured channel (the HTTP protocol instead of the encrypted HTTPS), cybercriminals can hook the requests from the application. They can replace the commands with ones containing different addresses. This makes the browser download new modules from malicious server instead of its own command and control server. Since UC Browser works with unsigned plug-ins, it will launch malicious modules without any verification.You can see an example of such an attack at work in the video below. https://youtu.be/Nfns7uH03J8 In its analysis, the Russian anti-malware company found that UC Browser Mini can mimic its big brother by downloading untested components and bypassing Goggle's servers. This ability threatens 100 million Google Play users with the risk of a malware infection. It does not, however, enable criminals to conduct a MitM attack as with UC Browser. Following its discovery, Doctor Web reached out to the developer of UC Browser and UC Browser Mini. When the developer refused to comment, it contacted Google about the apps' concerning behavior. The security firm is still waiting on a response. Both programs are still available for download from Google's Play Store at the time of this writing.