This “Privacy Browser” has dangerous hidden features


Universe Browser makes big promises to its potential users. Its online advertising claims that it’s the “fastest browser,” that people who use it “prevent privacy leaks,” and that the software helps “keep you out of harm’s way.” However, all is likely not as it seems.

The browser, which is linked to Chinese online gambling websites and is believed to have been downloaded millions of times, actually routes all Internet traffic through servers in China and “secretly installs several programs that run silently in the background,” according to new findings by network security firm Infoblox. The researchers say the “stealth” elements include malware-like features, including “key reporting, stealth connections” and changing the device’s network connections.

Perhaps most importantly, Infoblox researchers, working with the United Nations Office on Drugs and Crime (UNODC), found links between the browser's operation and Southeast Asia's vast, multibillion-dollar cybercrime ecosystem, which is tied to money laundering, human trafficking, and gambling. According to the researchers, the browser itself is directly linked to a network around online gambling giant BBIN, which they track as a threat group dubbed Vault Viper.

Researchers say the discovery of the browser — plus its suspicious and risky behavior — shows that criminals in the region are becoming increasingly sophisticated. “These criminal groups, especially Chinese organized crime syndicates, are increasingly diversifying into cyber fraud, butchery, impersonation, fraud, this whole ecosystem,” said John Wojcik, senior threat researcher at Infoblox and a former member of the UNODC staff.

“They will continue to double down, reinvest profits, develop new capabilities,” Wojcik says. “The threat is ultimately becoming more serious and worrisome, and that’s an example of where we’re seeing that.”

Under the Hood

Universe Browser was first spotted — and named — by Infoblox and UNODC earlier this year when they began unraveling the digital systems around a Cambodia-based online casino operation that had previously been raided by law enforcement. Infoblox, which specializes in Domain Name System (DNS) management and security, identified a unique DNS fingerprint on systems linked to Vault Viper, allowing researchers to trace and map websites and infrastructure associated with the group.

In a report shared with WIRED, Infoblox researchers say tens of thousands of web domains, plus various command-and-control infrastructure and registered companies, are linked to Vault Viper's activity. They also say they reviewed hundreds of pages of corporate documents, legal records, and court filings with links to BBIN or its subsidiaries. They encountered Universe Browser online time and time again.

Maël Le Touz, a threat researcher at Infoblox, said: “We have not seen Universe Browser being promoted outside of the domains that Vault Viper controls.” The Infoblox report said the browser was “specifically” designed to help people in Asia – where online gambling is largely illegal – bypass the restrictions. “It seems like every casino website they operate has links and ads to it,” says Le Touz.
