Apple has removed “Adware Doctor” from the macOS App Store amid claims that the program was uploading browser histories to China.
Adware Doctor, which sold for $4.99 and was listed last week among the highest grossing apps in the “Paid Utilities” category of the macOS App Store, promised it would “keep your Mac safe”, “get rid of annoying pop-up ads” and “discover and remove threats on your Mac.”
What users did not know, however, was that the app had skirted around macOS’s sandboxing features and was silently exfiltrating data to servers based in China, therebyviolating the App Store’s “Data Collection and Storage” guidelines.
The data exfiltrated from users’ computers included:
- Chrome browser history
- Firefox browser history
- Safari browser history
- A list of running processes
- A list of software that you have downloaded
Not only could an unauthorized party now keep track of which websites you had visited in the past and what you had been reading; they also knew what programs you had running on your Mac computer.
Adware Doctor’s suspicious behavior was uncovered after an investigation conducted by security researchers @privacyis1st (who made a video demonstrating the app’s behind-the-scenes behaviour) and Patrick Wardle.
Monitoring network activity, the researchers were able to show that the app created a file called “history.zip” and sent it to a server based in China. And to make matters even worse, the history.zip file was ‘protected’ with the trivial password “webtool” (hardcoded in plaintext).
Privacy 1st claims that he privately informed Apple of the problem concerning Adware Doctor and two other apps on August 12th, but it appears that no action was taken until he and Wardle published their findings on Friday last week.
Since the discovery was made public, it has come to light that there are a number of other apps in the Mac App store exhibiting similar behavior – including “Dr. Unarchiver”, which as of 9 September was rated the twelfth most popular free app in the U.S. Mac App Store.
Alarmingly, some users have been claiming as far back as last year that programs in the Mac App Store were behaving suspiciously, meaning they may have been stealing information from users’ computers for a period of nine months or longer.
For instance, a user named “PeterNopSled” posted on the MalwareBytes forum in December 2017 how he had discovered that “Dr. AntiVirus” was “hijacking your browsing history and upload[ing] it to their servers into a zip archive with the password ‘novirus.'”
Despite this, the apps are only now being kicked out of the Mac App Store for violating Apple’s developer guidelines.
Apple’s rules are clear:
- Apps that collect user or usage data must secure user consent for the collection.
- Apps must respect the user’s permission settings and not attempt to… trick, or force people to consent to unnecessary data access.
- Developers that use their apps to surreptitiously discover …private data, will be removed from the Developer Program.
Wardle and Privacy 1st make the point that as Adware Doctor simply never asks for permission to exfiltrate the user’s sensitive browser history, it was clearly in breach of Apple’s rules.
So what can Mac users learn from this and similar threats?
Clearly, it’s important to recognize that just because an app is being distributed via the “walled garden” of Mac’s App Store doesn’t necessarily mean it’s been thoroughly vetted for privacy violations. Mac users should take just as much care as their PC and Android-running cousins when it comes to choosing what software to install on their computers.
Furthermore, just because an app is popular does not necessarily mean that it is trustworthy. Unfortunately, suspicious apps can sometimes appear high in the charts – sometimes boosted because their position may have been “pumped up” by a large number of fake reviews.
If you grant an app access to your data, you simply cannot predict what it is going to do with it. Worse still, some apps (like Adware Doctor) may slip around macOS’s built-in security to gain access to your sensitive data even if you haven’t given them permission.
Finally, this might be an encouragement for users to update their Mac computers to Mojave, the next version of the Apple’s macOS operating system, when it becomes available later this year. Mojave is said to offer users better control of their data, requiring apps to get their explicit approval before trawling their way through sensitive data such as their browser history.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.