Apple removed today a very popular anti-malware app called Adware Doctor from the Mac App Store because it was gathering browsing history and other sensitive information without a user's permission and then uploading it to someone in China.
Adware Doctor is promoted as an anti-malware and adware protection program that claims to be able to protect your Mac from malicious files and browser from adware. This program was the #1 paid utility in the Mac App Store with a 4.8 star rating and over 7,000 reviews.
While it may have had the ability to remove infections on your Mac, it was also discovered to be quietly uploading a user's personal data without their permission to a remote site.
This behavior was first discovered by a security researcher named Privacy 1st who noticed that Adware Doctor would gather a user's browsing history from the Chrome, Safari, and the Firefox browsers, a list of running processes, and App Store search history.
This information is then stored in a password protected zip file called history.zip. After the history zip was created, it would be uploaded to a remote server.
To illustrate this behavior, Privacy_1st created a video that illustrates what happens when the program is executed.
After discovering that this program was performing data exfiltration, or the act of secretly uploading data to a remote server, the researcher contacted Patrick Wardle of Objective-see to collaborate with him on the analysis of this program.
In a blog post released today, Patrick corroborates Private_1st's findings and provides a detailed analysis of how the program would secretly gather a user's browsing habits and application details and then upload it to a remote host.
When Adware Doctor uploaded a user's data, it would send the history.zip file to a remote host named adscan.yelabapp.com. While this domain is hosted on Amazon AWS servers, its DNS records clearly show that it is administered by someone from China.
It is not known what a user's browsing habits and search history is being used for, but it is obviously concerning that a program is collecting this information without a user's knowledge and sending it to an unknown organization in another country.
It turns out that Adware Doctor has a dubious history and that Thomas Reed, the developer of Malwarebytes for Mac, has also been keeping an eye on this program since 2015.
"The developer of this app is one that we at Malwarebytes have had our eye on since 2015," Reed stated in a Malwarebytes blog post. "At that time, we discovered an app on the App Store named Adware Medic—a direct rip-off of my own highly-successful app of the same name, which became Malwarebytes for Mac. We immediately began detecting this, and contacted Apple about removing the app. It was eventually removed, but was replaced soon after by an identical app named Adware Doctor."
In addition to Adware Doctor, Reed has seen this type of data exfiltration in other products as well. For example, Reed stated that similar behavior was historically detected in programs called "Open Any Files: RAR Support", "Dr. Antivirus", and 'Dr. Cleaner".
According to Reed when he contacted Apple regarding the Open Any Files software, nothing was done.
"We reported this app to Apple in December 2017. It is still present on the App Store." Reed stated.
While Apple has definitely done a good job at keeping malicious applications out of their store, you have to wonder why reports from known researchers and companies are being ignored. As Wardle states in his blog, even though anyone can make a mistake, the researchers had contacted Apple about this application over a month ago, and in Reed's case much longer, and the apps continued to remain in the Mac Store.
"If Apple is really "review[ing] each app before it's accepted by the store" ... how were these grave (and obvious) violations of this application missed!?," Wardle states in his blog post. "Who knows, and maybe this one just slipped though. Maybe we should give them the benefit of the doubt, as yes we all make mistakes!But this bring us to the next point. Apple also claims that "if there's ever a problem with an app, Apple can quickly remove it from the store". Maybe the key word here is "can"."
From the finding from these three researchers, all from different organizations, it is clear that Apple needs to do a better job acting upon the free research provided by security professionals who are trying to protect consumers.