Multiple apps developed by Trend Micro are no longer available in the Mac App Store after researchers showed they were collecting browser history and information about users' computers.
On Friday, Apple removed Adware Doctor, a top security app, from its store, on the exact same grounds.
The apps are Dr. Antivirus, Dr. Cleaner, and Dr. Unarchiver, all under the developer account Trend Micro, Incorporated. Until removal, all products were top-sellers, with thousands of positive reviews and average ratings between 4.6 and 4.9.
The first public report of a Trend Micro product in the App Store engaging in shady activities came in late 2017 when user PeterNopSled told Malwarebytes forum members "that his Mac was taken over by Open Any Files: RAR Support," and it did not let him open Word or Excel files.
He discovered that the app was promoting the Trend Micro Antivirus product in the store, with no apparent connection.
Thomas Reed, the developer of Malwarebytes for Mac, chimed in on the thread confirming the unethical behavior and the connection between the two apps.
"Dr. Antivirus does appear to be legitimately associated with Trend Micro, on initial investigation, and the Open Any Files app uses an affiliate code to link to the Dr. Antivirus page on the App Store. Dr. Antivirus appears to be junk - I threw 23 components of malware from this year at it, and it only detected 5 of them," Reed posted.
On Saturday, security researcher Privacy_1st published a video showing that Dr. Cleaner and Dr. Antivirus collected browser history from Safari, Chrome, and Firefox, along with some system information.
iOS developer and 9to5Mac writer Guilherme Rambo found that Trend Micro's Dr. Unarchiver was also siphoning user data.
Privacy_1st looked into the three apps from Trend Micro and saw that they had hardcoded strings for exfiltrating user information.
They collected browser history and data from the device that could be used for identification. The researcher says that the serial number and the version of the operating system were among the exfiltrated details.
The final destination for the information was the trendmicro.com domain, the researcher told us, the same as the Open Any Files app.
Observing the behavior of the apps, the researcher noticed that they received at runtime a JSON file with different codes, which suggests that the apps retrieve commands from the mother ship for data exfiltration.
It is important to note that the three apps analyzed by Privacy_1st did not exhibit data exfiltration behavior every time they launched. Also, the researcher did not have a chance to look closer into this, but from his experience with analyzing APT malware, this looks like a valid theory.
The method used by Dr. Antivirus, Dr. Cleaner, and Dr. Unarchiver to upload user data to an external server is not unique, Privacy_1st points out.
Adware Doctor and Komros Adware Cleaner (both from the same developer), Open Any Files and Adblock Master relied on the same technique to lift the information from users.
Another thing these apps have in common is a connection with Trend Micro and a Chinese developer.
The apps have been reported to Apple since mid-August and are currently removed from the Mac App Store.
Also removed is App Uninstall (spotted by security researcher Joshua Long), another product under Trend Micro's developer account.
Trend Micro's list of apps in the App Store at the time of publishing is reduced to two entries: Network Scanner (five ratings) and Dr. WiFi (not rated yet).
We reached out to Trend Micro for a statement on the matter but received no reply at the time of publishing.
Update [September 10, 19:13]: Trend Micro released a statement less than an hour ago denying that its apps were stealing user data. The company says that an initial investigation confirms that Dr. Cleaner, Dr. Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder collected browser snapshots, but the behavior was disclosed in the EULAs of each product.
"This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service)," Trend Micro explains, adding that the data was uploaded to a server in the US on Amazon Web Services, not in China.
Trend Micro has yet to explain the connection with shady apps from other developers and why its products were removed from the App Store. A representative of the company told BleepingComputer that the company statement would be updated continuously.