Apple has removed one of the most popular anti-malware app called Adware Doctor:Anti Malware &Ad from the official macOS App Store because it was gathering users’ browser histories and other sensitive data and then upload them to a remote server in China.
Adware Doctor the top paid utility in the official Mac App Store, it has a good reputation with thousands of reviews and a 4.8 star rating.
Ironically an application developed to protect Mac systems was exposing user personal data without his permission.
The unwanted behavior was spotted by a security researcher that goes online with Twitter account Privacy 1st, he discovered that Adware Doctor would gather browsing history from the Safari, Chrome, and the Firefox browsers, the search history on the App Store, and a list of running processes.
Top Sold MacOS AppStore application is ROGUE. Adware Doctor is stealing your privacy. PoC: https://t.co/LmveX593q0#malware #virus #MacOS #Apple #MacBook #MacBookPro #CyberSecurity #privacy #GDPR #Hacking #hackers #cyberpunk #Alert
— Privacy 1st (@privacyis1st) August 20, 2018
The expert discovered also that the gathered info was first stored in a password protected zip file named “history.zip”, then it would be uploaded to a remote server.
Privacy 1st shared his discovery with the former NSA white hat hacker Patrick Wardle that after conducting a personal review confirmed the findings of the researcher.
Below a video created by Privacy_1st to show his findings.
Patrick Wardle by redirecting DNS resolution was able to capture the exfiltrated data:
The history.zip file is exfiltrated to a remote to dscan.yelabapp.com that is hosted on Amazon AWS servers, but the analysis of the DNS entries confirms that it is administered by an entity in China.
The app was developed by an individual identified as “Yongming Zhang.” Wardle speculated that this may be a reference to “Zhang Yongming,” a Chinese serial killer.
Thomas Reed, director of Mac and mobile security at Malwarebytes, his firm is monitoring the activity of this developer since 2015.
“At that time, we discovered an app on the App Store named Adware Medic – a direct rip-off of my own highly-successful app of the same name, which became Malwarebytes for Mac,” Reed wrote.
“We immediately began detecting this, and contacted Apple about removing the app. It was eventually removed, but was replaced soon after by an identical app named Adware Doctor.”
Reed confirmed that similar data exfiltration methodology was observed in other products as well (i.e. “Open Any Files: RAR Support”, “Dr. Antivirus”, and ‘Dr. Cleaner”).
Unfortunately, Apple is allowing such kind of dubious behavior and is allowing similar app names that could generate confusion in the users.
“If Apple is really “review[ing] each app before it’s accepted by the store” … how were these grave (and obvious) violations of this application missed!?,” Wardle states in his blog post. “Who knows, and maybe this one just slipped though. Maybe we should give them the benefit of the doubt, as yes we all make mistakes!But this bring us to the next point. Apple also claims that “if there’s ever a problem with an app, Apple can quickly remove it from the store”. Maybe the key word here is “can”.”