Apple has removed Adware Doctor: Anti Malware & Ad, one of the most popular anti-malware apps in the official macOS App Store, because it was gathering users’ browser histories and other sensitive data and uploading them to a remote server in China.
Adware Doctor was the top paid utility in the official Mac App Store and enjoyed a good reputation, with thousands of reviews and a 4.8-star rating.
Ironically, an application developed to protect Mac systems was exposing users’ personal data without their permission.
The unwanted behavior was spotted by a security researcher who goes by the Twitter handle Privacy 1st. He discovered that Adware Doctor would gather browsing history from the Safari, Chrome and Firefox browsers, the search history of the App Store, and a list of running processes.
Top Sold MacOS AppStore application is ROGUE. Adware Doctor is stealing your privacy. PoC: https://t.co/LmveX593q0 #malware #virus #MacOS #Apple #MacBook #MacBookPro #CyberSecurity #privacy #GDPR #Hacking #hackers #cyberpunk #Alert
— Privacy 1st (@privacyis1st) August 20, 2018
The expert also discovered that the gathered information was first stored in a password-protected zip file named “history.zip”, which was then uploaded to a remote server.
Privacy 1st shared his discovery with the former NSA white hat hacker Patrick Wardle, who confirmed the researcher’s findings after conducting his own review.
Below is a video created by Privacy_1st to show his findings.
By redirecting DNS resolution, Patrick Wardle was able to capture the exfiltrated data:
The history.zip file is exfiltrated to a remote server, dscan.yelabapp.com, which is hosted on Amazon AWS; analysis of the DNS entries, however, confirms that it is administered by an entity in China.
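The behavior described above (a utility reading the browsers’ history stores, packing them into a password-protected archive, and sending that archive to an external host) leaves a recognisable metadata trail even though the archive’s contents cannot be inspected. The following detection sketch is an added example and is not code from the article, from Privacy 1st or from Patrick Wardle. It assumes an endpoint agent that records per-process file-open and network-send events in a simple “key=value” line format (constructed here); only the destination dscan.yelabapp.com and the archive name history.zip come from the article, and the macOS history-store paths are the standard locations for Safari, Chrome and Firefox.

```python
"""Correlate file-access and egress events to flag the exfiltration pattern
described in the article. Added example with constructed sample logs; the log
format and the endpoint agent that would produce it are assumptions."""
import re
from collections import defaultdict

# Destination reported in the article. Any other host here would be your own watchlist.
WATCHLIST_HOSTS = {"dscan.yelabapp.com"}

# Browser history stores on macOS that a third-party "cleaner" has no reason to read.
HISTORY_STORES = {
    "Safari": re.compile(r"/Library/Safari/History\.db$"),
    "Chrome": re.compile(r"/Library/Application Support/Google/Chrome/[^/]+/History$"),
    "Firefox": re.compile(r"/Library/Application Support/Firefox/Profiles/[^/]+/places\.sqlite$"),
}

ARCHIVE_RE = re.compile(r"\.(zip|tar|gz|7z)$", re.IGNORECASE)

# Constructed sample log: "<ts> <event> pid=<n> proc=<name> <rest>"
SAMPLE_LOG = """\
1534800001 file_open pid=4242 proc=AdwareDoctor path=/Users/alice/Library/Safari/History.db
1534800002 file_open pid=4242 proc=AdwareDoctor path=/Users/alice/Library/Application Support/Google/Chrome/Default/History
1534800003 file_open pid=4242 proc=AdwareDoctor path=/Users/alice/Library/Application Support/Firefox/Profiles/abc.default/places.sqlite
1534800004 file_open pid=4242 proc=AdwareDoctor path=/Users/alice/Library/Application Support/Google/Chrome/Default/History
1534800010 net_send pid=4242 proc=AdwareDoctor host=dscan.yelabapp.com bytes=183220 upload=history.zip
1534800011 file_open pid=777 proc=Safari path=/Users/alice/Library/Safari/History.db
1534800012 net_send pid=777 proc=Safari host=www.example.com bytes=1200 upload=-
1534800020 net_send pid=900 proc=Dropbox host=api.dropboxapi.com bytes=500000 upload=photo.zip
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<event>\w+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) (?P<rest>.*)$")


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not have the expected shape
        ev = {"ts": int(m["ts"]), "event": m["event"], "pid": int(m["pid"]), "proc": m["proc"]}
        rest = m["rest"]
        if ev["event"] == "file_open":
            ev["path"] = rest[len("path="):]  # paths may contain spaces, so take the remainder whole
        elif ev["event"] == "net_send":
            for field in rest.split(" "):
                key, _, value = field.partition("=")
                ev[key] = value
            ev["bytes"] = int(ev.get("bytes", 0))
        events.append(ev)
    return events


def browser_for(path):
    """Name of the browser whose history store this path is, or None."""
    for name, pattern in HISTORY_STORES.items():
        if pattern.search(path):
            return name
    return None


def analyze(events):
    """One alert per process that either contacts a watchlisted host or sends an
    archive out after reading another application's browser history."""
    history_reads = defaultdict(set)  # pid -> set of browser names whose history was read
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["event"] == "file_open":
            browser = browser_for(ev["path"])
            if browser and ev["proc"] != browser:  # a browser reading its own history is normal
                history_reads[pid].add(browser)
        elif ev["event"] == "net_send":
            reasons = []
            if ev.get("host") in WATCHLIST_HOSTS:
                reasons.append(f"egress to watchlisted host {ev['host']}")
            upload = ev.get("upload", "-")
            if history_reads[pid] and ARCHIVE_RE.search(upload):
                reasons.append(f"archive {upload} sent to {ev['host']} after reading "
                               f"{', '.join(sorted(history_reads[pid]))} history")
            if reasons:
                alert = alerts.setdefault(pid, {"pid": pid, "proc": ev["proc"], "browsers": set(), "reasons": []})
                alert["browsers"] |= history_reads[pid]
                alert["reasons"].extend(reasons)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in analyze(parse_log(SAMPLE_LOG)):
        print(alert["proc"], alert["pid"], "->", "; ".join(alert["reasons"]))
```

The rule deliberately requires both halves of the pattern (history reads followed by an archive upload) before alerting on an unknown destination, so an ordinary sync client uploading a zip does not fire; the watchlist check stands alone because the destination itself is the indicator. Since the archive is encrypted, content inspection of the upload cannot help, which is why the correlation leans on file paths, archive name and destination.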
The app was developed by an individual identified as “Yongming Zhang.” Wardle speculated that this may be a reference to “Zhang Yongming,” a Chinese serial killer.
Thomas Reed, director of Mac and mobile security at Malwarebytes, said his firm has been monitoring the activity of this developer since 2015.
“At that time, we discovered an app on the App Store named Adware Medic – a direct rip-off of my own highly-successful app of the same name, which became Malwarebytes for Mac,” Reed wrote.
“We immediately began detecting this, and contacted Apple about removing the app. It was eventually removed, but was replaced soon after by an identical app named Adware Doctor.”
Reed confirmed that a similar data exfiltration methodology was observed in other products as well (i.e. “Open Any Files: RAR Support”, “Dr. Antivirus”, and “Dr. Cleaner”).
Unfortunately, Apple is tolerating this kind of dubious behavior and is permitting look-alike app names that can confuse users.
“If Apple is really “review[ing] each app before it’s accepted by the store” … how were these grave (and obvious) violations of this application missed!?” Wardle states in his blog post. “Who knows, and maybe this one just slipped through. Maybe we should give them the benefit of the doubt, as yes we all make mistakes! But this brings us to the next point. Apple also claims that “if there’s ever a problem with an app, Apple can quickly remove it from the store”. Maybe the key word here is “can”.”