Trend Micro Apps removed from Mac App Store after being caught exfiltrating user data

Pierluigi Paganini September 11, 2018

Several anti-malware apps developed by Trend Micro have been removed from the Mac App Store because they were harvesting users’ browser history and other info.

Several anti-malware apps developed by Trend Micro, including Dr Cleaner, Dr. Unarchiver, Dr Antivirus, and App Uninstall, have been removed from the Mac App Store after researchers discovered they were harvesting users’ browser history and other information.

At the time of writing, it is not clear if Trend Micro removed the apps itself following complaints or if Apple removed them due to their activities.

The security researcher that handle the Twitter account Privacy First first reported the alleged unethical behavior and published a video that shows how the app harvest users ‘data.

Former NSA white hat hacker Patrick Wardle reported last week that Trend Micro apps were also collecting users’ personal data including their browsing history and then uploaded that data in a password-protected archive to a server.

“Moreover, the network proxy monitor (Charles Proxy) captures a connection attempt from Adware Doctor to adscan.yelabapp.com:” “By editing the system’s /etc/hosts file we can redirect this request to a server we control and can capture what Adware Doctor is trying to upload. And what do you think that might be? If you guessed the history.zip file you would be correct!” wrote Wardle.

“The uploaded ‘history.zip’ archive is password protected:”

Wardle highlighted that the applications he analyzed were signed off by Trend Micro and approved by Apple.

“The other benefit is that Apple supposedly vets all submitted applications – but as we’ve clearly shown here, they (sometimes?) do a miserable job.)”

Trend Micro has admitted that browser histories were collected as part of the code’s installation. In a statement today, the biz said:

Dr Cleaner, Dr Cleaner Pro, Dr Antivirus, Dr Unarchiver, Dr Battery, and Duplicate Finder collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation. This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service).” reads the official reply published by the company.

“The data collected was explicitly identified to the customer in the data collection policy and is highlighted to the user during the install. The browser history data was uploaded to a US-based server hosted by AWS and managed/controlled by Trend Micro.” 

Trend announced it is removing the suspicious feature from its application.

Just yesterday I reported the news of a group of security researchers behind the Guardian mobile firewall app that revealed that a growing number of iOS apps currently collect location data, WiFi network IDs and other data, from iPhone users and sell them to advertising companies.

Let me immediately highlight that these iOS apps collect data by asking users for permission to do it, but lack to inform users that gathered information are shared with third-party advertising and marketing companies.

The experts have observed that all these apps have embedded tracking codes provided by advertising and marketing firms.

“The GuardianApp team has discovered that a growing number of iOS apps have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms. In many cases, the packaged tracking code may run at all times, constantly sending user GPS coordinates and other information.” states the Guardian app research team.

“In order to gain initial access to precise data from the mobile device’s GPS sensors, the apps usually present a plausible justification relevant to the app in the Location Services permission dialog, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation.”
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Trend Micro, China)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment