[Updated x2] BREAKING: No. 1 paid utility on Mac App Store steals users' browsing history & sends it to China
The number one paid utility in the Mac App Store is stealing user browser history.
[Update 2]: Additional apps have been caught stealing data.
[Update 1]: Apple has now pulled the malware from the App Store.
Security researcher Patrick Wardle reported Adware Doctor, a paid application on the macOS App Store, to Apple a month ago, but the malware has not yet been removed from the store.
The notes in the App Store say the following (please note that this information is false and the app is in disguise):
The app is currently listed on Apple’s Mac App Store as the company’s fourth-highest “Top Paid” software program, behind Final Cut Pro, Magnet and Logic Pro X. It is also the store’s No. 1 paid utility. The app currently costs $4.99, is validly signed by Apple, and its listing on the Mac App Store is accompanied by a majority of lavishly positive [likely fake] five-star reviews. Adware Doctor promotes its app as preventing “malware and malicious files from infecting your Mac.”
After being alerted by Privacy 1st, he looked into what the app was doing. The app creates a password-protected archive called history.zip and then uploads that archive to a server based in China. Wardle was able to open the file and saw that it contained browser history from Chrome, Firefox and even Safari.
The researcher also notes that sandboxing in macOS should prevent Mac apps from accessing data belonging to other apps; however, Adware Doctor requests that access when it is first run. He also found that the application could enumerate running processes, something the sandbox should prevent.
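As an added example (not code from this article or from Wardle's write-up), the Python triage helper below reports which browsers' history databases an archive like the history.zip described above contains, confirming each candidate by its SQLite header rather than trusting the file name alone. The archive built in `build_sample_archive` is constructed for illustration; the browser file names are the standard on-disk ones for Chrome, Firefox and Safari.

```python
import io
import posixpath
import zipfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 database

# On-disk names of each browser's history database. Paths differ per profile,
# so entries are matched on basename only.
HISTORY_FILES = {
    "History": "Chrome",         # .../Google/Chrome/<profile>/History
    "places.sqlite": "Firefox",  # .../Firefox/Profiles/<id>/places.sqlite
    "History.db": "Safari",      # ~/Library/Safari/History.db
}


def classify_history_archive(zip_bytes: bytes) -> dict:
    """Report which browsers' history databases a zip archive carries.

    Nothing is written to disk: entries are matched by basename and then
    confirmed by reading only the 16-byte SQLite header. Encrypted entries
    are counted but cannot be inspected without the archive password.
    """
    found = {}
    encrypted = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags: encrypted entry
                encrypted += 1
                continue
            browser = HISTORY_FILES.get(posixpath.basename(info.filename))
            if browser is None:
                continue
            with zf.open(info) as fh:
                if fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC:
                    found.setdefault(browser, []).append(info.filename)
    return {"browsers": sorted(found), "entries": found, "encrypted": encrypted}


def build_sample_archive() -> bytes:
    """Constructed stand-in for an exfiltration archive; payloads are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("history/chrome/Default/History", SQLITE_MAGIC + b"\x00" * 32)
        zf.writestr("history/firefox/abc123.default/places.sqlite", SQLITE_MAGIC + b"\x00" * 32)
        zf.writestr("history/safari/History.db", SQLITE_MAGIC + b"\x00" * 32)
        zf.writestr("history/README.txt", b"not a database")
        zf.writestr("history/notes/History", b"plain text that only shares Chrome's file name")
    return buf.getvalue()
```

The last two sample entries show why the header check matters: a file merely named `History` is not reported unless it is actually a SQLite database.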
By using Apple's own code, the app bypasses the protection:
It’s (likely) just a copy and paste of Apple’s GetBSDProcessList code (found in Technical Q&A QA1123 “Getting List of All Processes on Mac OS X”). Apparently this is how one can get a process listing from within the application sandbox! I’m guessing this method is unsanctioned (as it clearly goes against the design goals of sandbox isolation). And yes, rather amusing that the code Adware Doctor uses to skirt the sandbox is directly from Apple!
The app also accesses logs that you have downloaded. At the time of writing, the server that collects this data is offline; the reason is unknown.
If you have downloaded Adware Doctor, it is strongly recommended that you uninstall it from your Mac. Open Finder, click Applications, then delete the app. You may need an admin password to proceed.