A popular top-tier app in Apple’s Mac App Store was found pilfering browser histories from anyone who downloads it.
Yet still, at the time of writing, the rogue app — Adware Doctor — stands as the No.1 grossing paid app in the app store’s utilities categories. But Apple was warned weeks ago and did nothing to pull the app offline.
Now it seems Apple has pulled the app. Apple would not comment on the record.
Apple’s walled garden approach to Mac and iPhone security is almost entirely based on the inability to install apps outside the app store, which Apple monitors closely. While it’s not uncommon to hear of dangerous apps slipping into Google’s Play store, it’s nearly unheard of for Apple to face the same fate. Any app that doesn’t meet the company’s strict security and sometimes moral criteria will be rejected, and users won’t able to install it.
This app promises to “keep your Mac safe” and “get rid of annoying pop-up ads” — and even “discover and remove threats on your Mac.” But what the app won’t tell you is that for just a few bucks it’ll steal and download your browser history — including all the sites you’ve searched for or accessed — to servers in China run by the app’s makers.
Thanks in part to a video posted last month on YouTube and with help from security firm Malwarebytes, it’s now clear what the app is up to.
Security researcher Patrick Wardle, a former NSA hacker and now chief research officer at cybersecurity startup Digita Security, dug in and shared his findings with TechCrunch.
Wardle found that the downloaded app jumped through hoops to bypass Apple’s Mac sandboxing features, which prevents apps from grabbing data on the hard drive, and upload a user’s browser history on Chrome, Firefox and Safari browsers.
Wardle found that the app, thanks to Apple’s own flawed vetting, could request access to the user’s home directory and its files. That isn’t out of the ordinary, Wardle says, because tools that market themselves as anti-malware or anti-adware expect access to the user’s files to scan for problems. When a user allows that access, the app can detect and clean adware — but if found to be malicious, it can “collect and exfiltrate any user file,” said Wardle.
Once the data is collected, it’s zipped into an archive file and sent to a domain based in China.
Signal for Mac users should disable notifications to keep their messages secure
Wardle said that for some reason in the last few days the China-based domain went offline. At the time of writing, TechCrunch confirmed that the domain wouldn’t resolve — in other words, it was still down.
“Let’s face it, your browsing history provides a glimpse into almost every aspect of your life,” said Wardle’s post. “And people have even been convicted based largely on their internet searches!”
He said that the app’s access to such data “is clearly based on deceiving the user.”
Apple was contacted weeks ago. The email it responded with, in not so many words, said “we can’t tell you anything,” but forwarded the feedback.
A meagre $4.99 for the app may not seem much to the average user, but it’s a heavy price to pay for having the app steal your browser history — which users will never get back. And given that Apple makes a 30 percent cut of every purchase of this popular app, there isn’t much financial incentive to withdraw the app from the store.
Updated at 9:05am PT: with confirmation that the app has been pulled.
Comment