Apple today removed a very popular anti-malware app called Adware Doctor from the Mac App Store because it was gathering browsing history and other sensitive information without the user's permission and then uploading it to someone in China.
Adware Doctor is promoted as an anti-malware and adware protection program that claims to be able to protect your Mac from malicious files and your browser from adware. This program was the #1 paid utility in the Mac App Store, with a 4.8 star rating and over 7,000 reviews.
While it may have had the ability to remove infections on your Mac, it was also discovered to be quietly uploading a user's personal data without their permission to a remote site.
This behavior was first discovered by a security researcher named Privacy_1st, who noticed that Adware Doctor would gather a user's browsing history from the Chrome, Safari, and Firefox browsers, a list of running processes, and App Store search history.
This information is then stored in a password-protected zip file called history.zip. After the history zip was created, it would be uploaded to a remote server.
To document this behavior, Privacy_1st created a video showing what happens when the program is executed.
After discovering that this program was performing data exfiltration, or the act of secretly uploading data to a remote server, the researcher contacted Patrick Wardle of Objective-see to collaborate with him on the analysis of this program.
In a blog post released today, Patrick corroborates Privacy_1st's findings and provides a detailed analysis of how the program would secretly gather a user's browsing habits and application details and then upload them to a remote host.
Data uploaded to server in China
When Adware Doctor uploaded a user's data, it would send the history.zip file to a remote host named adscan.yelabapp.com. While this domain is hosted on Amazon AWS servers, its DNS records clearly show that it is administered by someone from China.
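As an added illustration of how a defender might catch the behavior described above and in the earlier paragraphs (an archive named history.zip POSTed to adscan.yelabapp.com), here is example detection logic, not code from the article or from any of the researchers, run over constructed egress-proxy log lines. The key=value log format, the process allowlist and the sample lines are assumptions made for this example; only the destination domain and the archive name come from the article.

```python
import shlex

# Indicators taken from the article: the upload destination and the archive name.
EXFIL_DOMAIN = "adscan.yelabapp.com"
EXFIL_ARCHIVE = "history.zip"

# Hypothetical allowlist of processes that are expected to upload archives (assumption).
ALLOWED_UPLOADERS = {"Dropbox", "Backup Agent"}

# Constructed egress-proxy log lines in a key=value format (not real data).
SAMPLE_LOG = """\
ts=2018-09-07T10:12:01Z proc="Adware Doctor" method=POST host=adscan.yelabapp.com file=history.zip bytes=184320
ts=2018-09-07T10:12:05Z proc=Safari method=GET host=www.apple.com file=- bytes=51200
ts=2018-09-07T10:13:40Z proc=Dropbox method=POST host=api.dropbox.com file=notes.zip bytes=90000
ts=2018-09-07T10:14:02Z proc=Notes method=POST host=cdn.example.net file=backup.zip bytes=70000
"""

def parse_line(line):
    """Split one key=value log line into a dict; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def classify(event):
    """Return the names of the detection rules that fire for one parsed event."""
    hits = []
    if event.get("host", "").lower() == EXFIL_DOMAIN:
        hits.append("known_exfil_domain")
    if event.get("method") == "POST" and event.get("file", "-").lower().endswith(".zip"):
        if event["file"].lower() == EXFIL_ARCHIVE:
            hits.append("history_zip_upload")
        if event.get("proc") not in ALLOWED_UPLOADERS:
            hits.append("archive_upload_unexpected_process")
    return hits

def scan_log(text):
    """Return (process, host, hits) for every line that triggered at least one rule."""
    findings = []
    for line in text.splitlines():
        event = parse_line(line)
        hits = classify(event)
        if hits:
            findings.append((event.get("proc"), event.get("host"), hits))
    return findings

if __name__ == "__main__":
    for proc, host, hits in scan_log(SAMPLE_LOG):
        print(f"{proc} -> {host}: {', '.join(hits)}")
```

The domain rule only catches this one campaign; the behavioral rule (an archive uploaded by a process that is not a known sync client) is what generalizes to the next app of this kind.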
It is not known what a user's browsing habits and search history are being used for, but it is obviously concerning that a program is collecting this information without the user's knowledge and sending it to an unknown organization in another country.
Adware Doctor has a dubious history
It turns out that Adware Doctor has a dubious history and that Thomas Reed, the developer of Malwarebytes for Mac, has also been keeping an eye on this program since 2015.
'The developer of this app is one that we at Malwarebytes have had our eye on since 2015,' Reed stated in a Malwarebytes blog post. 'At that time, we discovered an app on the App Store named Adware Medic—a direct rip-off of my own highly-successful app of the same name, which became Malwarebytes for Mac. We immediately began detecting this, and contacted Apple about removing the app. It was eventually removed, but was replaced soon after by an identical app named Adware Doctor.'
In addition to Adware Doctor, Reed has seen this type of data exfiltration in other products as well. For example, Reed stated that similar behavior was historically detected in programs called 'Open Any Files: RAR Support', 'Dr. Antivirus', and 'Dr. Cleaner'.
According to Reed, when he contacted Apple regarding the Open Any Files software, nothing was done.
'We reported this app to Apple in December 2017. It is still present on the App Store,' Reed stated.
Apple too slow to remove reported apps?
While Apple has definitely done a good job at keeping malicious applications out of its store, you have to wonder why reports from known researchers and companies are being ignored. As Wardle states in his blog, even though anyone can make a mistake, the researchers had contacted Apple about this application over a month ago, and in Reed's case much longer, and the apps continued to remain in the Mac App Store.
'If Apple is really 'review[ing] each app before it's accepted by the store' ... how were these grave (and obvious) violations of this application missed!?' Wardle states in his blog post. 'Who knows, and maybe this one just slipped through. Maybe we should give them the benefit of the doubt, as yes we all make mistakes! But this brings us to the next point. Apple also claims that 'if there's ever a problem with an app, Apple can quickly remove it from the store'. Maybe the key word here is 'can'.'
From the findings of these three researchers, all from different organizations, it is clear that Apple needs to do a better job of acting upon the free research provided by security professionals who are trying to protect consumers.