Mac app Adware Doctor caught stealing users' browsing histories
A highly popular anti-adware tool in the Mac App Store "surreptitiously steals your browsing history", alleges a security researcher. "All your data are belong to China!", as he puts it.
Patrick Wardle conducted research into Adware Doctor -- one of the most popular paid-for apps in the App Store -- after concerns were raised by another security researcher. His research "uncovered blatant violations of user privacy and complete disregard of Apple's App Store Guidelines", including the theft and sharing of browsing history with a Chinese server.
While this is concerning, what is particularly alarming is that Apple has known about this for at least a couple of weeks -- and has done nothing about it. While Wardle has only just published details of his fairly extensive investigation, his research was sparked by a security researcher going by the name Privacy 1st on Twitter. This researcher tweeted on August 20:
Top Sold MacOS AppStore application is ROGUE. Adware Doctor is stealing your privacy. PoC: https://t.co/LmveX593q0 #malware #virus #MacOS #Apple #MacBook #MacBookPro #CyberSecurity #privacy #GDPR #Hacking #hackers #cyberpunk #Alert
— Privacy 1st (@privacyis1st) August 20, 2018
Wardle went ahead and bought Adware Doctor before analyzing the app and its activities.
At first it seemed as though there was little out of the ordinary, but then Wardle noticed that the software had created a password-protected archive called history.zip and was trying to upload it. Cracking the password was simple enough, and extracting the contents of the archive showed that it did indeed contain Wardle's browsing history.
It appears that Adware Doctor is able to break out of the Mac App Sandbox and extract browsing history from web browsers. Wardle says:
Now, an anti-malware or anti-adware tool is going to need legitimate access to user's files and directories -- for example to scan them for malicious code. However, once the user has clicked Allow since Adware Doctor requested permission to the user's home directory, it will have carte blanche access to all the user's files. So yes, it will be able to detect and clean adware, but also collect and exfiltrate any user file it so chooses!
Adware Doctor contains several methods for collecting a variety of information about the system and user. While some (such as a process list) perhaps have a legitimate reason for being collected by an anti-malware or anti-adware product, others such as the user's browsing history seem to be a blatant violation of the user's privacy (and of course Apple's strict Mac App Store rules).
Apple has been notified about Adware Doctor's activities but has done nothing. The app remains available for purchase, putting unknowing users at risk.