The app's misbehavior was first noted by a security researcher who goes by name Privacyis1st on Twitter and claims to have alerted Apple to the weirdness in early August. What's more, this appears not to be an isolated incident: Malwarebytes on Friday noted that several different macOS App Store apps have been spotted siphoning off folks' data.
Another security researcher, Patrick Wardle, working in conjunction with Privacyis1st, published an analysis of Adware Doctor on Friday, which appears to have encouraged Apple to take action.
As Wardle – an expert in Apple security – noted, Adware Doctor, which sold for $4.99, was the fourth-highest grossing app in the "Paid Utilities" category of the macOS App Store.
The developer was identified as "Yongming Zhang." Wardle suggested this may be a reference to "Zhang Yongming," a Chinese serial killer. It's not certain the programmer is Chinese or is based there, but it appears the exfiltrated data was being sent to servers in China.
According to Thomas Reed, director of Mac and mobile security at Malwarebytes, the antivirus corp has been aware of this lone developer since 2015.
"At that time, we discovered an app on the App Store named Adware Medic – a direct rip-off of my own highly-successful app of the same name, which became Malwarebytes for Mac," he wrote. "We immediately began detecting this, and contacted Apple about removing the app. It was eventually removed, but was replaced soon after by an identical app named Adware Doctor."
It should be said it wasn't exactly the same name: Malwarebytes' app was called AdwareMedic – without a space. Apple's tolerance of similarly named apps explains why there's currently still an app in the App Store called Adware Doctor – Adware Malware Remover, Browser & Mail Cleaner.
Chatting to El Reg, Reed said: "There's definitely a naming issue on the App Store, because this has happened twice, with two different scam apps on the App Store, both using the name Adware Medic. Also, before Apple removed the offending Adware Doctor app earlier today, there were actually two apps, from different developers, with that exact name. (The other remains on the store.) There's also one called Total Adware Doctor."
Reed's post also points the finger at other apps for data harvesting: Open Any Files, Dr. Antivirus, and Dr. Cleaner.
Wardle's analysis delves into the techniques used by Adware Doctor to exfiltrate users' browser history files from Chrome, Firefox, and Safari, a clear violation of user privacy expectations and App Store rules. He notes that the application also collects a list of running processes on the user's device, something that he suggests skirts Apple's app sandboxing mechanism.
Apple declined to comment on the record. The Register, however, has come to understand from people familiar with the App Store's policies that accessing files in the user's home directory is not a violation of sandboxing rules when the user has granted the app permission to do so. Secretly sending browser history files to a remote server, however, represents a violation of App Store Review Guidelines.
Whether system-level process enumeration should be prevented by app sandboxing for an app granted broad permissions to fulfill its purported malware hunting job isn't clear.
Wardle told The Register: "There are conflicting reports about where process enumeration is in fact blocked by the sandbox." In any event, Apple's removal of Adware Doctor makes it clear there was a problem.
The imminent arrival of the next version of macOS, macOS Mojave, should improve the situation. The OS update extends sandboxing protection to browser history and cookies, so even were someone to grant home directory access, the app at least in theory would not be able to access those files.
Reed, however, urges caution. He concludes his post by saying, "It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. ... I strongly encourage you to treat the App Store just like you would any other download location: as potentially dangerous." ®
Sponsored: Webcast: Simplify data protection on AWS