Top antivirus tool nuked from macOS App Store – after it phoned browser histories to China

Caution urged on downloads after Apple tears down utility


Apple has removed an app called Adware Doctor:Anti Malware &Ad from the macOS App Store following claims it sent users' browser histories to a remote server in China.

The app's misbehavior was first noted by a security researcher who goes by name Privacyis1st on Twitter and claims to have alerted Apple to the weirdness in early August. What's more, this appears not to be an isolated incident: Malwarebytes on Friday noted that several different macOS App Store apps have been spotted siphoning off folks' data.

Another security researcher, Patrick Wardle, working in conjunction with Privacyis1st, published an analysis of Adware Doctor on Friday, which appears to have encouraged Apple to take action.

As Wardle – an expert in Apple security – noted, Adware Doctor, which sold for $4.99, was the fourth-highest grossing app in the "Paid Utilities" category of the macOS App Store.

Exfiltrated

The developer was identified as "Yongming Zhang." Wardle suggested this may be a reference to "Zhang Yongming," a Chinese serial killer. It's not certain the programmer is Chinese or is based there, but it appears the exfiltrated data was being sent to servers in China.

According to Thomas Reed, director of Mac and mobile security at Malwarebytes, the antivirus corp has been aware of this lone developer since 2015.

"At that time, we discovered an app on the App Store named Adware Medic – a direct rip-off of my own highly-successful app of the same name, which became Malwarebytes for Mac," he wrote. "We immediately began detecting this, and contacted Apple about removing the app. It was eventually removed, but was replaced soon after by an identical app named Adware Doctor."

It should be said it wasn't exactly the same name: Malwarebytes' app was called AdwareMedic – without a space. Apple's tolerance of similarly named apps explains why there's currently still an app in the App Store called Adware Doctor – Adware Malware Remover, Browser & Mail Cleaner.

Chatting to El Reg, Reed said: "There's definitely a naming issue on the App Store, because this has happened twice, with two different scam apps on the App Store, both using the name Adware Medic. Also, before Apple removed the offending Adware Doctor app earlier today, there were actually two apps, from different developers, with that exact name. (The other remains on the store.) There's also one called Total Adware Doctor."

Reed's post also points the finger at other apps for data harvesting: Open Any Files, Dr. Antivirus, and Dr. Cleaner.

Sandboxed

Wardle's analysis delves into the techniques used by Adware Doctor to exfiltrate users' browser history files from Chrome, Firefox, and Safari, a clear violation of user privacy expectations and App Store rules. He notes that the application also collects a list of running processes on the user's device, something that he suggests skirts Apple's app sandboxing mechanism.

Apple declined to comment on the record. The Register, however, has come to understand from people familiar with the App Store's policies that accessing files in the user's home directory is not a violation of sandboxing rules when the user has granted the app permission to do so. Secretly sending browser history files to a remote server, however, represents a violation of App Store Review Guidelines.

Whether system-level process enumeration should be prevented by app sandboxing for an app granted broad permissions to fulfill its purported malware hunting job isn't clear.

Wardle told The Register: "There are conflicting reports about where process enumeration is in fact blocked by the sandbox." In any event, Apple's removal of Adware Doctor makes it clear there was a problem.

The imminent arrival of the next version of macOS, macOS Mojave, should improve the situation. The OS update extends sandboxing protection to browser history and cookies, so even were someone to grant home directory access, the app at least in theory would not be able to access those files.

Reed, however, urges caution. He concludes his post by saying, "It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. ... I strongly encourage you to treat the App Store just like you would any other download location: as potentially dangerous." ®


Other stories you might like

  • Mega's unbreakable encryption proves to be anything but
    Boffins devise five attacks to expose private files

    Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its "privacy by design" and user-controlled encryption keys to claim that data stored on Mega's servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.

    The design of the service, however, falls short of that promise thanks to poorly implemented encryption. Cryptography experts at ETH Zurich in Switzerland on Tuesday published a paper describing five possible attacks that can compromise the confidentiality of users' files.

    The paper [PDF], titled "Mega: Malleable Encryption Goes Awry," by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies "significant shortcomings in Mega’s cryptographic architecture" that allow Mega, or those able to mount a TLS MITM attack on Mega's client software, to access user files.

    Continue reading
  • Apple gets lawsuit over Meltdown and Spectre dismissed
    Judge finds security is not a central feature of iDevices

    A California District Court judge has dismissed a proposed class action complaint against Apple for allegedly selling iPhones and iPads containing Arm-based chips with known flaws.

    The lawsuit was initially filed on January 8, 2018, six days after The Register revealed the Intel CPU architecture vulnerabilities that would later come to be known as Meltdown and Spectre and would affect Arm and AMD chips, among others, to varying degrees.

    Amended in June, 2018 the complaint [PDF] charges that the Arm-based Apple processors in Cupertino's devices at the time suffered from a design defect that exposed sensitive data and that customers "paid more for their iDevices than they were worth because Apple knowingly omitted the defect."

    Continue reading
  • Travis CI exposes free-tier users' secrets – new claim
    API can be manipulated to reveal tokens in clear text log data

    Travis CI stands for "Continuous Integration" but might just as well represent "Consciously Insecure" if, as security researchers claim, the company's automation software exposes secrets by design.

    Aqua Security Software on Monday said its researchers had reported a data disclosure vulnerability with the Travis CI API. The response they said they received is that everything is working as intended.

    In a blog post security researchers Yakir Kadkoda, Ilay Goldman, Assaf Morag, and Ofek Itach said they had found tens of thousands of user tokens were accessible through the Travis CI API, which provides a way to fetch clear-text log files.

    Continue reading
  • Inverse Finance stung for $1.2 million via flash loan attack
    Just cryptocurrency things

    A decentralized autonomous organization (DAO) called Inverse Finance has been robbed of cryptocurrency somehow exchangeable for $1.2 million, just two months after being taken for $15.6 million.

    "Inverse Finance’s Frontier money market was subject to an oracle price manipulation incident that resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million," the organization said on Thursday in a post attributed to its Head of Growth "Patb."

    And Inverse Finance would like its funds back. Enumerating the steps the DAO intends to take in response to the incident, Patb said, "First, we encourage the person(s) behind this incident to return the funds to the Inverse Finance DAO in return for a generous bounty."

    Continue reading

Biting the hand that feeds IT © 1998–2022