[Update 8:54 am PT: Apple has pulled Adware Doctor from the Mac App Store. See below for more.]
Adware Doctor, the number one paid utility in the Mac App Store, is secretly logging the browser history of users, and sending it to a server in China.
Security researcher Patrick Wardle says that he notified Apple of this a month ago, but the malware app still remains available in the Mac App Store today …
Threatpost notes that everything about the app would appear legitimate.
The app is currently listed on Apple’s Mac App Store as the company’s fourth-highest “Top Paid” software program, behind Final Cut Pro, Magnet and Logic Pro X. It is also the store’s No. 1 paid utility. The app currently costs $4.99, is validly signed by Apple, and its listing on the Mac App Store is accompanied by a majority of lavishly positive [likely fake] five-star reviews. Adware Doctor promotes its app as preventing “malware and malicious files from infecting your Mac.”
The app originally posed as Adware Medic, an app owned by Malwarebytes (and subsequently renamed to Malwarebytes for Mac), leading Apple to pull it. But when it changed its name to Adware Doctor, Apple allowed it back into the App Store.
Wardle found that the app creates a password-protected archive called history.zip. It then uploads that file to a server which appears to be based in China. He found that the password was hard-coded, enabling him to open the zip file and examine its contents. It contained browser history from Chrome, Firefox and – yes – Safari.
Wardle notes that sandboxing ought to prevent Mac apps from getting access to data belonging to other apps, but that Adware Doctor requests universal access when first run – which would be expected to allow a malware scan, so wouldn’t appear suspicious. However, he found that the app was also able to access running processes, something that sandboxing should still prevent.
Ironically, he found that the app circumvents this protection by using Apple’s own code.
It’s (likely) just a copy and paste of Apple’s GetBSDProcessList code (found in Technical Q&A QA1123 “Getting List of All Processes on Mac OS X”). Apparently this is how one can get a process listing from within the application sandbox! I’m guessing this method is unsanctioned (as it clearly goes against the design goals of sandbox isolation). And yes, rather amusing that the code Adware Doctor uses to skirt the sandbox is directly from Apple!
The app also logs the apps you’ve downloaded, and their source.
As of the time of writing, the server collecting the data is offline, possibly as a result of the attention it has now received, but it could be easily reactivated.
Wardle says his greatest concern is why Apple has left the malware in the Mac App Store a month after he alerted the company to his findings.
Update: We understand Apple’s view is that the app doesn’t defeat sandboxing, since the intention is to ensure users are in control of what apps can and can’t do, and it is users who granted permission. That said, macOS Mojave does increase sandboxing protections, so that even if a user grants permission for total access, it will still protect sensitive information like Safari history and cookies.