[Update 8:54 am PT: Apple has pulled Adware Doctor from the Mac App Store. See below for more.]
Adware Doctor, the number one paid utility in the Mac App Store, is secretly logging the browser history of users, and sending it to a server in China.
Security researcher Patrick Wardle says that he notified Apple of this a month ago, but the malware app still remains available in the Mac App Store today …
Threatpost notes that everything about the app would appear legitimate.
The app originally posed as Adware Medic, an app owned by Malwarebytes (and subsequently renamed to Malwarebytes for Mac), leading Apple to pull it. But when it changed its name to Adware Doctor, Apple allowed it back into the App Store.
Wardle did a deep dive into the app to find out what it was doing, after being alerted to it by Privacy 1st.
He found that the app creates a password-protected archive called history.zip. It then uploads that file to a server which appears to be based in China. Wardle found that the password was hard-coded, enabling him to open the zip file and examine its contents. He found that it contained browser history from Chrome, Firefox and – yes – Safari.
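A defender who captures an archive like the one described above will want to confirm what it carries before attributing it. The following triage routine is an added example (not Wardle's code and not part of the article): it opens a zip in memory, notes whether entries are encrypted, matches entry names against the well-known history database file names of Chrome, Firefox and Safari, and verifies each match by its SQLite header. The sample archive it builds is constructed for the demonstration; the browser file names are general macOS facts, not taken from the article.

```python
import io
import posixpath
import zipfile
from typing import Optional

SQLITE_MAGIC = b"SQLite format 3\x00"

# History database file names of the three browsers named in the article
# (general macOS facts; the article itself does not list file names).
BROWSER_HISTORY_FILES = {
    "History": "Chrome",        # .../Google/Chrome/Default/History
    "places.sqlite": "Firefox",  # .../Firefox/Profiles/<id>/places.sqlite
    "History.db": "Safari",      # ~/Library/Safari/History.db
}


def triage_archive(data: bytes, password: Optional[bytes] = None) -> dict:
    """Report whether a zip (e.g. a captured history.zip) carries browser history
    databases: encryption status, SQLite-verified entries per browser, entry count."""
    result = {"encrypted": False, "browsers": {}, "entries": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            result["entries"] += 1
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                result["encrypted"] = True
            browser = BROWSER_HISTORY_FILES.get(posixpath.basename(info.filename))
            if browser is None:
                continue
            try:
                # A hard-coded password, once recovered, is passed here as bytes.
                with zf.open(info, pwd=password) as fh:
                    head = fh.read(len(SQLITE_MAGIC))
            except RuntimeError:  # entry is encrypted and the password is missing/wrong
                head = b""
            if head == SQLITE_MAGIC:
                result["browsers"].setdefault(browser, []).append(info.filename)
    return result


def build_sample_archive() -> bytes:
    """Constructed stand-in for history.zip (unencrypted; the stdlib cannot write
    ZipCrypto): three SQLite-looking history files plus one decoy text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Google/Chrome/Default/History", SQLITE_MAGIC + b"\x00" * 32)
        zf.writestr("Firefox/Profiles/abc.default/places.sqlite", SQLITE_MAGIC + b"\x00" * 32)
        zf.writestr("Safari/History.db", SQLITE_MAGIC + b"\x00" * 32)
        zf.writestr("readme.txt", b"not a database")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```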
Wardle notes that sandboxing ought to prevent Mac apps from getting access to data belonging to other apps, but that Adware Doctor requests universal access when first run – which would be expected to allow a malware scan, so wouldn’t appear suspicious. However, he found that the app was also able to access running processes, something that sandboxing should still prevent.
Ironically, he found that the app circumvents this protection by using Apple’s own code.
The app also logs the apps you’ve downloaded, and their source.
As of the time of writing, the server collecting the data is offline, possibly as a result of the attention it has now received, but it could be easily reactivated.
Wardle says his greatest concern is why Apple has left the malware in the Mac App Store a month after he alerted the company to his findings.
Update: We understand Apple’s view is that the app doesn’t defeat sandboxing, since the intention is to ensure users are in control of what apps can and can’t do, and it is users who granted permission. That said, macOS Mojave does increase sandboxing protections, so that even if a user grants permission for total access, it will still protect sensitive information like Safari history and cookies.