Mac App Store apps are stealing user data

Mac App Store apps are stealing user data

There is a concerning trend lately in the Mac App Store. Several security researchers have independently found different apps that are collecting sensitive user data and uploading it to servers controlled by the developer. (This is referred to as exfiltrating the data.) Some of this data is actually being sent to Chinese servers, which may not be subject to the same stringent requirements around storage and protection of personally identifiable information like organizations based in the US or EU.

Adware Doctor

Patrick Wardle has recently posted an article detailing the misbehavior of an app named Adware Doctor, which is exfiltrating the following data:

  • Safari history
  • Chrome history
  • Firefox history
  • A list of all running processes
  • A list of software that you have downloaded and from where

Most of this is data that App Store apps should not be accessing, much less exfiltrating. In the case of the list of running processes, the app had to work around blockages that Apple has in place to prevent such apps from accessing that data. The developers found a loophole that allowed them to access that data despite Apple’s restrictions.

The developer of this app is one that we at Malwarebytes have had our eye on since 2015. At that time, we discovered an app on the App Store named Adware Medic—a direct rip-off of my own highly-successful app of the same name, which became Malwarebytes for Mac. We immediately began detecting this, and contacted Apple about removing the app. It was eventually removed, but was replaced soon after by an identical app named Adware Doctor.

We’ve continued to fight against this app, as well as others made by the same developer, and it has been taken down several times now, but in a continued failure of Apple’s review process, is always replaced by a new version before long.

Open Any Files: RAR Support

This app came onto our radar late last year. We’ve seen a number of different scam applications like this, which hijack the system’s functionality for handling documents that the user does not have an appropriate app to open, as a means for advertising other products…most often scams. The typical behavior is that, when the user opens an unfamiliar file, this app (and others like it) opens and promotes some antivirus software for scanning the file or the computer, often telling the user that they might be unable to open the file because they are infected.

Interestingly, this software was designed to promote a what appeared to be a mainstream antivirus product. This seemed like an abuse of an affiliate program for that product.

It turned out that this app’s behavior was very similar to the current behavior of Adware Doctor. It was uploading a file named file.zip to the following URL:

update.appletuner.trendmicro.com/1/upload/search_keywords/

This file contained the following data:

  • Complete Safari browsing and search history
  • Complete Chrome browsing and search history
  • Complete Firefox browsing and search history
  • Complete App Store browsing history

We reported this app to Apple in December 2017. It is still present on the App Store.

As we were investigating, we found it very odd that Open Any Files was promoting Dr. Antivirus on the App Store. This led us to investigate Dr. Antivirus, as well as a number of other apps.

(Recently, Open Any Files stopped exfiltrating this data, but we have retained the evidence from our observations.)

Dr. Antivirus

On investigating, we learned that this app, like most Mac App Store apps, is limited in what it can detect to begin with, due to restrictions imposed by the App Store. However, even within the user folder, most of antivirus apps in the App Store don’t have a good detection rate, and this was no exception.

Worse, however, was that we observed the same pattern of data exfiltration as seen in Open Any Files! We saw the same data being collected and also uploaded in a file named file.zip to the same URL used by Open Any Files.

This file, though, contained an interesting bonus. In addition to the browsing history, it also contained an interesting file named app.plist, which contained detailed information about every application found on the system. (See a short excerpt from the file below, showing only the information listed for Dr. Antivirus.)

It could be argued that it is useful for antivirus software to collect certain limited browsing history leading up to a malware/webpage detection and blocking. But it is very hard to argue to exfiltrate the entire browsing history of all installed browsers regardless of whether the user has encountered malware or not. In addition, there was nothing in the app to inform the user about this data collection, and there was no way to opt out of this data collection.

Dr. Cleaner

Unfortunately, other apps by the same developer are also collecting this data. We observed the same data being collected by Dr. Cleaner, minus the list of installed applications. There is really no good reason for a “cleaning” app to be collecting this kind of user data, even if the users were informed, which was not the case.

Interestingly, we found that the drcleaner[dot]com website was being used to promote these apps. WHOIS records identified an individual living in China, and having a foxmail.com email address, as being the registered owner of the domain.

What does all this mean?

It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. I’ve been saying this for several years now, as we’ve been detecting junk software in the App Store for almost as long as I’ve been at Malwarebytes. This is not new information, but these issues reveal a depth to the problem that most people are unaware of.

We’ve reported software like this to Apple for years, via a variety of channels, and there is rarely any immediate effect. In some cases, we’ve seen offending apps removed quickly, although sometimes  those same apps have come back quickly (as was the case with Adware Doctor). In other cases, it has taken as long as six months for a reported app to be removed.

In many cases, apps that we have reported are still in the store. Case in point…all of the above.

I strongly encourage you to treat the App Store just like you would any other download location: as potentially dangerous. Be cautious of what you download. A free app from the App Store may seem perfectly innocent and harmless, but if you have to give that app access to any of your data as part of its expected functionality, you can’t know how it will use that data. Worse, even if you don’t give it access, it may find a loophole and get access to sensitive data anyway.

If you download one of these apps and are now regretting it, you can report the app to Apple:

https://reportaproblem.apple.com

Special thanks

Thanks go to folks who have spent their spare time finding and poking at these applications over the last year: PeterNopSled (from the Malwarebytes forums), @privacyis1st, and Patrick Wardle.

ABOUT THE AUTHOR

Thomas Reed

Director of Mac & Mobile

Had a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.