Whenever you use your computer or any other device connected to the Internet, you have to consider the possibility of it being compromised in some way. That doesn’t mean you have to be on guard all the time – just take certain precautions, don’t expose yourself to unnecessary risks while browsing, and everything should be alright. Sometimes, however, the attack may come from where you least expect it – from software you considered legitimate. Such is the case with Adware Doctor:Anti Malware &Ad, which was removed from Apple’s App Store following accusations that it collected users’ browsing histories and transferred them to a remote server in China. It also had access to iTunes search history and data belonging to other software.
This activity was first discovered by a security researcher who goes by the Twitter handle Privacyis1st. He says he notified Apple about the app’s behaviour as early as the beginning of August, which raises the question of why action has only been taken now. Had the analysis of Adware Doctor:Anti Malware &Ad written by another security researcher, Patrick Wardle, together with Privacyis1st, not been published on September 7, the situation might have been kept under wraps even longer. Furthermore, a report by Malwarebytes released on the same day states that several other App Store apps have been caught spying on their users as well, gathering their personal data.
One of the reasons Apple did not intervene for so long might have been monetary – Wardle notes that Adware Doctor:Anti Malware &Ad sold for $4.99 and was the fourth highest-grossing app in the “Paid Utilities” section of the App Store, with a number of five-star reviews (the legitimacy of which is debatable). He also suggested that the name its developer has been identified by, Yongming Zhang, might be a reference to Zhang Yongming, a Chinese serial killer. Whether the app’s creator is actually Chinese remains to be seen, but it is all but certain that the stolen information was sent to servers in China.
Thomas Reed, director of Mac and mobile security at Malwarebytes, says that the company has been tracking Yongming Zhang since 2015. The developer came to their attention when they found Adware Medic on the App Store, which was “a direct rip-off” of Reed’s own application with essentially the same name (AdwareMedic), the one that later became Malwarebytes for Mac. The firm got in touch with Apple and asked for the app to be removed, but while the company eventually complied, Adware Medic was soon replaced by a practically identical app called Adware Doctor. Apple’s policy allows similarly named apps to be sold, which also explains why this one went unremoved for so long.
Reed, talking to El Reg, also said that “there’s definitely a naming issue on the App Store, because this has happened twice, with two different scam apps on the App Store, both using the name Adware Medic. Also, before Apple removed the offending Adware Doctor app earlier today, there were actually two apps, from different developers, with that exact name. (The other remains on the store.) There’s also one called Total Adware Doctor.” According to Reed, Open Any Files, Dr. Antivirus, and Dr. Cleaner are known to collect personal data as well.
Going back to Patrick Wardle’s analysis of Adware Doctor:Anti Malware &Ad, it takes a deep look at the techniques the application employs to gather browsing history from Chrome, Firefox and Safari. It should be noted that this is a direct violation of App Store rules and of users’ privacy expectations. Wardle also points out that Adware Doctor:Anti Malware &Ad collects a list of the processes running on the device and suggests that this skirts Apple’s app sandboxing mechanism. Apple itself has declined to comment, but the Register has come to understand from people familiar with the App Store’s policies that accessing files in the user’s home directory is not considered a violation of sandboxing rules if the user has given the application permission to do so. Sending browsing history to a remote server, however, is exactly such a violation, and the App Store Review Guidelines mention it explicitly.
It isn’t clear whether app sandboxing should stop system-level process enumeration for an app that has been given broad permissions to fulfill its purported malware-hunting job. According to Wardle, reports on whether the sandbox blocks process enumeration are conflicting. One thing, however, is perfectly clear – Apple removing Adware Doctor:Anti Malware &Ad from the store shows that the issue was real and needed to be addressed. The good news is that things should improve in the upcoming macOS Mojave, as it extends sandboxing protection to browsing history and cookies. This means that even if the user grants the application permission to access the home directory, it should not be able to read that data. Or, at the very least, that is what this piece of information suggests.
But Thomas Reed is skeptical about it. He says that “it’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. … I strongly encourage you to treat the App Store just like you would any other download location: as potentially dangerous.”
As of now, Adware Doctor:Anti Malware &Ad has ceased data collection, and the server it sent the data to appears to be offline. Of course, this does not mean the shutdown is permanent; the operation could easily be resumed at any moment. That’s why it’s important to always research the apps that interest you rather than basing your choice solely on reviews. In addition, keep your security software updated and running at all times – even though some threats are able to bypass it, it still provides additional protection and lowers the chances of them succeeding, which is what really matters.