Popular Mac Anti-Adware App ‘Surreptitiously Steals’ Your Browsing History, Researchers Say

Researchers allege the developers of Adware Doctor, the 4th highest ranking paid app in the Mac App Store, have found a way to bypass Apple restrictions and collect sensitive user data.

Sep 7 2018, 12:00pm

UPDATE, Sept. 7, 11:58 a.m. ET: Apple appears to have removed Adware Doctor from the Mac App Store a few hours after this story was published. The app is not available on the store anymore.

The original story follows below.


A popular app that promises to remove adware and malware from Mac computers is also “surreptitiously stealing” the user’s browser history, according to security researchers.

Adware Doctor, which is currently ranked as the fourth most popular paid app in the Mac App Store, collects and sends the browsing history of its users to a server in China in an apparent violation of Apple’s own guidelines and privacy rules for apps, security researcher Patrick Wardle wrote in a blog post published Friday.

Wardle, who is well known for his research on Mac security, said that upon installation Adware Doctor asks users for permission to access the home directory, giving it the ability to access and potentially exfiltrate any file there. The app developers found a way to get around some of Apple’s sandboxing restrictions and download the user’s browsing history as well as a list of all processes running on their computer, according to Wardle and another security researcher who goes by the nickname Privacy1st. (Normally Mac apps are sandboxed, meaning they can’t access all parts of the operating system.)

Wardle analyzed and reverse engineered the app, discovering that it sent a Zip file containing the browsing history and software list to a server in China.

“At no point does Adware Doctor ask to exfiltrate your browser history,” Wardle wrote. “And its access to such data is clearly based on deceiving the user.”

The developers of Adware Doctor, which costs $4.99 right now, did not respond to a request for comment sent via the app’s support portal, the only means of contact that I was able to find. Motherboard spoke to two other security researchers who specialize in macOS, who both reviewed Wardle’s report and confirmed it was accurate.

For Wardle, the fact that Adware Doctor is able to collect the browsing history and get around some sandboxing restrictions shows that Apple may not be vetting apps that go on the App Store as much as it should or claims to. The researcher said he reached out to Apple to flag the app on August 7 but the company has yet to take any action. (Apple did not respond to a request for comment.)

In 2016, some users got suspicious of Adware Doctor because it was requesting administrative privileges, and experts at the time already discouraged people from installing it. Thomas Reed, a researcher who studies Mac malware at the security firm Malwarebytes, said that Adware Doctor is not “outright malicious” since it doesn’t steal more sensitive data such as passwords—though it could in theory because of the permissions it has—but it’s “not legit” given that it actively gets around Apple’s restrictions.

“Any time you see a sandbox escape, there are some shenanigans going on!” Reed told me in an online chat.

Moreover, according to Reed, Adware Doctor “also doesn’t really do a good job of scanning for adware. It’s a token effort.”

If you have purchased Adware Doctor, Wardle suggests deleting the app immediately and demanding a refund. He also suggested being more skeptical about the apps that are on the App Store and not assuming they’re safe just because they’ve been approved by Apple.

“How in god's name is [Adware Doctor] still available for download!?” Wardle told me. “If they truly care about privacy and their users they not only will pull the app, but also refund all the users whose privacy and trust was so blatantly violated.”
