Apple took down one of the top paid apps in the Mac App Store that was stealing browser history from its users and sending it to servers that appeared to be based in China. The app, Adware Doctor, removes malicious files and malware from Macs. However, security researcher Patrick Wardle found that the app was also collecting user data, including browser history, without consent and sending it to the server in China.
Apple confirmed that it removed the app, but before it was taken down, Adware Doctor had already reached the No. 1 spot in the paid utility app category and ranked fourth in top paid apps overall.
If Patrick Wardle's report is accurate, Apple was aware of the app publishers' malicious behavior for weeks but still had not done anything about it. While investigating the problem, Wardle discovered that the app creates a password-protected history zip file and uploads the file to the server. He conducted a thorough analysis to determine how Adware Doctor steals your browsing history and where it sends the data.
After the analysis, he found that:
It’s (likely) just a copy and paste of Apple’s GetBSDProcessList code (found in Technical Q&A QA1123 “Getting List of All Processes on Mac OS X”). Apparently this is how one can get a process listing from within the application sandbox! I’m guessing this method is unsanctioned (as it clearly goes against the design goals of sandbox isolation). And yes, rather amusing the code Adware Doctor uses to skirt the sandbox, is directly from Apple!
He explains this unethical behavior as follows: Adware Doctor jumps through some hoops to steal and then upload your browser history from Chrome, Safari, and Firefox; the data is then compressed and sent to a server in China, where ‘something is done’ with it.
At no position does Adware Doctor ask to exfiltrate your browser history. And its reach to this very private data is clearly based on deceiving the user. – Patrick Wardle
Although the company itself confirms that it prohibits apps that collect data without consent, Wardle questions why Apple left the malware in the Mac App Store for a month despite his alerting the company to his findings.
Note: This is to inform our readers about a researcher's finding that a top paid app collects data. Apple has taken corrective measures to safeguard its users.