Apple Finally Boots Sneaky Adware Doctor App from Mac App Store


Hours after researchers publicly disclosed an app that was caught stealing and uploading browser history data, Apple removed it from the Mac App Store.

UPDATE

Apple removed the top-rated app Adware Doctor from its official Mac App Store after researchers publicly exposed the privacy-busting app on Friday. The app was removed the same day. In addition to Adware Doctor, Apple also took action against a number of different macOS apps that also collected browser history data.

Apple was initially alerted to the rogue app in early August – over a month ago. But it appears that Apple removed the app only after it faced public scrutiny. The app, which cost $5, was listed on Apple’s Mac App Store as the company’s fourth-highest “Top Paid” software program.

Researchers said the app violates Apple’s sandboxing security policies by surreptitiously copying a user’s entire browser history and cookies and sending both to a China-based domain.

The researcher who goes by the Twitter handle @privacyis1st is credited with first spotting the app early last month. After discovering the app, the researcher reached out to Patrick Wardle, chief research officer at Digita Security and founder of Mac security company Objective-See, to assist in analyzing the app.

“We tore apart Adware Doctor… [and] our research uncovered blatant violations of user privacy and complete disregard of Apple’s App Store Guidelines,” Wardle wrote in a technical analysis of the app posted on Friday. “There is rather a massive privacy issue here. Let’s face it, your browsing history provides a glimpse into almost every aspect of your life.”

Last week, Apple did not answer Threatpost’s questions as to why the app wasn’t removed sooner. The company has publicly said that the sandboxing issues tied to the exfiltration of browser histories and cookies have been fixed in its upcoming macOS Mojave.

In a separate report, additional macOS apps were also flagged for violating Apple’s security rules for developers. Mac App Store applications identified as “Open Any Files,” “Dr. Antivirus” and “Dr. Cleaner” were also observed exfiltrating Safari, Chrome and Firefox browsing and search histories.

The apps were identified by Malwarebytes, which notified Apple of the behavior of the app Open Any Files in December 2017. On Sunday, all three of the apps were removed from the Apple Mac App Store, according to a report by 9to5Mac’s Guilherme Rambo.

On Monday Trend Micro moved to set the record straight on apps it distributed: Dr Cleaner, Dr Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery and Duplicate Finder. It said in a blog post that the apps were being unfairly characterized as duplicitous.

“Reports that Trend Micro is ‘stealing user data’ and sending them to an unidentified server in China are absolutely false,” it wrote in a statement. The company acknowledged that its apps “collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation.” It explained it this way:

This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service). The potential collection and use of browser history data was explicitly disclosed in the applicable EULAs and data collection disclosures accepted by users for each product at installation (see, for example, the Dr Cleaner data collection disclosure here: https://esupport.trendmicro.com/en-us/home/pages/technical-support/1119854.aspx). The browser history data was uploaded to a U.S.-based server hosted by AWS and managed/controlled by Trend Micro.

Trend Micro then followed up with an update that read:

We have taken action and have 3 updates to share with all of you.

First, we have completed the removal of browser collection features across our consumer products in question. Second, we have permanently dumped all legacy logs, which were stored on US-based AWS servers. This includes the one-time 24 hour log of browser history held for 3 months and permitted by users upon install. Third, we believe we identified a core issue which is humbly the result of the use of common code libraries. We have learned that browser collection functionality was designed in common across a few of our applications and then deployed the same way for both security-oriented as well as the non-security oriented apps such as the ones in discussion. This has been corrected.

Trend Micro is not affiliated with Open Any Files, the app mentioned by Malwarebytes.

“We’ve reported software like this (Open Any Files) to Apple for years, via a variety of channels, and there is rarely any immediate effect,” wrote Thomas Reed, director of Mac and Mobile at Malwarebytes. “In some cases, we’ve seen offending apps removed quickly, although sometimes those same apps have come back quickly (as was the case with Adware Doctor). In other cases, it has taken as long as six months for a reported app to be removed.”

Reed contends that Adware Doctor was originally listed in 2015 as Adware Medic. He said he complained to Apple that this listing was a copy of his own app (also called Adware Medic). “It was eventually removed, but was replaced soon after by an identical app named Adware Doctor,” he said.

(This article was updated on 9/11/2018 at 9:30am ET to include comments from Trend Micro.)
