A top-grossing Apple App Store program called Adware Doctor is capable of sidestepping macOS security controls and surreptitiously copying a user’s entire browser history. It then sends it to a China-based domain.
According to Patrick Wardle, chief research officer at Digita Security and founder of Mac security company Objective-See, Apple was informed of Adware Doctor’s suspicious functionality last month, but has failed to take action.
The app is currently listed on Apple’s Mac App Store as the company’s fourth-highest “Top Paid” software programs, behind Final Cut Pro, Magnet and Logic Pro X. It is also the store’s No. 1 paid utility. The app currently costs $4.99, is validly signed by Apple, and its listing on the Mac App Store is accompanied a majority of lavishly positive five-star reviews. Adware Doctor promotes its app as preventing “malware and malicious files from infecting your Mac.”
“We tore apart Adware Doctor… [and] our research uncovered blatant violations of user privacy and complete disregard of Apple’s App Store Guidelines,” Wardle wrote in a technical analysis of the app posted on Friday. “There is rather a massive privacy issue here. Let’s face it, your browsing history provides a glimpse into almost every aspect of your life.”
In a technical breakdown of the app Wardle points out that, as is with similar “security” tools, Adware Doctor needs legitimate access to user’s files and directories in order to scan for malicious code.
“Once the user has clicked ‘allow,’ since Adware Doctor requested permission to the user’s home directory, it will have carte blanche access to all the user’s files,” he wrote. This allows the app to detect and clean adware, but to “also collect and exfiltrate any user file it so chooses.”
The scope of data collected by the app, such as the aforementioned browser histories, is beyond what’s required for the app to work as advertised, he said. He also said that collecting “the user’s browsing history seem[s] to be a blatant violation of the user’s privacy (and of course Apple’s strict Mac App Store rules).”
The developer of Adware Doctor is identified as Yongming Zhang. Questions sent to the company by Threatpost were not returned by the time of publication. Similarly, when Threatpost reached out to Apple, the company did not return requests for comment.
Wardle’s investigation was sparked by Twitter user @privacyis1st, who tweeted concerns regarding the app: “Top Sold MacOS AppStore application is ROGUE. Adware Doctor is stealing your privacy.” The user also posted a proof-of-concept demo of how the browser history is exfiltrated.
Top Sold MacOS AppStore application is ROGUE. Adware Doctor is stealing your privacy. PoC: https://t.co/LmveX593q0#malware #virus #MacOS #Apple #MacBook #MacBookPro #CyberSecurity #privacy #GDPR #Hacking #hackers #cyberpunk #Alert
— Privacy 1st (@privacyis1st) August 20, 2018
“@privacyis1st contacted me after his efforts to contact Apple seemed to go nowhere,” Wardle said. “We collaborated. I dug into the app a little more. But all credit goes to him for originally finding the issue.”
How It Works
The researcher noted that the app is programmed with logic that allows it to side-step Apple’s sandbox controls to access legit processes,. But it also gains entry to ones that it should not have access to – such as “collectBrowserHistoryAndProcess.”
“Adware Doctor gains permission to [access] user files via the ‘com.apple.security.files.user-selected.read-write’ entitlement and explicit user approval, per the sandbox design,” Wardle wrote, adding that this process should not allow the listing of other running processes.
“Enumerating running processes (from within the sandbox) is a ‘no-no,'” he said.
The technical process outlined in Wardle’s write-up spells out how Adware Doctor escapes Apple’s app sandbox and calls processes tied to browsers Safari, Chrome and Firefox, and compresses history data into a ZIP archive for exfiltration.
“This file, along with a JSON blob containing a list of any software (.dmgs or .pkgs you’ve downloaded, and from where) is then uploaded to the server via a call to the sendPostRequestWithSuffix method (note the API endpoint: checkadware),” he wrote.
Data is exfiltrated to a domain (yelabapp[.]com) tied to a DNS record pointing to a China host.
A Likely Violation of Apple’s Privacy Rules
“The fact that application has been surreptitiously exfiltrating users’ browsing history, possibly for years, is, to put it mildly, rather f#@&’d up!” Wardle wrote. “Apple blocks the invocation of ps illustrates the fact that sandboxed applications should not be enumerating running processes from within the sandbox. If an application developer finds away around this, this is still a violation.”
Wardle believes the app runs afoul of several Apple App Store rules and policies. For starters, Apple’s data collection and storage rules state:
- Apps that collect user or usage data must secure user consent for the collection.
- Apps must respect the user’s permission settings and not attempt to… trick, or force people to consent to unnecessary data access.
- Developers that use their apps to surreptitiously discover…private data will be removed from the Developer Program.
The researchers reached out to Apple and shared their concerns with the Apple App Store review team. Several days later, on Aug. 8, Apple replied, acknowledging receipt of the security concerns and requesting more details. On Aug. 12, Apple followed up by stating: “Because we can only share communications about an app with its developer, you will not receive updates in this manner.”
As of this writing, the Adware Doctor app is still prominently featured in Apple’s Mac App Store.
Adware Doctor has a history of questionable behavior, according to Wardle.
He asserts that the software was found abusing an AppleScript in 2016, in “an apparent attempt to perform elevated applications (in violation of Apple’s App Store Guidelines).” Furthermore, Wardle claims many of the reviews made on Adware Doctor’s behalf in Apple’s Mac App Store are likely fraudulent.
According to Apple, Adware Doctor has received 7,149 reviews with 6,278 of them five-star; there are also 58 three-star reviews. Wardle cites an Apple Insider forum post discussing the likelihood of Adware Doctor’s reviews being “fake.”
“The good news is, Apple can decisively act, restoring our faith in…the Mac App Store, but more importantly in their commitment to all us users,” Wardle wrote. “How? Easy! By pulling the app and refunding all affected users. As though we’ll never get our browser history back, recovering our hard-earned money would be a start!”