Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Mac Apps From Apple’s App Store Steal User Data, Researchers Say

Mac applications distributed via Apple’s official App Store marketplace are collecting and exfiltrating sensitive user data, security researchers have discovered. 

Mac applications distributed via Apple’s official App Store marketplace are collecting and exfiltrating sensitive user data, security researchers have discovered. 

The multiple programs exhibiting such behavior send the collected data to the developer’s infrastructure, but some of the data ends up on Chinese servers, “which may not be subject to the same stringent requirements around storage and protection of personally identifiable information like organizations based in the US or EU,” Malwarebytes says. 

One of the offending applications is Adware Doctor, which Objective-See’s Patrick Wardle found exfiltrating browser history (targeting Safari, Chrome, and Firefox), a list of all running processes, and a list of software that the user has downloaded (and from where). 

To gain access to the list of running processes, the developer found a way to bypass Apple’s sandbox protections. By posing as a security-related app, the software can request file-access permissions that otherwise would not be granted to it.

Despite its malicious purpose, Adware Doctor managed to become highly popular, being the fourth top paid software in the official Mac App Store, and first in the paid utilities section. Apple has removed the software from the store, but it might not be long before it returns.

This has happened in the past. The app first emerged in the Mac App Store a couple of years ago, named Adware Medic, a rip off of Thomas Reed’s highly-successful app with the same name, which became Malwarebytes for Mac. Apple pulled it after being informed on the matter, but within weeks the app returned as Adware Doctor. 

“We’ve continued to fight against this app, as well as others made by the same developer, and it has been taken down several times now, but in a continued failure of Apple’s review process, is always replaced by a new version before long,” Malwarebytes’ Thomas Reed explains

Open Any Files: RAR Support is yet another app that shows a similar behavior, collecting user data in a .zip archive and uploading the file to a developer’s server. Exfiltrated data included complete browsing and search history for Safari, Chrome, and Firefox, and complete App Store browsing history. Recently, the software stopped siphoning said data. 

The app was also designed to promote Dr. Antivirus, usually when the user opens an unfamiliar file (often claiming that an infection is preventing the user from opening the file). Reed says Open Any Files dropped on their radar last year and was reported to Apple in December 2017. 

Dr. Antivirus, in addition to lacking good detection rates, was also observed exhibiting “the same pattern of data exfiltration as seen in Open Any Files! We saw the same data being collected and also uploaded in a file named to the same URL used by Open Any Files,” Reed notes. 

In addition to browsing history, the file was found to contain detailed information about every application found on the system. 

As it turns out, other applications from the same developer have data exfiltration capabilities, including Dr. Cleaner (which doesn’t collect the list of installed applications). The website that promotes these apps appears to be owned by an individual living in China.

The main issue, Reed says, is that Apple allows for such apps to be listed in the official store and that it is sometimes slow to take action on the offending applications, despite researchers’ reports. Thus, users should pay attention when downloading software from the Mac App Store, as some applications could be dangerous.

“It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. I’ve been saying this for several years now, as we’ve been detecting junk software in the App Store for almost as long as I’ve been at Malwarebytes. This is not new information, but these issues reveal a depth to the problem that most people are unaware of,” Reed points out. 

Related: Macs Infected With New Monero-Mining Malware

Related: ‘MaMi’ Mac Malware Hijacks DNS Settings

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Endpoint Security

The Zero Day Dilemma

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...