Mac applications distributed via Apple’s official App Store marketplace are collecting and exfiltrating sensitive user data, security researchers have discovered.
The programs exhibiting this behavior send the collected data to the developer’s infrastructure, but some of the data ends up on Chinese servers, “which may not be subject to the same stringent requirements around storage and protection of personally identifiable information like organizations based in the US or EU,” Malwarebytes says.
One of the offending applications is Adware Doctor, which Objective-See’s Patrick Wardle found exfiltrating browser history (targeting Safari, Chrome, and Firefox), a list of all running processes, and a list of software that the user has downloaded (and from where).
To gain access to the list of running processes, the developer found a way to bypass Apple’s sandbox protections. By posing as a security-related app, the software can request file-access permissions that otherwise would not be granted to it.
Despite its malicious purpose, Adware Doctor became highly popular, ranking fourth among all paid apps in the official Mac App Store and first in the paid utilities section. Apple has removed the software from the store, but it might not be long before it returns.
This has happened in the past. The app first emerged in the Mac App Store a couple of years ago under the name Adware Medic, a rip-off of Thomas Reed’s highly successful app of the same name, which later became Malwarebytes for Mac. Apple pulled it after being informed of the matter, but within weeks the app returned as Adware Doctor.
“We’ve continued to fight against this app, as well as others made by the same developer, and it has been taken down several times now, but in a continued failure of Apple’s review process, is always replaced by a new version before long,” Malwarebytes’ Thomas Reed explains.
Open Any Files: RAR Support is another app that exhibits similar behavior, collecting user data into a .zip archive and uploading the file to a developer-controlled server. The exfiltrated data included the complete browsing and search history for Safari, Chrome, and Firefox, as well as the complete App Store browsing history. The software recently stopped siphoning this data.
The app was also designed to promote Dr. Antivirus, usually when the user opens an unfamiliar file (often claiming that an infection is preventing the file from being opened). Reed says Open Any Files appeared on Malwarebytes’ radar last year and was reported to Apple in December 2017.
Dr. Antivirus, in addition to lacking good detection rates, was also observed exhibiting “the same pattern of data exfiltration as seen in Open Any Files! We saw the same data being collected and also uploaded in a file named file.zip to the same URL used by Open Any Files,” Reed notes.
In addition to browsing history, the file was found to contain detailed information about every application found on the system.
As it turns out, other applications from the same developer have data exfiltration capabilities, including Dr. Cleaner (which doesn’t collect the list of installed applications). The website that promotes these apps appears to be owned by an individual living in China.
The main issue, Reed says, is that Apple allows for such apps to be listed in the official store and that it is sometimes slow to take action on the offending applications, despite researchers’ reports. Thus, users should pay attention when downloading software from the Mac App Store, as some applications could be dangerous.
“It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. I’ve been saying this for several years now, as we’ve been detecting junk software in the App Store for almost as long as I’ve been at Malwarebytes. This is not new information, but these issues reveal a depth to the problem that most people are unaware of,” Reed points out.