Apple has removed a top Mac app called Adware Doctor, designed to "prevent malware and malicious files from infecting your Mac," which, according to security researchers Patrick Wardle and Privacy 1st, was collecting users' browsing history without their consent, violating Apple's policies.
Wardle, who shared his findings with TechCrunch, found that Adware Doctor requested access to users' home directory and files — not unusual for an anti-malware or adware app that scans computers for malicious code — and used that access to collect Chrome, Safari, and Firefox browsing history, and recent App Store searches. The data is then zipped in a file called "history.zip" and sent to a server based in China via "adscan.yelabapp.com." Two independent security researchers confirmed to Motherboard that Wardle's report was accurate.
Mac apps are protected by "sandboxing," meaning apps can't access parts of the computer's file system the user hasn't granted permissions to. In this case, sandboxing protections were not bypassed. The user granted access to the home directory and its files, and the app did not explicitly gain consent for what it was doing with that access.
In his blog post, Wardle noted, "The fact that application has been surreptitiously exfiltrating users' browsing history, possibly for years, is, to put it mildly, rather f#@&'d up!"
Security researcher Privacy 1st tweeted that they initially contacted Apple about the Adware Doctor issue on Aug. 12.
What is sad is that it was reported by me on 12th of August and Apple didn't even care... Attached are email screenshots https://t.co/v6G783h1rA
Apple confirmed to BuzzFeed News on Friday that it has removed the app from its Mac App Store, but did not offer further comment. Adware Doctor did not immediately respond to a request for comment.
The next release of macOS, macOS Mojave, will protect content like Safari History or cookies from apps, even those to which users have granted access to their home directory.
Adware Doctor, which costs $5, was the top paid app in the "Utilities" category, and the fifth top paid app overall, before it was removed Friday. The app appears to violate the App Store's "Data Collection and Storage" guidelines, which prohibit developers from "surreptitiously discovering private data" or collecting data without consent. It is unclear whether customers who purchased the app will receive a refund.
More Mac applications, that researchers found were deploying similar techniques as Adware Doctor, have been removed from the Mac App Store. On Sept. 7, Komros Anti Malware & Adware, which was purportedly published under a second account belonging to the developer of Adware Doctor, was pulled. Director of security software Malwarebytes Labs Thomas Reed also reported that Open Any Files, Dr. Antivirus, and Dr. Cleaner were also sending the same data to a remote server. 9to5Mac reported that those apps were removed on Sept. 9. Apple did not respond to BuzzFeed News' request for comment.
@objective_see @Apple @privacyis1st It's the same developer as the "Komros Anti Malware & Adware" MAS app, only using a different name. Uses the same URLs to send the user data to. Both apparently steal browser history, google search history, MAS search history.
UPDATE
This post was updated to include a tweet from Privacy 1st, which shows emails sent to Apple.
UPDATE
Added information about the upcoming release of macOS Mojave, which will protect users' Safari history and cookies from this kind of access abuse.
UPDATE
More information on additional apps that were removed from the App Store has been added to the story.