Top Mac App Store utility 'Adware Doctor' is stealing user information [u]

Posted:
in General Discussion edited September 7
Security researcher Patrick Wardle says one of the most popular apps on the Mac App Store "surreptitiously exfiltrates highly sensitive user information" and is likely exporting it to China.

The Mac App Store's Adware Doctor


On his website Objective-See.com, in collaboration with a Twitter account, called @privacyis1st, which was first to spot the issue, Wardle lays out the case that Adware Doctor is stealing users' browser histories.

Wardle also says that he and @privacyis1st told Apple about the issue a month ago, but that the $4.99 Adware Doctor app -- from a mysterious developer named "Yongming Zhang" -- was available in the Mac App Store early Friday. The app has since disappeared from the storefront.

Wardle first accused the app of having abused AppleScript in 2016, and of leaving fake reviews. But then he and the @privacyis1st account demonstrate, through static and dynamic analysis, that Adware Doctor is taking its users' browser history and exfiltrating it.









The conclusion is that Apple, which touts safety and high standards when it comes to the apps it allows in its stores, has allowed a bad actor with a high spot in its rankings to manipulate the system and steal user data. And, despite Wardle having told Apple over a month ago, the company has done nothing about it.

"First, there is rather a MASSIVE privacy issue here. Let's face it, your browsing history provides a glimpse into almost every aspect of your life. And people have even been convicted of murder based largely on their internet searches," Wardle writes. "The fact that application has been surreptitiously exfiltrating users' browsing history, possibly for years, is, to put it mildly, rather f#@&'d up!"

He concludes by asking Apple again to take down the app and refund users.

Patrick Wardle, who formerly worked for the National Security Agency, is the founder and chief research officer of Digita Security. While he has a long body of Apple-related security work going back several years, recently he demonstrated the WINDSHIFT APT exploit in macOS, and he also discovered a separate "synthetic click" problem, also in macOS.

Updated to reflect Adware Doctor's removal from the Mac App Store.

Comments

  • Reply 1 of 19
    roakeroake Posts: 585member
    Time to ramp up the tariffs.
    mac_dogboltsfan17watto_cobra
  • Reply 2 of 19
    Apple needs to clamp down more aggressively on stuff like this. And more openly, so that others get the message. 
    mac_dogdysamoriastevenozcaladanianwatto_cobra
  • Reply 3 of 19
    Unbelievable. I tried reporting this in the Mac App Store app but there is no such option! I tried leaving a review to warn others to not download the app, but you are required to buy the app before it lets you write a review. 

    I haven't been able to find the developer's website. The very first thing that comes up when searching the developer's name is that "Yongming Zhang" was a serial killer in China (he fed the flesh of his victims to innocent people):
    https://en.wikipedia.org/wiki/Zhang_Yongming

    Also, this developer is already known for being --at the very least-- deceiving. He's been caught making 5 start self-reviews repeatedly, like how this AI forum member reported here:
    https://forums.appleinsider.com/discussion/192947/mac-appstore-apps-with-fake-reviews

    This guy is probably an agent of the Chinese government syphoning browsing history data back to their intelligence unit so they can identify high-value American individuals (corporate or government) for hacking and espionage. Or equally worse, identifying computers with weak security for bank account thefts. Apple has to start cracking down HARD on data thieves (especially when it comes to national security issues). A great example to follow is what Valve does in Steam. If Valve finds developers making self-reviews, or posting fake reviews on Steam on of their games, they ban the developer ENTIRELY, along with ALL their games.
    https://arstechnica.com/gaming/2018/02/valve-bans-developer-after-employees-leave-fake-user-reviews/

    And mind you, this is just for making fake reviews. Yongming Zhang is guilty of the far more serious crime of stealing user data and sending it to China. This developer has to get his account banned permanently from all Apple platforms, Google and Microsoft should also be notified to take action, and be reported to the authorities. This is no joke.
    edited September 7 asdasdboltsfan17racerhomie3dysamoriastevenozlostkiwicaladanianwatto_cobra
  • Reply 4 of 19
    gatorguygatorguy Posts: 19,042member
    I think it might be worse than this.

    I believe iGallery for Instagram, Komros Adware Remover, 1Doc: Word Processor for Writer, and Flixmate (a Netflix streamer for Mac) may also be coming from this same developer under other aliases.  All are highly rated, tho how they accomplished that is questionable. 

    EDIT: AdBlock Master is yet another. Serious stuff....
    Found this link that solidly associates those other names and apps with the likely-fake "Yongming Zhang" and Adware Doctor, confirming my earlier suspicions. 
     
    https://www.storefollow.com/dev/id1040450370
    edited September 7 muthuk_vanalingamdysamorialostkiwiwonkothesane
  • Reply 5 of 19
    macguimacgui Posts: 853member
    Apple needs to clamp down more aggressively on stuff like this. And more openly, so that others get the message. 
    This.

    Apple happily trots out data at Events as to how many apps are in the Store, and at WWDC, how many credit cards are on file with Apple.

    We are offered up as fodder for Devs, cash cows. With 2M+ apps, maybe Apple could slow down the admission process somewhere, somehow, and ramp up vetting and the investigation of claims against an app or Dev.

    We'll probably never have enough transparency to see how Apple is investigating complaints and their response, but I'm ok with that as long as they are investigating and taking appropriate action.


    anantksundaramdysamoriawatto_cobra
  • Reply 6 of 19
    asdasdasdasd Posts: 5,102member
    gatorguy said:
    I think it might be worse than this.

    I believe iGallery for Instagram, Komros Adware Remover, 1Doc: Word Processor for Writer, and Flixmate (a Netflix streamer for Mac) may also be coming from this same developer under other aliases.  All are highly rated, tho how they accomplished that is questionable. 

    EDIT: AdBlock Master is yet another. Serious stuff....
    Found this link that solidly associates those other names and apps with the likely-fake "Yongming Zhang" and Adware Doctor, confirming my earlier suspicions. 
     https://www.storefollow.com/dev/id1040450370
    Theres a Total Adware Blocker as well. Not sure if it is the same guy. 
  • Reply 7 of 19
    gatorguygatorguy Posts: 19,042member
    asdasd said:
    gatorguy said:
    I think it might be worse than this.

    I believe iGallery for Instagram, Komros Adware Remover, 1Doc: Word Processor for Writer, and Flixmate (a Netflix streamer for Mac) may also be coming from this same developer under other aliases.  All are highly rated, tho how they accomplished that is questionable. 

    EDIT: AdBlock Master is yet another. Serious stuff....
    Found this link that solidly associates those other names and apps with the likely-fake "Yongming Zhang" and Adware Doctor, confirming my earlier suspicions. 
     https://www.storefollow.com/dev/id1040450370
    Theres a Total Adware Blocker as well. Not sure if it is the same guy. 


    I'm not seeing that one.  Link?

    But add InstaMaster to the list if it's still available. This looks worse and worse the more you dig. Fortunately most apps seem to be relatively new (not this one) and have limited downloads so far so the damage can still be controlled.
    edited September 7 muthuk_vanalingam
  • Reply 8 of 19
    roake said:
    Time to ramp up the tariffs.
    It's pretty amazing what China gets away. It's mind boggling how they haven't been kicked out of the WTO yet. 
    racerhomie3watto_cobra
  • Reply 9 of 19
    gatorguygatorguy Posts: 19,042member
    roake said:
    Time to ramp up the tariffs.
    It's pretty amazing what China gets away. It's mind boggling how they haven't been kicked out of the WTO yet. 
    Just got a chance to watch the entire video linked in the AI article and the researcher also called out Komros (about the 13 min mark), one that I mentioned earlier, as another app doing a bit more than users might think so that's additional confirmation. 
    edited September 7 muthuk_vanalingamdysamoria
  • Reply 10 of 19
    gatorguygatorguy Posts: 19,042member
    Apple has now removed Adware Doctor from its store. Don't stop there....
    muthuk_vanalingamdysamoriacaladanian
  • Reply 11 of 19
    According to MacRumors, "AdBlock Master" was also removed.
    gatorguydysamoriacaladanian
  • Reply 12 of 19
    gatorguygatorguy Posts: 19,042member
    More info: 

    As Mac is sand-boxed you'd assume that what this app could harvest from other apps and especially running services would be blocked and/or severely limited. Reportedly it was not. How did it bypass those restrictions??

    As explained by the researcher: "It’s (likely) just a copy and paste of Apple’s GetBSDProcessList code (found in Technical Q&A QA1123 “Getting List of All Processes on Mac OS X”). Apparently this is how one can get a process listing from within the application sandbox! I’m guessing this method is unsanctioned (as it clearly goes against the design goals of sandbox isolation). And yes, rather amusing the code Adware Doctor uses to skirt the sandbox, is directly from Apple!"
    edited September 7 muthuk_vanalingamdysamoriastevenoz
  • Reply 13 of 19
    gatorguygatorguy Posts: 19,042member
    According to MacRumors, "AdBlock Master" was also removed.
    at least 4 more to go...

    Edit: Just takes a little publicity to get Apple's attention. ;)
    They've now stated the upcoming Mojave sandboxing will prevent so much user exposure, and Safari browsing history will no longer be as easy to access by other apps.
    edited September 7 stevenozcaladanianmuthuk_vanalingam
  • Reply 14 of 19
    roake said:
    Time to ramp up the tariffs.
    It's pretty amazing what China gets away. It's mind boggling how they haven't been kicked out of the WTO yet. 
    Agreed. I've been saying it for years how American 'short-timer, short-sighted' CEO's are willing to give their company's IP to the Chinese. Just shameful.

    edited September 7 watto_cobra
  • Reply 15 of 19
    Ooof! I may be over reacting, but I just removed all third party extensions from Safari and removed most third party apps from my 2017 MacBook, SE, iPad Mini, AppleWatch and AppleTV.

    I was all in on the Dr. Virus suite of free apps from the Apple App Store and was just about to buy the Pro versions for around $40. Now I've deleted all of them!

    When Mohave comes out...I will wipe/reset to factory settings my MacBook, iPhone, iPad Mini, AppleWatch and AppleTV and do a clean install. I'm going to change my Apple email address and iTunes account and only try to use Apple Apps from now on.

    I've already changed my search engine to DuckDuckGo. I don't use Google Maps or any Google or MS apps/services. My email client is AppleMail.

    I only use Safari as my web browser.

    No FaceBook, no Twitter, SnapChat, etc., etc.,

    When I get a new iPhone I will start over with my new Apple ID. I'm wiping my iPad Mini and selling it.

    Best.
    edited September 7 baconstangwatto_cobra
  • Reply 16 of 19
    Apple needs to clamp down more aggressively on stuff like this. And more openly, so that others get the message. 
    Why would you think it is going to stop them? They are actively trying to bypass Apple “walled garden”, Making them aware that Apple is cracking down, aint gonna help. This is not just some small guy in China hacking away US consumer! I bet it has everything to do with broad Chinese military effort in cyber-spying.
  • Reply 17 of 19
    roake said:
    Time to ramp up the tariffs.
    It's pretty amazing what China gets away. It's mind boggling how they haven't been kicked out of the WTO yet. 
    Agreed. I've been saying it for years how American 'short-timer, short-sighted' CEO's are willing to give their company's IP to the Chinese. Just shameful.

    The sooner China gets kicked out of the WTO the better for the rest of the world. Deceiving apps like these are the tip of the iceberg. China is currently engaging in the largest ever theft of intellectual property from the US and other countries. The Chinese govt steals, passes the IP to their own national manufacturers and soon they show up selling us our own technology back to us, at half the price. The original US owners of the IP go bankrupt. How is that not a high crime?
    christopher126
  • Reply 18 of 19
    ivanhivanh Posts: 193member
    Keep all “Made in China” apps in China App Store only.
    christopher126
  • Reply 19 of 19
    ivanh said:
    Keep all “Made in China” apps in China App Store only.
    Brilliant! I've often thought, Amazon should be required to have a 'Made in China' section so I could avoid it.

    I'm not a protectionist, but buying things from China/Walmart is like eating your leg for dinner.

    There's no future in it. :)

Sign In or Register to comment.