More malicious apps found in Mac App Store that are stealing user data
A number of apps in the Mac App Store have been found to be stealing data from their users, acquiring sensitive information and sending it to the developer, including one app which was the top paid utility available in the store before its removal.

An image of Adware Doctor's marketing
Security researchers have independently found apps "exfiltrating" data to servers without the user's knowledge, all of which were available to download from Apple's Mac App Store. Each of the apps managed to get past Apple's submission process for the store and was available to download alongside other legitimate apps.
Malwarebytes reports that, in some cases, the data is dispatched to servers in China, a country that doesn't impose the same stringent storage requirements as the United States or European countries for personal data. In cases like these, it is highly likely the data is being used for malicious purposes.
The biggest app on the list is Adware Doctor, which topped the chart for paid utilities in the Mac App Store, before being removed after the reports about it first emerged on Friday. The app claims to remove adware threats from a Mac, including extensions and cookies in browsers, but Patrick Wardle reports that the "cleaning" process involves collecting the browsing history of the user, as well as a list of all running processes, and a list of software downloaded to the Mac.
While Apple has processes in place to prevent apps from accessing data they do not have permission to view, the app uses a loophole to work around the restrictions.
The app is also a clone of Adware Medic, which surfaced in 2015 as a copy of an app of the same name, originally created by the developer of Malwarebytes for Mac. At the time, the app was removed after Apple was informed, but returned with a new name, with Malwarebytes repeatedly fighting to take down clones of the app from the same company that keep appearing in the store.
Shortly after news of the app's malicious nature circulated among other security researchers, the Chinese server went offline, preventing other data from being sent off, but not halting the local collection of data for future dispatches. Wardle also notified Apple about the app in early August, but the app has only just been removed from the Mac App Store, one month later.
A second app, Open Any Files, takes over a system's ability to handle documents that are not associated with an existing app, using the opportunity to advertise other apps that supposedly could open files. Aside from the extra affiliate-based behavior, the app was also found to have similar characteristics to Adware Doctor, in acquiring the browsing and search history of Safari, Chrome, and Firefox, as well as the App Store.
While the app was reported to Apple in December 2017, it is still available to download from the Mac App Store.
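A defender can check which installed apps offer themselves as the handler for otherwise unclaimed documents. The following is an added example, not code from the article or from the researchers it cites; it assumes such an app registers through catch-all document types in its `Info.plist`, which the article does not confirm, and the sample bundle identifier `com.example.fileopener` is constructed.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Generic UTIs and wildcards that match almost any file. An app declaring
# them offers itself as a handler for documents no other app claims.
CATCH_ALL_UTIS = {"public.item", "public.data", "public.content"}
WILDCARD_EXTENSIONS = {"*"}

def catch_all_claims(info: dict) -> list:
    """Return the catch-all document-type claims in a parsed Info.plist."""
    claims = []
    for doc_type in info.get("CFBundleDocumentTypes", []):
        rank = doc_type.get("LSHandlerRank", "Default")
        if rank == "None":  # declared, but never offered as a handler
            continue
        for uti in doc_type.get("LSItemContentTypes", []):
            if uti in CATCH_ALL_UTIS:
                claims.append(f"{uti} (rank {rank})")
        for ext in doc_type.get("CFBundleTypeExtensions", []):
            if ext in WILDCARD_EXTENSIONS:
                claims.append(f"extension {ext} (rank {rank})")
    return claims

def audit_applications(root: str = "/Applications") -> dict:
    """Map each app bundle under root to its catch-all claims, if any."""
    findings = {}
    for plist_path in sorted(Path(root).glob("*.app/Contents/Info.plist")):
        try:
            with plist_path.open("rb") as fh:
                info = plistlib.load(fh)
        except (OSError, ValueError, ExpatError):
            continue  # unreadable or malformed bundle; skip it
        claims = catch_all_claims(info)
        if claims:
            findings[plist_path.parent.parent.name] = claims
    return findings

# Constructed sample: Info.plist of a hypothetical "file opener" utility.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.fileopener</string>
  <key>CFBundleDocumentTypes</key><array>
    <dict><key>LSHandlerRank</key><string>Default</string>
      <key>LSItemContentTypes</key><array><string>public.data</string></array></dict>
    <dict><key>CFBundleTypeExtensions</key><array><string>txt</string></array></dict>
  </array>
</dict></plist>"""

if __name__ == "__main__":
    print(catch_all_claims(plistlib.loads(SAMPLE_PLIST)))
    for app, claims in audit_applications().items():
        print(app, claims)
```

Archivers, hex editors and text editors legitimately declare the same generic types, so a hit is a prompt to review the app, not proof of abuse.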
Dr. Antivirus, discovered through Open Any Files, performs similar data collection, but with limitations imposed by macOS. The same data was collected and exfiltrated, but with the addition of a file detailing metadata of every application installed on the Mac.
The same developer created Dr. Cleaner, which again collected data from the user's Mac and sent it to a specific address.
The discoveries of the malware call into question the safety of apps available from the Mac App Store, and Apple's ability to make sure they are safe before making them available to purchase or download. According to Malwarebytes, the company has reported such instances of malware to Apple for "years," with barely any immediate actions undertaken to remove the offending apps.
There is also the issue that developers found to be distributing malware are not blocked from the Mac App Store, as the creators are sometimes able to bring the exact same apps back to the store in a short space of time.
Malwarebytes encourages users to "treat the App Store just like you would any other download location: as potentially dangerous." While free apps may seem harmless, "if you have to give that app access to any of your data as part of its expected functionality, you can't know how it will use that data."
"Worse, even if you don't give it access, it may find a loophole and get access to sensitive data anyway," the firm adds.
Apple has a dedicated webpage for reporting problems, including malware that slips into the Mac App Store, which users can use to alert the company to such issues.

Comments
FAIL.
-Adware Medic
-Open Any Files
-Dr. Cleaner (I had downloaded this one, dammit!)
But you seem to know, so could you tell us by "how much"?
At least these are mostly late Friday stories so most folks won't even hear about 'em.
Apple needs a reliable revenue stream, it transforms itself into the equivalent of a utility company. That’s why it’s key to keep iOS, watchOS, tvOS closed, and slowly choke off the open nature of macOS.
It is to keep Apple safe from “cheap” users, not to keep users safe from third parties, which would require effective ability of a system’s owner to inspect and control the system, an ability of which we’re piecemeal deprived.
If you're concerned about adware, stop downloading any and every free thing you run across (especially those from China), and if you're really not savvy enough to spot the traps, install MalwareBytes for Mac -- it's free (for manual checking, paid for always-on checking).
My thanks to AI and other Mac sites for shining a light on this problem, but I would expect part of the recent story about all apps needing a stated privacy policy soon is part of Apple's response to this (hopefully the publicity from stories like this will encourage further tightening of checks and submission procedures).
😁
The report on this is out. These Apps aren't exactly malware, as they didn't infect the users' devices or find an exploit in iOS. They are simply Apps that, after you have given them permission to access things like location, are tracking it and sending it off to 3rd party monetization firms. Turning off location services stops this from happening.
Still not good that Apps are able to do this, but I don't know how it can be prevented once you give an App access to location.
Not so much difference if you're blind. Android is an order of magnitude (at least) worse than Apple in this regard.