More malicious apps found in Mac App Store that are stealing user data

A number of apps in the Mac App Store have been found to be stealing data from their users, acquiring sensitive information and sending it to the developer, including one app which was the top paid utility available in the store before its removal.

An image of Adware Doctor's marketing


Security researchers have independently found apps "exfiltrating" data to servers without the user's knowledge, all of which were available to download from Apple's Mac App Store. Each of the apps managed to get past Apple's submission process for the store and was available to download alongside legitimate apps.

MalwareBytes reports that, in some cases, the data is dispatched to servers in China, a country that doesn't impose the same stringent storage requirements for personal data as the United States or European countries. In cases like these, it is highly likely the data is being used for malicious purposes.

The biggest app on the list is Adware Doctor, which topped the chart for paid utilities in the Mac App Store before being removed after the reports about it first emerged on Friday. The app claims to remove adware threats from a Mac, including extensions and cookies in browsers, but Patrick Wardle advises that the "cleaning" process involves collecting the browsing history of the user, as well as a list of all running processes, and a list of software downloaded to the Mac.

While Apple has processes in place to prevent apps from accessing data they do not have permission to view, the app uses a loophole to work around the restrictions.

The app is also a clone of Adware Medic, which surfaced in 2015 as a copy of an app of the same name, originally created by the developer of MalwareBytes for Mac. At the time, the app was removed after Apple was informed, but returned with a new name, with MalwareBytes repeatedly fighting to take down clones of the app from the same company that keep appearing in the store.

Shortly after news of the app's malicious nature circulated among other security researchers, the Chinese server went offline, preventing other data from being sent off, but not halting the local collection of data for future dispatches. Wardle also advised Apple about the app in early August, but the app has only just been removed from the Mac App Store, one month later.

A second app, Open Any Files, takes over a system's ability to handle documents that are not associated with an existing app, using the opportunity to advertise other apps that supposedly could open files. Aside from the extra affiliate-based behavior, the app was also found to have similar characteristics to Adware Doctor, in acquiring the browsing and search history of Safari, Chrome, and Firefox, as well as the App Store.

While the app was reported to Apple in December 2017, it is still available to download from the Mac App Store.

Dr. Antivirus, discovered through Open Any Files, performs similar data collection but with limitations, restricted by macOS. The same data was collected and exfiltrated, but with the addition of a file detailing metadata of every application installed on the Mac.

The same developer created Dr. Cleaner, which again collected data from the user's Mac and sent it to a specific address.

The discoveries of the malware call into question the safety of apps available from the Mac App Store, and Apple's ability to make sure they are safe before making them available to purchase or download. According to Malwarebytes, the company has reported such instances of malware to Apple for "years," with barely any immediate actions undertaken to remove the offending apps.

There is also the issue of developers found to be distributing malware failing to be blocked from the Mac App Store, as the creators are sometimes able to bring the exact same apps back to the store in a short space of time.

MalwareBytes encourages users to "treat the App Store just like you would any other download location: as potentially dangerous." While free apps may seem harmless, "if you have to give that app access to any of your data as part of its expected functionality, you can't know how it will use that data."

"Worse, even if you don't give it access, it may find a loophole and get access to sensitive data anyway," the firm adds.

Apple has a dedicated webpage for reporting problems, including malware that slips into the Mac App Store, which users can use to alert the company to such issues.

Comments

  • Reply 1 of 34
    Please could you clearly and simply list apps we have to avoid? Not burden it into text.
  • Reply 2 of 34
    Shows how much Apple is really screening for these things.  *rolls eyes*

    FAIL.
  • Reply 3 of 34
    frantisek said:
    Please could you clearly and simply list apps we have to avoid? Not burden it into text.
    - Adware Doctor
    - Adware Medic
    - Open Any Files
    - Dr. Cleaner (I had downloaded this one, dammit!)
  • Reply 4 of 34
    Users should be educated or the system strengthened so as to not need those cleaning apps. Sad... Reminds me of the Windows 95 days.
  • Reply 5 of 34
    JWSC (Posts: 142, member)
    These SOBs need to be roasted!  But the ones in China and elsewhere might be difficult to get to.
  • Reply 6 of 34
    Soli (Posts: 8,176, member)
    Shows how much Apple is really screening for these things.  *rolls eyes*

    FAIL.
    You say it shows "how much" but fail to see anything other than not well enough. I have no insights into "how much" their App Stores are vetted today compared to the past, other app stores, or from direct downloads. I also have no idea if these companies have worked hard to find ways to circumvent their review process when submitting the app.

    But you seem to know, so could you tell us by "how much"?
  • Reply 7 of 34
    Users should be educated or the system strengthened so as to not need those cleaning apps. Sad... Reminds me of the Windows 95 days.
    Would be nice if Apple increased the functionality of the Disk Utility instead of users having to go to third parties to get features they'd rather have in native applications.
    edited September 7
  • Reply 8 of 34
    gatorguy (Posts: 19,041, member)
    Also now being reported are numerous popular iOS apps selling user data including location history. One of those days....


  • Reply 9 of 34
    gatorguy said:
    Also now being reported are numerous popular iOS apps selling user data including location history. One of those days....


    Good thing that never happens with Android.  ;)
  • Reply 10 of 34
    gatorguy (Posts: 19,041, member)
    gatorguy said:
    Also now being reported are numerous popular iOS apps selling user data including location history. One of those days....


    Good thing that never happens with Android.  ;)
    Yeah, maybe not so much difference between the two platforms as some of us have assumed. "Malware-infested Google Play AppStore" today. Maybe tomorrow we'll have the obligatory "Yeah but Google" story? :)

    At least these are mostly late Friday stories so most folks won't even hear about 'em. 
    edited September 7
  • Reply 11 of 34
    There's one really simple solution to this: Use Little Snitch on your Mac.
  • Reply 12 of 34
    rcfa (Posts: 703, member)
    The AppStore’s not about user safety, but about getting people into subscription agreements as companies face Moore’s Law hitting the brick wall and apps run out of useful features to add, that make for compelling upgrades.
    Apple needs a reliable revenue stream, it transforms itself into the equivalent of a utility company. That’s why it’s key to keep iOS, watchOS, tvOS closed, and slowly choke off the open nature of macOS.

    It is to keep Apple safe from “cheap” users, not to keep users safe from third parties, which would require effective ability of a system’s owner to inspect and control the system, an ability of which we’re piecemeal deprived of.
  • Reply 13 of 34
    chasm (Posts: 770, member)
    Users should be educated or the system strengthened so as to not need those cleaning apps. Sad... Reminds me of the Windows 95 days.
    You don't need them! You don't need a single one of these, or any "RAM optimizers," or any other such nonsense. All of these apps are predicated on the idea that either Apple "forgot" to put in system optimizers (for things like RAM, controlling fans, or reclaiming temp files) or that users will foolishly ignore warnings about what an app needs to access (the latter, sadly, appears to be more correct than I would have thought).

    If you're concerned about adware, stop downloading any and every free thing you run across (especially those from China), and if you're really not savvy enough to spot the traps, install MalwareBytes for Mac -- it's free (for manual checking, paid for always-on checking).

    My thanks to AI and other Mac sites for shining a light on this problem, but I would expect part of the recent story about all apps needed a stated privacy policy soon is part of Apple's response to this (hopefully the publicity from stories like this will encourage further tightening of checks and submission procedures).
  • Reply 14 of 34
    gatorguy said:
    gatorguy said:
    Also now being reported are numerous popular iOS apps selling user data including location history. One of those days....


    Good thing that never happens with Android.  ;)
    Yeah, maybe not so much difference between the two platforms as some of us have assumed. "Malware-infested Google Play AppStore" today. Maybe tomorrow we'll have the obligatory "Yeah but Google" story? :)

    At least these are mostly late Friday stories so most folks won't even hear about 'em. 
    Somehow, I have a little idea that 30/2mil iOS apps is maybe less of a problem than the malware infested google play store. 😁
  • Reply 15 of 34
    gatorguy (Posts: 19,041, member)
    gatorguy said:
    gatorguy said:
    Also now being reported are numerous popular iOS apps selling user data including location history. One of those days....


    Good thing that never happens with Android.  ;)
    Yeah, maybe not so much difference between the two platforms as some of us have assumed. "Malware-infested Google Play AppStore" today. Maybe tomorrow we'll have the obligatory "Yeah but Google" story? :)

    At least these are mostly late Friday stories so most folks won't even hear about 'em. 
    Somehow, I have a little idea that 30/2mil iOS apps is maybe less of a problem than the malware infested google play store. 
    Nothing wrong with having little ideas.
    😁
    edited September 7
  • Reply 16 of 34
    isidore said:
    There's one really simple solution to this: Use Little Snitch on your Mac.
    Until the software ends up using a conventional upload method when you are not watching creates an email with which it uploads the data only then to erase the evidence and Little Snitch will be none the wiser.
  • Reply 17 of 34
    Users should be educated or the system strengthened so as to not need those cleaning apps. Sad... Reminds me of the Windows 95 days.
    Would be nice if Apple increased the functionality of the Disk Utility instead of users having to go to third parties to get features they'd rather have in native applications.
    Good point.
  • Reply 18 of 34
    gatorguy said:
    gatorguy said:
    Also now being reported are numerous popular iOS apps selling user data including location history. One of those days....


    Good thing that never happens with Android.  ;)
    Yeah, maybe not so much difference between the two platforms as some of us have assumed. "Malware-infested Google Play AppStore" today. Maybe tomorrow we'll have the obligatory "Yeah but Google" story? :)

    At least these are mostly late Friday stories so most folks won't even hear about 'em. 
    Somehow, I have a little idea that 30/2mil iOS apps is maybe less of a problem than the malware infested google play store. 😁

    The report on this is out. These Apps aren't exactly malware, as they didn't infect the users devices or find an exploit in iOS. They are simply Apps that, after you have given them permission to access things like location, are tracking it and sending it off to 3rd party monetization firms. Turning off location services stops this from happening.

    Still not good that Apps are able to do this, but I don't know how it can be prevented once you give an App access to location.
  • Reply 19 of 34
    gatorguy said:
    gatorguy said:
    Also now being reported are numerous popular iOS apps selling user data including location history. One of those days....


    Good thing that never happens with Android.  ;)
    Yeah, maybe not so much difference between the two platforms as some of us have assumed. "Malware-infested Google Play AppStore" today. Maybe tomorrow we'll have the obligatory "Yeah but Google" story? :)

    At least these are mostly late Friday stories so most folks won't even hear about 'em. 

    Not so much difference if you're blind. Android is an order of magnitude (at least) worse than Apple in this regard.
  • Reply 20 of 34
    gatorguy (Posts: 19,041, member)
    gatorguy said:
    gatorguy said:
    Also now being reported are numerous popular iOS apps selling user data including location history. One of those days....


    Good thing that never happens with Android.  ;)
    Yeah, maybe not so much difference between the two platforms as some of us have assumed. "Malware-infested Google Play AppStore" today. Maybe tomorrow we'll have the obligatory "Yeah but Google" story? :)

    At least these are mostly late Friday stories so most folks won't even hear about 'em. 
    Somehow, I have a little idea that 30/2mil iOS apps is maybe less of a problem than the malware infested google play store. 😁

    The report on this is out. These Apps aren't exactly malware, as they didn't infect the users devices or find an exploit in iOS. They are simply Apps that, after you have given them permission to access things like location, are tracking it and sending it off to 3rd party monetization firms. Turning off location services stops this from happening.

    Still not good that Apps are able to do this, but I don't know how it can be prevented once you give an App access to location.
    Wrong story Eric. You probably meant to post this in the thread about the iOS apps which are monetizing user data. A little confusing today I agree. There's at least three or four current stories about various security issues with iOS and/or Mac apps.
    edited September 7