Top Mac App Store utility 'Adware Doctor' is stealing user information
Security researcher Patrick Wardle says one of the most popular apps on the Mac App Store "surreptitiously exfiltrates highly sensitive user information" and is likely exporting it to China.
On his website Objective-See.com, in collaboration with the Twitter account @privacyis1st, which was first to spot the issue, Wardle lays out the case that Adware Doctor is stealing users' browser histories.
Wardle also says that he and @privacyis1st told Apple about the issue a month ago, but that the $4.99 Adware Doctor app -- from a mysterious developer named "Yongming Zhang" -- was available in the Mac App Store early Friday. The app has since disappeared from the storefront.
Wardle had first accused the app in 2016 of abusing AppleScript and of leaving fake reviews. Now he and the @privacyis1st account demonstrate, through static and dynamic analysis, that Adware Doctor is collecting its users' browser history and exfiltrating it.
The conclusion is that Apple, which touts safety and high standards when it comes to the apps it allows in its stores, has allowed a bad actor with a high spot in its rankings to manipulate the system and steal user data. And, despite Wardle having told Apple over a month ago, the company has done nothing about it.
"First, there is rather a MASSIVE privacy issue here. Let's face it, your browsing history provides a glimpse into almost every aspect of your life. And people have even been convicted of murder based largely on their internet searches," Wardle writes. "The fact that application has been surreptitiously exfiltrating users' browsing history, possibly for years, is, to put it mildly, rather f#@&'d up!"
He concludes by asking Apple again to take down the app and refund users.
Patrick Wardle, who formerly worked for the National Security Agency, is the founder and chief research officer of Digita Security. While he has a long body of Apple-related security work going back several years, recently he demonstrated the WINDSHIFT APT exploit in macOS, and he also discovered a separate "synthetic click" problem, also in macOS.
Updated to reflect Adware Doctor's removal from the Mac App Store.
Comments
I haven't been able to find the developer's website. The very first thing that comes up when searching the developer's name is that "Yongming Zhang" was a serial killer in China (he fed the flesh of his victims to innocent people):
https://en.wikipedia.org/wiki/Zhang_Yongming
Also, this developer is already known for being --at the very least-- deceiving. He's been caught making 5-star self-reviews repeatedly, as this AI forum member reported here:
https://forums.appleinsider.com/discussion/192947/mac-appstore-apps-with-fake-reviews
This guy is probably an agent of the Chinese government siphoning browsing history data back to their intelligence unit so they can identify high-value American individuals (corporate or government) for hacking and espionage. Or equally worse, identifying computers with weak security for bank account thefts. Apple has to start cracking down HARD on data thieves (especially when it comes to national security issues). A great example to follow is what Valve does in Steam. If Valve finds developers making self-reviews, or posting fake reviews on Steam on one of their games, they ban the developer ENTIRELY, along with ALL their games.
https://arstechnica.com/gaming/2018/02/valve-bans-developer-after-employees-leave-fake-user-reviews/
And mind you, this is just for making fake reviews. Yongming Zhang is guilty of the far more serious crime of stealing user data and sending it to China. This developer has to get his account banned permanently from all Apple platforms, Google and Microsoft should also be notified to take action, and be reported to the authorities. This is no joke.
I believe iGallery for Instagram, Komros Adware Remover, 1Doc: Word Processor for Writer, and Flixmate (a Netflix streamer for Mac) may also be coming from this same developer under other aliases. All are highly rated, though how they accomplished that is questionable.
EDIT: AdBlock Master is yet another. Serious stuff....
Found this link that solidly associates those other names and apps with the likely-fake "Yongming Zhang" and Adware Doctor, confirming my earlier suspicions.
https://www.storefollow.com/dev/id1040450370
Apple happily trots out data at Events as to how many apps are in the Store, and at WWDC, how many credit cards are on file with Apple.
We are offered up as fodder for Devs, cash cows. With 2M+ apps, maybe Apple could slow down the admission process somewhere, somehow, and ramp up vetting and the investigation of claims against an app or Dev.
We'll probably never have enough transparency to see how Apple is investigating complaints and their response, but I'm ok with that as long as they are investigating and taking appropriate action.
But add InstaMaster to the list if it's still available. This looks worse and worse the more you dig. Fortunately most apps seem to be relatively new (not this one) and have limited downloads so far so the damage can still be controlled.
As Mac is sandboxed you'd assume that what this app could harvest from other apps and especially running services would be blocked and/or severely limited. Reportedly it was not. How did it bypass those restrictions?
As explained by the researcher: "It’s (likely) just a copy and paste of Apple’s GetBSDProcessList code (found in Technical Q&A QA1123 “Getting List of All Processes on Mac OS X”). Apparently this is how one can get a process listing from within the application sandbox! I’m guessing this method is unsanctioned (as it clearly goes against the design goals of sandbox isolation). And yes, rather amusing the code Adware Doctor uses to skirt the sandbox, is directly from Apple!"
Edit: Just takes a little publicity to get Apple's attention.
They've now stated the upcoming Mojave sandboxing will prevent so much user exposure, and Safari browsing history will no longer be as easy to access by other apps.
I was all in on the Dr. Virus suite of free apps from the Apple App Store and was just about to buy the Pro versions for around $40. Now I've deleted all of them!
When Mojave comes out...I will wipe/reset to factory settings my MacBook, iPhone, iPad Mini, Apple Watch and Apple TV and do a clean install. I'm going to change my Apple email address and iTunes account and only try to use Apple apps from now on.
I've already changed my search engine to DuckDuckGo. I don't use Google Maps or any Google or MS apps/services. My email client is AppleMail.
I only use Safari as my web browser.
No Facebook, no Twitter, Snapchat, etc., etc.
When I get a new iPhone I will start over with my new Apple ID. I'm wiping my iPad Mini and selling it.
Best.
I'm not a protectionist, but buying things from China/Walmart is like eating your leg for dinner.
There's no future in it.