Friday, September 7, 2018

A Deceitful “Doctor” in the Mac App Store

Nicole Nguyen (Hacker News, MacRumors, 9to5Mac, Wired, Techmeme):

Apple has removed a top Mac app called Adware Doctor, designed to “prevent malware and malicious files from infecting your Mac,” which, according to security researchers Patrick Wardle and Privacy 1st, was collecting users’ browsing history without their consent, violating Apple’s policies.

[…]

Adware Doctor, which costs $5, was the top paid app in the “Utilities” category, and the fifth top paid app overall, before it was removed Friday. The app appears to violate the App Store’s “Data Collection and Storage” guidelines, which prohibit developers from “surreptitiously discovering private data” or collecting data without consent. It is unclear whether customers who purchased the app will receive a refund.

Patrick Wardle (tweet):

Finally, the stellar reviews bestowed upon Adware Doctor (and other applications by the same developer) are likely fake, as the application is specifically discussed in the insightful post, “Mac AppStore apps with fake reviews”.

[…]

By editing the system’s /etc/hosts file we can redirect this request to a server we control and capture what Adware Doctor is trying to upload. And what do you think that might be? If you guessed the history.zip file you would be correct!

[…]

When Adware Doctor is executed for the first time, it requests access to the user’s home directory (~) and all files and directories underneath it as well[…]

[…]

Apple also claims that “if there’s ever a problem with an app, Apple can quickly remove it from the store”. Maybe the key word here is “can”.

A full month ago, we reported our findings to Apple, which they acknowledged, and promised to investigate[…]…since then, crickets!
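The capture step Wardle describes above (point the app’s upload hostname at a host you control, then look at what arrives) is a standard dynamic-analysis technique for confirming exfiltration. The following is an added example, not code from the original post or from Wardle: a small local capture endpoint that records each POST and reports whether the body is a zip archive and what it contains, plus a parser for /etc/hosts-style overrides so the analyst can confirm the redirect is in place. The hostname `upload.example.invalid` and the sample archive contents are constructed placeholders.

```python
import http.server
import io
import threading
import urllib.request
import zipfile

# Every upload the capture server receives is summarised here.
CAPTURED = []


def parse_hosts(text):
    """Parse /etc/hosts-style text into {hostname: ip}, ignoring comments and blanks."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def hosts_override_line(hostname, ip="127.0.0.1"):
    """Build the /etc/hosts line that redirects `hostname` to the analyst's listener."""
    return f"{ip}\t{hostname}"


def summarize_upload(path, headers, body):
    """Describe a captured POST: path, size, content type, zip magic and zip entry names."""
    info = {
        "path": path,
        "bytes": len(body),
        "content_type": headers.get("Content-Type", ""),
        "is_zip": body.startswith(b"PK\x03\x04"),  # local file header magic of a zip archive
        "zip_entries": [],
    }
    if info["is_zip"]:
        try:
            with zipfile.ZipFile(io.BytesIO(body)) as zf:
                info["zip_entries"] = zf.namelist()
        except zipfile.BadZipFile:
            pass  # magic matched but the archive is truncated or corrupt; keep is_zip for triage
    return info


class CaptureHandler(http.server.BaseHTTPRequestHandler):
    """Accept any POST, record a summary of the body, answer 200 so the client keeps going."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        CAPTURED.append(summarize_upload(self.path, self.headers, body))
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet; CAPTURED holds the record


def start_capture_server(port=0):
    """Start the listener on 127.0.0.1 (port 0 = pick a free port); returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", port), CaptureHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def build_sample_zip():
    """Constructed stand-in for an exfiltrated archive; contents are not real browser history."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("History.db", b"constructed sample, not real history")
    return buf.getvalue()


def post_sample_upload(port, payload):
    """Play the role of the app being analysed: POST the archive to the redirected host."""
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/upload", data=payload, method="POST",
        headers={"Content-Type": "application/zip"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed hosts file showing the override line an analyst would add.
    hosts = "127.0.0.1 localhost\n" + hosts_override_line("upload.example.invalid") + "\n"
    print(parse_hosts(hosts))
    srv, port = start_capture_server()
    post_sample_upload(port, build_sample_zip())
    srv.shutdown()
    print(CAPTURED[-1])
```

In a real session the app itself makes the request, so the override line goes into /etc/hosts and the listener runs on port 80 (or 443 behind a TLS proxy the analyst trusts); the summary then tells you immediately whether what left the machine was an archive and what files were inside it.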

I’m not sure Wardle is correct that sandboxed apps are not supposed to be able to enumerate the running processes.

Update (2018-09-07): Thomas Reed (tweet):

There is a concerning trend lately in the Mac App Store. Several security researchers have independently found different apps that are collecting sensitive user data and uploading it to servers controlled by the developer. (This is referred to as exfiltrating the data.) Some of this data is actually being sent to Chinese servers, which may not be subject to the same stringent requirements around storage and protection of personally identifiable information like organizations based in the US or EU.

Jeff Johnson confirms that [[NSWorkspace sharedWorkspace] runningApplications] works in the sandbox.

Patrick Wardle:

Stoked that Apple has:

  • now removed the app (& dev’s others apps)
  • is adding extra sandboxing protection on “privacy-sensitive content like Safari history” in Mojave

Update (2018-09-08): John Gruber (tweet):

We can’t expect the app review process to flag every bad actor, but I do think we should expect Apple to take action when a bad actor is found.

Third, why wasn’t this developer “Yongming Zhang” flagged years ago? Adware Doctor started out named “Adware Medic”, the same name as a legitimate successful app from Malwarebytes[…]

[…]

Even if Apple isn’t willing to commit the human resources to tackle review fraud across the entire App Store — a Sisyphean task at this point, to be sure — they surely ought to tackle it for popular apps, and Adware Doctor was very popular. This app’s success, sketchy description, and the developer’s history of bad behavior should have set off alarm bells inside Apple.

[…]

Lastly, what’s going on with all the copies of the app that have already been bought and installed? Do existing copies still run? Isn’t this exactly the sort of scenario where Apple should use the kill switch to remotely disable installed copies of the app?

Privacy 1st:

What is sad is that it was reported by me on 12th of August and Apple didn’t even care... Attached are email screenshots

Malcolm Owen:

A second app, Open Any Files, takes over a system’s ability to handle documents that are not associated with an existing app, using the opportunity to advertise other apps that supposedly could open files. Aside from the extra affiliate-based behavior, the app was also found to have similar characteristics to Adware Doctor, in acquiring the browsing and search history of Safari, Chrome, and Firefox, as well as the App Store.

While the app was reported to Apple in December 2017, it is still available to download from the Mac App Store.

Howard Oakley:

For the first time since its introduction, Apple has left XProtect without any updates for over five months; that’s more than 150 days. The last XProtect update was version 2099 pushed on 13 March 2018, when many of us were struggling through snow and ice instead of the current heat and drought.

Stephen Silver (Hacker News, TechCrunch, MacRumors):

According to a new report from GuardianApp, “a growing number of iOS apps have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms. In many cases, the packaged tracking code may run at all times, constantly sending user GPS coordinates and other information.”

Howard Oakley:

Having written quite a lot recently about Mojave’s new privacy protection, I have tended to gloss over the differences between privacy and security, why we need effective controls over both, and how those controls are so different. This article tries to explain using hypothetical examples as illustrations.

Update (2018-09-11): Howard Oakley (tweet):

I am stunned that Apple, a company which rightly refuses to sell cheap adaptor cables in its stores because it considers that we should only use high quality approved accessories, is continuing to sell (or give away, in some cases) four products which security researchers have demonstrated break Apple’s own rules, and grossly abuse the user’s privacy.

[…]

Can the App Store survive in its present form? Haven’t users finally lost faith in its bland assurance that its apps are screened and checked by Apple, and are ‘safe’ for us to use? When Apple has ignored the evidence of well-known security experts and failed to take action over these apps, how many others in the store might prove similarly malicious?

[…]

As of 0730 10 September 2018, Apple has finally removed the apps named above from its UK App Store, and apparently from its other App Stores too. However, there are still a lot of apps which need to be more thoroughly investigated as to their efficacy and legitimacy: search on adware for example to see a lot which make bold claims that would appear to be impossible under App Store rules.

Tom Reeve:

Dr Cleaner was reportedly removed from the Apple App Store on Friday and Dr Antivirus, also owned by Trend, was reportedly removed this morning.

Privacy 1st:

Update: Apple removed most of the TrendMicro apps including the fake developer account they had to promote the Open Any Files, which was reported as malware by @thomasareed from @Malwarebytes. Kudos to @Apple for fast action.

Thomas Reed:

Be suspicious of every single antivirus on the App Store. Even the legit ones are junk because of the limitations that will prevent them from detecting all threats.

Trend Micro:

Reports that Trend Micro is “stealing user data” and sending them to an unidentified server in China are absolutely false.

Trend Micro has completed an initial investigation of a privacy concern related to some of its MacOS consumer products. The results confirm that Dr Cleaner, Dr Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation. This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service). The data collected was explicitly identified to the customer in the data collection policy and is highlighted to the user during the install. The browser history data was uploaded to a U.S.-based server hosted by AWS and managed/controlled by Trend Micro.

Thomas Reed:

It’s hard to verify after the apps were removed, but I explicitly looked for in-app data collection notification and did not find any.

Howard Oakley:

Unlike another app which stole private data, Adware Doctor, which has also been taken down from the App Store, these three aren’t from a near-anonymous developer, but a multi-national corporation specialising in ‘cybersecurity’.

Trend Micro Inc. is a public-quoted corporation (KK) headquartered in Tokyo, founded nearly thirty years ago, with almost six thousand employees worldwide, and revenue (2017) of ¥148.8 billion. Surely, this isn’t the sort of company to be involved in the secretive collection of private data including full browser histories?

Liam Tung (via Hacker News):

The company notes that it disclosed this data collection in its end-user license agreements and that browser history data was uploaded to a US server hosted by Amazon Web Services and managed by Trend Micro.

Trend Micro blamed the behavior on the use of common code libraries and has now removed the browser data collection feature and deleted logs stored on the AWS servers.

Update (2018-09-14): Graham Cluley:

In short, Trend Micro says that the code was designed to help the software determine if users had recently encountered online threats - and yet the code was also incorporated into products which were not security-related.

Dr Battery, for instance, is an app that purports to offer real-time monitoring of your Mac’s battery and determine which apps are draining resources the most. Why on earth would that need to take a gander at your browsing history?

[…]

Shared code libraries that aren’t actually required by a program to perform its function increase the threat surface, introduce security and privacy vulnerabilities that could impact your customers, and - potentially - give more opportunities for hackers to strike.

Adam Engst:

What could possibly be the excuse for a company that advertises itself as “a global leader in cybersecurity solutions” to engage in such behavior, which is not just a serious ethical lapse, but a clear violation of Apple’s App Store policies? And if Apple is going to claim that the App Store approval process protects users, it clearly needs to do a better job.

3 Comments

Thomas Reed

Some of this data is actually being sent to Chinese servers, which may not be subject to the same stringent requirements around storage and protection of personally identifiable information like organizations based in the US or EU.

Isn't the problem that most user data in the USA is kind of up for grabs too? Why else would Apple have to start demanding developers have defined privacy policies in the app store?
https://www.macrumors.com/2018/08/31/all-app-store-apps-to-require-privacy-policy/

John Gruber

Even if Apple isn’t willing to commit the human resources to tackle review fraud across the entire App Store — a Sisyphean task at this point, to be sure — they surely ought to tackle it for popular apps, and Adware Doctor was very popular.

The Mac App Store in no way constitutes a Sisyphean task. It's such an afterthought on the market. However, the iOS app store is a lost cause for human resources and app review. It's never really worked in fact.

Man, my blockquote on Thomas Reed failed. Sorry about that.

In other thoughts. I am concerned it takes Apple so long to verify a formally noted case of malware/adware/fraud. Also, if Howard Oakley is correct that XProtect has not been updated in five months, does that not seem strange? There has been no malware in the wild from the last five months? Nothing at all to add to XProtect's database?

Weird.

The iOS apps "secretly" transmit data regarding location "revelation" was hardly the shocker. Disappointing for sure, but everything about people is monetized. I've been less than thrilled with credit bureaus for years and things have become so topsy turvy that people actively play the credit score game. Never mind the number of times they've sold (yes, credit scores aren't for us, they are for their customers, aka lenders, nosy employers, etc.) and even lost our data via hacks. Whatever, we are all products. It's a top to bottom problem.

I don't know how to fix it, but it's funny every time the same shocking revelation is revealed. See Google location tracking as well. Or pretty much everything Facebook does with their platform.
