Apple never forgets to brag that the Mac App Store is the “safest place” to download apps for your Mac. No doubt about that. But one of the most popular apps in the Mac App Store has been stealing users’ browsing history and sending it to China from under Apple’s nose for years! In fact, the Adware Doctor is the #1 top-grossing app in the “Paid Utilities” category. Mac users pay $4.99 to buy the app that does a damn good job at stealing their browsing history.
You should stop using Adware Doctor right now
The app says on its Mac App Store page that it is designed to “keep your Mac safe” and remove the “annoying pop-up ads.” It is not only the #1 app in the ‘paid utilities’ category, but also among the overall top five most popular paid apps in the US, along with apps like Final Cut Pro and Notability. Developed by Yongming Zhang, the Adware Doctor has more than 7,000 positive ratings. Little do those users know that it has bypassed Apple’s restrictions to collect their sensitive data.
Security researcher Patrick Wardle teamed up with Twitter account Privacy 1st to expose the app. On the website Objective-See, Wardle says he’s discovered that the app was “surreptitiously stealing” data from users who have downloaded it. Surprisingly, the app is still live on the Mac App Store at the time of this writing. We have reached out to Apple for comments, and will update the post if and when they respond.
Top Sold MacOS AppStore application is ROGUE. Adware Doctor is stealing your privacy. PoC: https://t.co/LmveX593q0 #malware #virus #MacOS #Apple #MacBook #MacBookPro #CyberSecurity #privacy #GDPR #Hacking #hackers #cyberpunk #Alert
— Privacy 1st (@privacyis1st) August 20, 2018
Last month, Privacy 1st posted a video showing how the Adware Doctor was stealing users’ data and sending it to servers in China. Wardle collaborated with Privacy 1st to dig deeper into the issue, and shared his findings in a blog post. It’s not the first time Wardle has red-flagged the app. Back in 2016, he had accused it of leaving fake reviews and abusing AppleScript.
According to TechCrunch, the app “jumped through hoops” to bypass the Mac’s sandboxing features, which prevent apps from collecting user data on the hard drive, and to upload browsing history from different browsers including Safari, Chrome, and Firefox. Adware Doctor could request access to a user’s home directory and its files. Apple allows apps that market themselves as anti-adware and anti-malware to gain access to the home directory files.
The Adware Doctor was supposed to clean adware but it was collecting and exfiltrating “any user file.” After collecting all the data, the app zipped it into an archive file and sent it to servers in China. The app doesn’t ask for the user’s permission to exfiltrate their browsing history at any point. It is clearly “deceiving the user,” said Wardle.
Wardle added that it’s a “MASSIVE” privacy issue. A person’s browsing history offers a deep dive into almost every aspect of their life. In the past, people have “even been convicted of murder based largely on their internet searches.” The fact that Adware Doctor has been stealing users’ data for years is “rather f#@&’d up!”
Apple hasn’t removed the app from the Mac App Store
Wardle is hoping that the increased media attention will force Apple to take down the app, especially considering it violates many App Store guidelines and rules. The security researcher had informed Apple about the app several weeks ago, and urged it to pull the app from the Mac App Store and refund all the affected users. Apple hasn’t yet removed the app, though it had promised to investigate.
The Cupertino company has done nothing since last month to punish a bad actor with nefarious motives, especially when the bad actor is one of the most popular apps. Wardle has urged Apple once again to pull the app and refund users. Even if Apple chooses to refund users, people are never going to get their private browsing history back. The tech giant takes a 30% cut from revenues generated by apps.
Patrick Wardle has previously worked at the National Security Agency, and he currently runs his own firm Digita Security.