September 07, 2018Swati Khandelwal
A highly popular top-tier app in Apple’s Mac App Store that’s designed to protect its users from adware and malware threats has been, ironically, found surreptitiously stealing their browsing history without their consent, and sending it to a server in China.
What’s more concerning? Even after Apple was warned a month ago, the company did not take any action against the app.
The app in question is “Adware Doctor,” the Mac App Store No. 1 paid utility and also ranked as the fourth most popular paid app on the store, which sells for $4.99 and markets itself to be the “best app” to prevent “malware and malicious files from infecting your Mac.”
However, a security researcher with the @privacyis1st Twitter handle detected Adware Doctor’s suspicious spyware-like
behavior almost a month ago and also uploaded a proof-of-concept video
demonstration of how the user’s browser history is exfiltrated.
The researcher informed Apple about the Adware Doctor’s suspicious activity during that time, but the app, from a developer named “Yongming Zhang,” remained available in the Mac App Store.
Adware Doctor Sends Stolen User Data to Chinese Servers
The researcher then investigated Adware Doctor with ex-NSA staffer
Patrick Wardle, who deep dive into the app and today published a blog post,
saying that the app sidesteps Apple’s sandbox and covertly collects
users’ browser histories and then transfers it to a server in
China—which is blatant violations of Apple’s developer guidelines.
According to Wardle, Adware Doctor collects sensitive users’
data—primarily any website you’ve visited or searched for—from all the
popular web browsers including Chrome, Firefox, and Safari, and then
sends that data to Chinese server at http://yelabapp.com/ run by the
To do this, Adware Doctor bypasses Apple Mac App Store sandbox restrictions to be able to access, copy and upload user files from the Mac computer it is installed on.
“Now, an anti-malware or anti-adware tool is going to need legitimate access to user’s files and directories—for example, to scan them for malicious code,” Wardle explains.
“However, once the user has clicked Allow since Adware Doctor requested permission to the user’s home directory, it will have carte blanche access to all the user’s files. So yes will be able to detect and clean adware, but also collect and exfiltrate any user file, it so chooses!”
According to the technical process outlined in Wardle’s post, Adware
Doctor escapes Apple’s app sandbox and calls processes tied to popular
web browsers including Safari, Chrome and Firefox, and then compresses
history data into a ZIP archive, which is then uploaded to the server
via a call to the sendPostRequestWithSuffix method for exfiltration.
What’s more? Adware Doctor originally was named “Adware Medic,” which was clearly designed to mimic a different AdwareMedic app acquired and rebranded by MalwareBytes in 2015, Thomas Reed of MalwareBytes noted.
The app was removed from the store two years ago after MalwareBytes complained, and then it reappeared under Adware Doctor and becomes the Mac Store top paid utility—thanks to fake reviews.
Apple Ignored Researcher’s Report For 1 Month
Since the app has been violating numerous App Store Rules and Guidelines
by collecting users’ data without their consent and bypassing Apple’s
sandboxing protections, Wardle contacted Apple weeks ago about the
issue, but the company did nothing about it.
However, after Wardle’s blog post picked up by several media outlets, Apple finally removed Adware Doctor from the Mac App Store, along with the developer’s other app “AdBlock Master.”
Also, the Chinese server collecting the data from Adware Doctor users is currently offline, possibly because of the media attention the app has received.
Users who have already downloaded Adware Doctor are strongly advised to remove the app from their systems as soon as possible.