Popular Mac App Acts Like Spyware... Stole browsing history -- sent to China!
ONE OF MOST POPULAR MAC APPS ACTS LIKE SPYWARE
By LILY HAY NEWMAN 09.07.18 08:00 AM
APPLE PRIDES ITSELF on prioritizing user security and
privacy. It counts the iOS and Mac App Stores, where customers can download an
array of trusted, vetted software, as cornerstones of that initiative. But
while the approach does minimize situations where users get tricked into
downloading something nasty on the open web, malware inevitably slips through.
In this case, that appears to include one of the most popular offerings in the
Mac App Store.
Security-scanning app Adware Doctor currently sits fourth
on the Mac App Store's list of top paid apps. But after a researcher who goes
by Privacy 1st released a proof-of-concept video detailing suspicious behavior
in the app, Mac security researchers Patrick Wardle of Digita Security and
Thomas Reed of Malwarebytes independently investigated it as well.
The researchers found that Adware Doctor collects data
about its users, particularly browsing history and a list of other software and
processes running on a machine, stores that data in a locked file, and
periodically sends it out to a server that appears to be located in China. (For
what it's worth, they say it's also not a very good adware scanner.) All of
these actions seem to violate the App Store's developer guidelines, but while
Privacy 1st notified Apple about the concerns weeks ago, the app remains.
(Update: A few hours after this story was published—and
several weeks after security researchers first contacted it—Apple removed
Adware Doctor from the Mac App Store.)
"Unfortunately the App Store is really not the safe
haven that Apple would like people to think it is," Reed says. "We
detect and track a number of different suspicious apps in the App Store. Some
of those have been removed quickly, and others have taken as much as six months
to get removed. It’s not outright malware, but this junk software that’s
stealing your data is pretty bad." Apple and Adware Doctor did not return
multiple requests from WIRED for comment.
When a user downloads Adware Doctor, it requests
permission to access the macOS "Home" folder. Because it's a top app
from the Mac App Store, people likely grant that permission, assuming
trustworthiness. But Wardle found that once the app has this permission, it
quickly starts trying to collect user data in a way that violates both their
privacy and Apple's rules.
Mac apps are siloed from each other, and from the
operating system, in containers called "sandboxes," which keep
programs from being able to access more than they need to function. But Adware
Doctor uses the permissions users grant it to collect data, and then finds ways
to get around some sandbox protections. Particularly, Wardle says the program
tries different tactics to get information about the other software running on
a user's computer.
Some programs, like trustworthy antivirus scanners, use
this capability safely and legitimately, but App Store apps aren't supposed to be
able to access it from inside their sandboxes. And while macOS already has
built-in defenses to defeat some of Adware Doctor's attempts, the app can
ultimately gather a list of running programs and processes through a system
application programming interface. To make matters worse, Wardle says the code
Adware Doctor uses to build its list of running processes—which an attacker
could use to gain information about a target's activities and network—is taken
from examples Apple publishes as part of its documentation materials.
"This app is horrible, it just blatantly violates so
many Apple App Store guidelines," Wardle says. "And the reviews are
just glowing, which is usually a sign that they're fake. Apple exudes this
hubris that 'hey, we have this all figured out, you can trust us.' But the
reality is there’s this really shady, really popular app and they haven't done
anything."
Adware Doctor also turns out to have pushed the
boundaries for years. Reed says that Malwarebytes originally started tracking
it in 2015, when it was called Adware Medic, which was also the name of a
legitimate scanner Reed had developed. Malwarebytes notified Apple and the
company removed the app, but Reed says it resurfaced in the App Store within
days as Adware Doctor.
Malwarebytes continued to track the app over the years
and found it suspect, because the app’s functionality was limited—its
protections are based on generic, open-source offerings rather than effective,
tailored tools. But the new findings from Privacy 1st indicate that the app may
have recently added expanded suspicious functionality through an update.
"It’s been scammy for awhile, but that was new behavior that we hadn’t
observed before," Reed says.
Adware Doctor also rides on a common strategy of posing
as a security product to seem more trustworthy and gain the deeper system
permissions that come with being a scanning tool. Apple doesn't allow most
legitimate antivirus scanners into the App Store, though, because they require
too much system access and can't comply with the App Store's more restrictive
sandbox requirements. And this is likely confusing for users, who might naturally
assume that the App Store is the best place to download security tools.
Wardle and Reed both say that they support the general
concept and mission of the Mac App Store, and they appreciate Apple's efforts
to vet apps. But they both note that Apple may not audit app updates as
thoroughly as they do initial app submissions, and they note that Apple could
improve the App Store simply by responding more quickly to researcher concerns.
For now, Wardle says that since Privacy 1st publicized
his findings on Adware Doctor last week, the app has shifted to take the server
that was receiving user data offline. But the app still tries to send it out,
and the app’s developer could easily bring the server back online if scrutiny
dies down.
Wardle notes that Apple's lack of responsiveness is a
particularly bad look in this situation, since Adware Doctor is a top-selling
app in the App Store, and Apple gets a cut of every app's earnings. "I
don’t assume that Apple is being malicious, it’s probably just that they overlooked
this," Wardle says. "But this app is presumably making Apple tons of
money. If they pulled the app and then refunded customers' money that would
help to illustrate their commitment to safety in the App Store."
Though malicious apps aren't unprecedented in the App
Store, it's unusual for such a widely-downloaded app to come under scrutiny.
And it's an important reminder that there's always some risk in downloading new
software.
This story has been updated to reflect that Apple removed
Adware Doctor several hours after this story was published.