Saturday, September 15, 2018

Adware Doctor App Turns Out To Be Adware Itself


The Apple App Store is considered and recommended to be the best way to get programs for your Mac. After all, Apple states that “The safest place to download apps for your Mac is the Mac App Store. Apple reviews each app before it’s accepted by the store...”. But what if one of the apps claiming to clean your computer of adware and malware turns out to be malicious itself? That seems to be the case with Adware Doctor.

Adware Doctor has risen to become one of the most popular paid apps in the Apple App Store. It is the top paid utility app, and the fourth paid app overall, giving it a spot on the app store main site. However, there has been some controversy in its history. When the app was first released, it was called Adware Medic. However, it was removed when Malwarebytes complained due to their app Adware Medic which was released first. A few days later the app reappeared as Adware Doctor. Many of the high rated reviews are suspected to be fake to boost the app’s popularity as well.

Adware Doctor has been revealed to secretly collect a user’s internet browsing history from multiple browsers, as well as active processes running on the computer, and then sending that information to a server located in China. A security researcher with the Twitter handle @privacyis1st discovered the behavior and teamed up with another researcher Patrick Wardle to delve deeper into the app. Adware Doctor requests access to the user’s files, which would be a legitimate need for a malware scanner. However, it abuses that access by finding browsing history from Chrome, Firefox, and Safari as well as search history within the app store and a list of running processes on the machine. That by itself violates Apple rules by breaking out of the sandbox to enumerate the processes.
The app then archives this information into a zip file, history.zip, and sends it off to a web server located in China, adscan.yelabapp.com.
The researchers revealed their findings to Apple over a month ago, but Apple seemed to not do anything about it.
The app remained on the store. However, when the researchers finally went public with their findings, the app was quickly removed. Along with Adware Doctor and another app by the same developer called AdBlock master, Apple removed 3 other related apps that were accused of exfiltrating browsing and search histories: Open Any Files, Dr. Antivirus, and Dr. Cleaner. Apple has yet to comment on why it took so long to remove the malicious apps that flagrantly violated the rules or how it got past the app store review in the first place.
Sources:
        https://thehackernews.com/2 018/09/mac­adware­removal­ tool.html#comment­box
        https://threatpost.com/apple­ finally­boots­sneaky­adware­ doctor­app­from­mac­app­ store/137319/ https://objective­ see.com/blog/blog_0x37.html