Adware Doctor App Turns Out To Be Adware Itself

The Apple App Store is considered and recommended to be the best way to get programs for your Mac. After all, Apple states that “The safest place to download apps for your Mac is the Mac App Store. Apple reviews each app before it’s accepted by the store…”. But what if one of the apps claiming to clean your computer of adware and malware turns out to be malicious itself? That seems to be the case with Adware Doctor.

Adware Doctor has risen to become one of the most popular paid apps in the Apple App Store. It is the top paid utility app and the fourth paid app overall, giving it a spot on the app store main site. However, there has been some controversy in its history. When the app was first released, it was called Adware Medic. It was removed when Malwarebytes complained, because their own app named Adware Medic had been released first. A few days later the app reappeared as Adware Doctor. Many of the highly rated reviews are also suspected to be fake, posted to boost the app’s popularity.

Adware Doctor has been revealed to secretly collect a user’s internet browsing history from multiple browsers, as well as the active processes running on the computer, and then send that information to a server located in China. A security researcher with the Twitter handle @privacyis1st discovered the behavior and teamed up with another researcher, Patrick Wardle, to delve deeper into the app. Adware Doctor requests access to the user’s files, which would be a legitimate need for a malware scanner. However, it abuses that access by finding browsing history from Chrome, Firefox, and Safari, as well as search history within the app store and a list of running processes on the machine. That by itself violates Apple rules by breaking out of the sandbox to enumerate the processes.

The app then archives this information into a zip file, history.zip, and sends it off to a web server located in China, adscan.yelabapp.com.
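The behavior described above (one app reading several browsers' history databases, archiving the result, then connecting out) is a pattern a defender can look for in endpoint telemetry. The following is an added detection sketch, not code from the researchers or from the app; the `process|operation|target` event format, the sample events, the user path prefix and the owner process names are constructed assumptions.

```python
import re
from collections import defaultdict

# Default macOS history database locations for the three browsers named in the article.
HISTORY_DBS = {
    "chrome": re.compile(r"/Library/Application Support/Google/Chrome/[^/]+/History$"),
    "firefox": re.compile(r"/Library/Application Support/Firefox/Profiles/[^/]+/places\.sqlite$"),
    "safari": re.compile(r"/Library/Safari/History\.db$"),
}
# Assumed process names of the browsers themselves, which may read their own history.
OWNERS = {"chrome": "Google Chrome", "firefox": "firefox", "safari": "Safari"}

# Constructed events in a hypothetical "process|operation|target" telemetry format.
SAMPLE_EVENTS = """\
Safari|open|/Users/u/Library/Safari/History.db
Adware Doctor|open|/Users/u/Library/Safari/History.db
Adware Doctor|open|/Users/u/Library/Application Support/Google/Chrome/Default/History
Adware Doctor|open|/Users/u/Library/Application Support/Firefox/Profiles/abcd.default/places.sqlite
Adware Doctor|create|/Users/u/constructed/history.zip
Adware Doctor|connect|adscan.yelabapp.com
Backup Tool|open|/Users/u/Library/Safari/History.db
"""

def find_history_collectors(events, min_browsers=2):
    """Flag processes that read history databases of >= min_browsers foreign browsers."""
    reads = defaultdict(set)      # process -> browsers whose history it opened
    archives = defaultdict(set)   # process -> zip files it created
    hosts = defaultdict(set)      # process -> hosts it connected to
    for line in filter(None, (l.strip() for l in events.splitlines())):
        proc, op, target = line.split("|", 2)
        if op == "open":
            for browser, pattern in HISTORY_DBS.items():
                if pattern.search(target) and proc != OWNERS[browser]:
                    reads[proc].add(browser)
        elif op == "create" and target.lower().endswith(".zip"):
            archives[proc].add(target)
        elif op == "connect":
            hosts[proc].add(target)
    return {
        proc: {"browsers": sorted(b), "archives": sorted(archives[proc]),
               "hosts": sorted(hosts[proc])}
        for proc, b in reads.items() if len(b) >= min_browsers
    }

if __name__ == "__main__":
    for proc, detail in find_history_collectors(SAMPLE_EVENTS).items():
        print(proc, detail)
```

A tool that touches only one browser's history, like the constructed "Backup Tool" entry, stays below the threshold; the archive and host fields give the analyst the context needed to triage a hit.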

The researchers revealed their findings to Apple over a month ago, but Apple seemed to not do anything about it. The app remained on the store. However, when the researchers finally went public with their findings, the app was quickly removed. Along with Adware Doctor and another app by the same developer called AdBlock master, Apple removed 3 other related apps that were accused of exfiltrating browsing and search histories: Open Any Files, Dr. Antivirus, and Dr. Cleaner. Apple has yet to comment on why it took so long to remove the malicious apps that flagrantly violated the rules or how they got past the app store review in the first place.

Sources:

https://thehackernews.com/2018/09/mac-adware-removal-tool.html#comment-box

https://threatpost.com/apple-finally-boots-sneaky-adware-doctor-app-from-mac-app-store/137319/

https://objective-see.com/blog/blog_0x37.html