The Apple App Store is widely regarded and recommended as the best way to get programs for your Mac. After all, Apple states that "The safest place to download apps for your Mac is the Mac App Store. Apple reviews each app before it's accepted by the store…". But what if one of the apps claiming to clean your computer of adware and malware turns out to be malicious itself? That seems to be the case with Adware Doctor.
Adware Doctor has risen to become one of the most popular paid apps in the Apple App Store. It is the top paid utility app, and the fourth paid app overall, giving it a spot on the App Store's main page. However, there has been some controversy in its history. When the app was first released, it was called Adware Medic. It was removed after Malwarebytes complained, since Malwarebytes had released its own app named Adware Medic first. A few days later the app reappeared as Adware Doctor. Many of the highly rated reviews are also suspected to be fake, posted to boost the app's popularity.
Adware Doctor has been revealed to secretly collect a user's internet browsing history from multiple browsers, as well as the active processes running on the computer, and then send that information to a server located in China. A security researcher with the Twitter handle @privacyis1st discovered the behavior and teamed up with another researcher, Patrick Wardle, to delve deeper into the app.

Adware Doctor requests access to the user's files, which would be a legitimate need for a malware scanner. However, it abuses that access by collecting browsing history from Chrome, Firefox, and Safari, as well as search history within the App Store and a list of running processes on the machine. That by itself violates Apple's rules, since the app breaks out of the sandbox to enumerate the processes.
The app then archives this information into a zip file, history.zip, and sends it off to a web server located in China, adscan.yelabapp.com.
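The two concrete indicators the article gives for this exfiltration are the collection host adscan.yelabapp.com and the archive name history.zip. The following is an added defender-side example, not code from the article or from the researchers, showing how those indicators can be matched against outbound DNS and HTTP records. The key=value log format and every log line below are constructed for the example; the process names and timestamps are assumed, not captured data.

```python
"""Flag outbound traffic matching the Adware Doctor exfiltration indicators.

Added example for this article, not the researchers' or Apple's code. It
assumes a simple 'key=value key=value' proxy/DNS log format (constructed
here) and matches the two indicators the article names.
"""
import re
from urllib.parse import urlsplit

# Indicators named in the article: the collection host and the archive name.
IOC_DOMAINS = {"adscan.yelabapp.com"}
IOC_FILENAMES = {"history.zip"}

# Constructed sample log (not real captures): benign traffic plus two
# records that match the indicators. Process names are assumed.
SAMPLE_LOG = """\
ts=2018-09-07T10:01:02Z type=dns host=apple.com. proc=nsurlsessiond
ts=2018-09-07T10:01:05Z type=dns host=ADSCAN.YELABAPP.COM. proc=AdwareDoctor
ts=2018-09-07T10:01:06Z type=http method=POST url=http://adscan.yelabapp.com/upload?f=history.zip bytes=48213 proc=AdwareDoctor
ts=2018-09-07T10:02:11Z type=http method=GET url=https://www.mozilla.org/ bytes=1200 proc=firefox
ts=2018-09-07T10:03:00Z type=http method=POST url=https://cdn.example.net/api bytes=900 proc=Safari
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'key=value ...' record into a dict (empty dict if malformed)."""
    return dict(KV_RE.findall(line))


def normalize_host(host):
    """Lower-case the name and strip the trailing dot that DNS logs often add."""
    return host.lower().rstrip(".")


def host_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = normalize_host(host)
    return any(host == d or host.endswith("." + d) for d in domains)


def flag_record(rec):
    """Return the list of reasons this record matches an indicator ([] if none)."""
    reasons = []
    if rec.get("type") == "dns" and host_matches(rec.get("host", ""), IOC_DOMAINS):
        reasons.append("dns lookup of IoC domain")
    if rec.get("type") == "http":
        url = rec.get("url", "")
        host = urlsplit(url).hostname or ""
        if host_matches(host, IOC_DOMAINS):
            reasons.append("http request to IoC domain")
        # The article describes an upload of history.zip, so only POSTs count here.
        if rec.get("method") == "POST" and any(fn in url.lower() for fn in IOC_FILENAMES):
            reasons.append("upload of IoC file name")
    return reasons


def scan_log(text):
    """Scan a log blob and return (timestamp, process, reasons) for each hit."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        reasons = flag_record(rec)
        if reasons:
            hits.append((rec.get("ts"), rec.get("proc"), reasons))
    return hits


if __name__ == "__main__":
    for ts, proc, reasons in scan_log(SAMPLE_LOG):
        print(ts, proc, "; ".join(reasons))
```

Matching on a subdomain as well as the exact host, and normalizing case and the trailing dot, keeps the rule from being trivially missed by a differently formatted log line; pairing the DNS hit with the HTTP upload by process name is what turns one indicator into a usable alert.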
The researchers disclosed their findings to Apple over a month ago, but Apple appeared to take no action on them.
The app remained on the store. However, when the researchers finally went public with their findings, the app was quickly removed. Along with Adware Doctor and another app by the same developer called AdBlock master, Apple removed three other related apps that were accused of exfiltrating browsing and search histories: Open Any Files, Dr. Antivirus, and Dr. Cleaner. Apple has yet to comment on why it took so long to remove the malicious apps that flagrantly violated the rules, or how they got past App Store review in the first place.
Sources:
• https://thehackernews.com/2018/09/mac-adware-removal-tool.html#commentbox
• https://threatpost.com/apple-finally-boots-sneaky-adware-doctor-app-from-mac-app-store/137319/
• https://objective-see.com/blog/blog_0x37.html