Researchers caught more popular Mac App Store apps secretly stealing users’ data and sending it to a remote server. Apple is working to remove the apps.

Researchers have discovered even more shady Apple Store apps that steal and secretly upload user data to servers in China.

“The privacy thing has gotten totally out of control,” said Apple CEO Tim Cook to CNN this summer. “I think most people are not aware of who is tracking them, how much they’re being tracked and sort of the large amounts of detailed data that are out there about them.”

Cook was actually aiming at Facebook’s data collection when he reiterated that Apple believes “privacy is a fundamental human right.”

Shortly thereafter at Apple’s Worldwide Developers Conference, Craig Federighi, Apple’s senior vice president of software engineering, outlined new security and privacy protections built into the new macOS 10.14 Mojave. “One of the reasons people choose Apple products is because of our commitment to security and privacy,” he said. “We believe that your private data should remain private.”

Apps likened to spyware

By extension, most Apple users seem to believe that apps from the official Mac App Store are as trustworthy and safe as Apple claims. Unfortunately, some top apps available in Apple’s Mac App Store have been likened to spyware, which cares little about users’ privacy. First it was the security-scanning Adware Doctor app – listed fourth on the Mac App Store’s list of top paid apps until it was removed – that was “stealing” users’ files and privacy.

Security researcher Privacy1st provided video proof and then security researcher Patrick Wardle did an in-depth write-up of how Adware Doctor was secretly exfiltrating users’ sensitive files and browser history and sending it on to a server in China.

Privacy1st, Wardle and Thomas Reed from Malwarebytes Labs then discovered several other top apps from the official Mac App Store had the same malicious behavior as Adware Doctor.
They include Dr. Antivirus, Dr. Cleaner, Dr. Unarchiver, and Open Any Files: RAR Support.

Hey @TrendMicro . Your MacOS app Dr.Unarchiver is doing same user data exfiltration. You are soo shady… kudos to @_inside for finding. @AppleSupport @Apple @thomasareed @patrickwardle @BleepinComputer @Malwarebytes @TheHackersNews @9to5mac @MacRumors @ZDNet pic.twitter.com/5GGEkV5dvH — Privacy 1st (@privacyis1st) September 9, 2018

TrendMicro apps among those exfiltrating user data

Perhaps the most shocking claim is that some of those macOS apps are TrendMicro’s.

Hey @TrendMicro Told you that you are acting shady… Check the PoC: https://t.co/TnAQiKjxHS . Both Dr. Cleaner and Dr. Antivirus are exfiltrating user data. Check video and screenshots. First reported by @thomasareed . @patrickwardle @BleepinComputer pic.twitter.com/R8xGBRYm18 — Privacy 1st (@privacyis1st) September 8, 2018

9to5Mac claimed, “The certificate issued for the domain drcleaner.com leaves no doubt that the apps are in fact distributed by Trend Micro.”

9to5Mac added:

“Inspecting the files the app archives and uploads to their servers revealed the full browser history for Safari, Google Chrome and Firefox, separate files specifically dedicated to storing the user’s recent Google searches on the same browsers and a file containing a complete list of all apps installed on the system, including information about where they were downloaded from, whether they are 64-bit compatible and their code signature.”

Come to find out this was reported on the Malwarebytes forum back in 2017.

Reed wrote on Malwarebytes Labs that most of the App Store apps should not be accessing, much less stealing, the data. Besides Adware Doctor, Reed described the sketchy behavior exhibited by Open Any Files: RAR Support, Dr. Antivirus, and Dr. Cleaner.

It is worth noting that Reed discovered “the drcleaner[dot]com website was being used to promote these apps.
WHOIS records identified an individual living in China, and having a foxmail.com email address, as being the registered owner of the domain.”

Apple removing data-stealing apps

After a long delay of doing nothing when the apps were reported, Apple is acting and removing the data- and privacy-stealing apps now. “It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be,” wrote Reed.

“I strongly encourage you to treat the App Store just like you would any other download location: as potentially dangerous. Be cautious of what you download. A free app from the App Store may seem perfectly innocent and harmless, but if you have to give that app access to any of your data as part of its expected functionality, you can’t know how it will use that data. Worse, even if you don’t give it access, it may find a loophole and get access to sensitive data anyway.”