When a group of security researchers reported a popular but allegedly dangerous Mac App Store utility to Apple, noting that it secretly sends “highly sensitive user information” to an “unscrupulous” developer, Apple’s response for a full month was surprising: “crickets.” But after a cluster of bad press today, Apple finally pulled Yongming Zhang’s app Adware Doctor: Anti Malware &Ad from the store.
Three researchers, former NSA staffer Patrick Wardle, Thomas Reed of Malwarebytes, and “privacy fighter” @privacyis1st, said in a blog post today that they reported Adware Doctor last month for sending a user’s Safari, Chrome, Firefox, and App Store browsing histories, alongside lists of the Mac’s installed apps and running processes, to a server in China. Despite confirmation that Apple had received the report, the $5 app remained in the App Store — where it was ranked the number one paid app across all Mac utilities.
The researchers noted that Adware Doctor appeared to blatantly violate Apple’s sandboxing security policies for Mac apps, using software tricks to gather and exfiltrate private usage data in ways that shouldn’t be possible under Apple’s Mac App Store policies. Moreover, the privacy implications are serious: They write that sharing that information even once is a serious violation of user privacy, as “your browsing history provides a glimpse into almost every aspect of your life,” but the app’s data gathering has apparently been going on for some time, possibly years.
Most troublesome is that Adware Doctor continued to operate despite the Mac App Store’s pledge of being “the safest place to download apps for your Mac,” and Apple’s claim that “if there’s ever a problem with an app, Apple can quickly remove it from the store.” The operative word there is “can,” as the researchers say that they saw no action by Apple to pull the app for a month, during which time users continued to unknowingly suffer from privacy violations. Rather than following up on the report immediately, Apple only removed the app after the blog post began to pick up traction online.
It should be noted that there is more than one “Adware Doctor” in the Mac App Store. Similarly named apps from two other developers remain in the utilities section of Apple’s official online shop, both at the same $5 price point, but with lower user ratings. In addition to alleging privacy violations, the blog post accuses the developer of using fake user ratings to pump up Adware Doctor’s profile, and says that’s another issue that Apple isn’t properly dealing with in the App Store — potentially because of the money it generates from continued sales of popular apps, regardless of their merits.
A related article from Malwarebytes notes that Dr. Cleaner, Dr. Antivirus, and Open Any Files: RAR Support all use similar practices to harvest user data. It also details how Adware Doctor started life in 2015 as a “direct rip-off” of Malwarebytes’ own Adware Media app, was pulled from the store years ago, but was eventually renamed and allowed back into the Mac App Store by Apple.