One of the oldest and most transparent malware tricks is the fake antivirus program, which gullible users are prompted to download with panicked banner ads and a dubious email from the FBI that “your cybers are infected and need cleaning.” It’s the malware equivalent of George Clooney’s crew turning up dressed as the cops in the Oceans movies, and normally, it only works for people still running Windows XP.

But according to a former NSA hacker turned security researcher, an app called Adware Doctor — which is the top-grossing paid app in the Utilities section of the Mac App Store — is secretly pilfering users’ browsing history without telling them. If his report (via TechCrunch) is accurate, Apple has known about the malicious behavior for weeks, but it still hasn’t done anything about it.

Patrick Wardle, the aforementioned security researcher, published a report into Adware Doctor on his blog. He credits Twitter user Privacy 1st with noticing the problem, but he conducts a thorough analysis to discover how Adware Doctor steals your browsing history, and where it sends the data to.

According to his analysis, Adware Doctor jumps through a number of hoops to steal and then upload your browser history from Chrome, Safari, and Firefox; the data is then compressed and set to a server in China, where something is done with it. This, as he clearly explains, is all unethical behavior:

At no point does Adware Doctor ask to exfiltrate your browser history. And its access to this very private data is clearly based on deceiving the user.

Beyond its mistreatment and blatant disrespect of user data, the fact that Adware Doctor “dances around” the Mac App Sandbox seems to clearly be another violation as well. For example, that fact that Apple blocks the invocation of ps illustrates the fact that sandboxed applications should not be enumerating running processes from within the sandbox. If an application developer finds away around this, this is still a violation.

More worrying than the specific abuse here is how Adware Doctor managed to sneak its malevolent intentions through Apple’s supposedly-watertight security. Apple is famously fanatical about its “walled garden” of apps, and every app that is available for download through Apple’s official stores has — in theory! — been vetted to make sure it complies with Apple’s rules. Not only did Adware Doctor make it through the review process, but Apple still doesn’t appear to have taken any action to remove the app from its store, even though Wardle said he informed Apple about its behavior a month ago.

Comments