A popular security-scanning app in the App Store is siphoning off users’ browsing history and sending it to a server in China.
New research on one of the most profitable apps in the official Mac App Store reveals that its developers are sidestepping Apple’s controls to “surreptitiously grab a user’s browser history and send it back to a company in China.” Even though it’s a clear violation of Apple’s data collection and storage rules, the app remains up and running in the store.
Adware Doctor, an app which costs $4.99 USD, describes itself as software able to “prevent malware and malicious files from infecting your Mac,” and recommends purchase for slow systems, web browser hijacking, and evidence of adware, including popups and unwanted ads.
A security researcher who goes by the name Privacy1st – as well as John Maxx on YouTube – posted a video which explores what appears to be the app’s underhanded behavior in depth.
In the video, the app is shown collecting and packaging browsing history into a .zip archive before sending the file to a server located in China.
Patrick Wardle, a former NSA hacker and currently chief research officer at Digita Security, followed up on these findings and found that Adware Doctor is stealing its users’ browser history from most popular web browsers, as well as recent App Store searches and a detailed list of processes running on the Mac, among other things.
“At no point does Adware Doctor ask to exfiltrate your browser history,” Wardle wrote. “And its access to such data is clearly based on deceiving the user.”
The researcher found that the app collects data about its users, particularly browsing history and a list of other software and processes running on a machine, stores that data in a locked file, and periodically sends it out to a server that appears to be located in China. All of these actions seem to violate the App Store’s developer guidelines, but while Apple was first notified about the concerns weeks ago, the app remains.
“This app is horrible, it just blatantly violates so many Apple App Store guidelines,” Wardle says. “And the reviews are just glowing, which is usually a sign that they’re fake. Apple exudes this hubris that ‘hey, we have this all figured out, you can trust us.’ But the reality is there’s this really shady, really popular app and they haven’t done anything.”