Popular Mac App Store Utilities Caught Siphoning User Data

Security researchers have uncovered a number of applications in Apple’s Mac App Store that are apparently sending sensitive user data back to their own servers.

The apps include some that are among the most popular on the US Mac App Store.

Several researchers uncovered the apps independently, finding that they were collecting and transmitting data including complete browsing histories and detailed information on the applications installed on a system.

Apple places restrictions on the system information that can be accessed by software on the Mac App Store, but researchers said the apps were able to get around these blocks.

Browsing history

Researcher Patrick Wardle said an app called Adware Doctor was collecting browsing histories from Safari, Chrome and Firefox as well as a list of all running processes.

The app also collects a list of what applications are installed on the system and where they originated, Wardle said.

“Most of this is data that App Store apps should not be accessing, much less exfiltrating,” wrote Thomas Reed of Malwarebytes in an advisory.

Reed said the app has gone by other names in the past and is a copy of an adware-scanning tool he himself had developed.

“We’ve continued to fight against this app, as well as others made by the same developer, and it has been taken down several times now, but in a continued failure of Apple’s review process, is always replaced by a new version before long,” Reed wrote.

Adware Doctor

Wardle said Adware Doctor was the fourth-highest grossing paid application on the App Store, and topped the category of paid utilities.

Reed said similar data-collecting behaviour had been observed from other popular apps, including Dr. Antivirus, Dr. Cleaner, and a scam application called Open Any Files: RAR Support, which promotes third-party antivirus software.

Some of the applications in question, namely Dr. Cleaner, Dr. Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder, are made by well-known antivirus firm Trend Micro, which denied user data had been compromised.

Trend said certain applications collected a one-off snapshot of users’ browser histories to determine whether they had recently encountered a known malicious website. The data was sent to a US-based server controlled by Trend, the company said.

It said it had decided to remove the browser history collection feature and had erased all the browser history data it had stored from previous collections. Browser data was previously stored for three months.

“The potential collection and use of browser history data was explicitly disclosed in the applicable EULAs and data collection disclosures accepted by users for each product at installation,” Trend said in a statement.

“We apologise to our community for concern they might have felt and can reassure all that their data is safe and at no point was compromised.”

App Store security

Researchers noted that insecure applications appeared to be repeatedly getting around Apple’s vetting process for the App Store.

“The Mac App Store is not the safe haven of reputable software that Apple wants it to be,” wrote Malwarebytes’ Reed. “These issues reveal a depth to the problem that most people are unaware of.”

He advised that users treat the App Store as they would any other download source, and exercise caution with software they acquire from it.

Apple did not immediately respond to a request for comment.

Researchers said that the spying apps had been removed from the Mac App Store following the publication of their advisories.