No. 1 paid utility in Mac App Store steals browser history, sends it to Chinese server




Adware Doctor, the number one paid utility in the Mac App Store, is secretly logging the browser history of users, and sending it to a server in China.

Security researcher Patrick Wardle says that he has notified Apple of this, but the malware app still remains in the Mac App Store today …


Threatpost notes that everything about the app would appear legitimate.

The app is currently listed on Apple's Mac App Store as the company's fourth-highest "Top Paid" software program, behind Final Cut Pro, Magnet and Logic Pro X. It is also the store's No. 1 paid utility. The app currently costs $4.99, is validly signed by Apple, and its listing on the App Store is aided by a majority of lavishly positive [likely fake] five-star reviews. Adware Doctor promotes its app as preventing "malware and malicious files from infecting your Mac."

The app originally posed as Adware Medic, an app owned by Malwarebytes, leading Apple to pull it. But when it changed its name to Adware Doctor, it was allowed back on the App Store.

Wardle did a deep dive into the app to find out what it was doing, after being alerted to it by Privacy 1st.

He found that the app creates a password-protected archive called history.zip. It then uploads that file to a server which appears to be based in China. Wardle found that the password was hard-coded, enabling him to open the zip file and examine its contents. He found that it contained browser history from Chrome, Firefox and – yes – Safari.

Wardle notes that sandboxing ought to prevent this, but Adware Doctor requests universal access when first run – which would be expected to allow a malware scan, so would not appear suspicious. However, he found that the app was also able to access running processes, something that sandboxing should still prevent.

Ironically, he found that the app circumvents this protection by using Apple's own code.

It's (likely) just a copy and paste of Apple's GetBSDProcessList code (found in Technical Q&A QA1123, "Getting List of All Processes on Mac OS X"). Apparently this is one of the sandbox app! I'm guessing this method is unsanctioned (as it clearly goes against the design goals of sandbox isolation). And yes, rather amusing the code Adware Doctor uses the sandbox, is directly from Apple!

The app also logs the apps you've downloaded, and their source.

It may be easily reactivated, but it may not be easily reactivated.

Wardle says his greatest concern is why Apple has left the malware in the Mac App Store. We're reaching out to Apple for the future.

