Apple recently revealed a new set of rules that app developers must follow. From October, App Store developers will have to state clearly and explicitly how users’ personal data is used, secured and shared.
Adware Doctor, an app which costs $4.99 to purchase, describes itself as software able to “prevent malware and malicious files from infecting your Mac,” and recommends purchase in the case of slow systems, web browser hijacking, and evidence of adware — including popups and unwanted ads.
The application currently holds spot number four in Apple’s list of top paid software. Adware Doctor is also the current top grossing application in the utility category.
However, according to security researcher Patrick Wardle, the app acts more like spyware than a way to protect against infiltration, as Adware Doctor “surreptitiously exfiltrates highly sensitive user information.”
In a blog post published Friday, Wardle said the app appears to completely ignore Apple’s developer guidelines as it covertly collects user browsing history and transfers it to a server in China.
A security researcher who goes by the name Privacy1st — as well as John Maxx on YouTube — posted a video which explores what appears to be the app’s underhanded behavior in depth.
In the video, the app is shown collecting browsing history, packaging it into a .zip archive and then sending the file to a server located in China.
Wardle examined these findings further, downloading the app and observing that it sends various network requests over HTTPS, pulls JavaScript files from remote servers and downloads its signature database, which contains hashes of known adware and spyware.
However, once users click “clean,” the option that is supposed to remove such infections from the machine, things become more interesting.
Upon execution of the ‘cleaning’ session, the app creates an archive file, names it history.zip, and then packs the captured browser data into it.
The app is reportedly able to collect user browser data because of the catch-all permissions it requests on install; permissions users are likely to grant without a second thought, given Adware Doctor’s high ranking and generally positive reviews.
“At no point does Adware Doctor ask to exfiltrate your browser history,” Wardle says. “And its access to this very private data is clearly based on deceiving the user.”
Wardle says that Apple was contacted a month ago with the findings and the company promised to investigate.
However, at the time of writing, the app is still available to download from the App Store.
“A few days ago, the API endpoint (or perhaps the subdomain), adscan.yelabapp.com went offline,” the researcher added. “It is not clear why this was the case. Perhaps the ‘Adware Doctor’ developers saw @privacyis1st’s that identified this issue? Or maybe it’s just down for maintenance, as other related API endpoints remain active.”
“The version of the application in the official Mac App Store still (locally) collects all aforementioned data and still attempts to exfiltrate it,” Wardle continued. “Thus, the developer, at any time, could bring this API endpoint back online and resume data collection!”
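The behavior described above gives a defender two things to look for: outbound lookups of the exfiltration domain Wardle named, and an archive that bundles browser history databases. The following script is an added example written for this article, not code from Wardle’s write-up or from Apple; the DNS log format and the sample archive are constructed for the demonstration, the artifact file names are the standard history database names of Safari, Chrome and Firefox, and treating the parent domain yelabapp.com (rather than only the adscan subdomain) as suspect is an assumption based on Wardle’s remark that other related API endpoints remained active.

```python
import io
import re
import zipfile

# Parent domain of the endpoint named in the article (adscan.yelabapp.com).
# Assumption: related API endpoints share this parent domain.
SUSPECT_DOMAINS = ("yelabapp.com",)

# Well-known browser history database file names on macOS. Assumption: the
# archive keeps the original file names, as Wardle's description suggests.
HISTORY_ARTIFACTS = {
    "History.db": "Safari",
    "History": "Chrome/Chromium",   # bare name; may match unrelated files
    "places.sqlite": "Firefox",
}

# Constructed sample DNS resolver log, not real data from the article.
SAMPLE_DNS_LOG = """\
2018-09-07T10:01:02Z host=mac-01 query=adscan.yelabapp.com. type=A
2018-09-07T10:01:05Z host=mac-01 query=www.apple.com. type=A
2018-09-07T10:02:11Z host=mac-02 query=API.YELABAPP.COM type=AAAA
2018-09-07T10:03:40Z host=mac-01 query=notyelabapp.com. type=A
"""

QUERY_RE = re.compile(r"query=(\S+)")


def normalize_domain(name):
    """Strip the trailing dot of an FQDN and lower-case it for comparison."""
    return name.rstrip(".").lower()


def matches_suspect(domain):
    """True if domain equals a suspect domain or is a subdomain of one."""
    d = normalize_domain(domain)
    return any(d == s or d.endswith("." + s) for s in SUSPECT_DOMAINS)


def find_suspect_queries(log_text):
    """Return the log lines whose queried name belongs to a suspect domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_suspect(m.group(1)):
            hits.append(line)
    return hits


def browser_history_in_zip(zip_bytes):
    """Map archive member paths to the browser whose history file they look like."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base in HISTORY_ARTIFACTS:
                found[info.filename] = HISTORY_ARTIFACTS[base]
    return found


def build_sample_history_zip():
    """Construct a stand-in for the history.zip the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Safari/History.db", b"constructed placeholder, not a real database")
        zf.writestr("Chrome/Default/History", b"constructed placeholder")
        zf.writestr("notes.txt", b"unrelated file")
    return buf.getvalue()


if __name__ == "__main__":
    for line in find_suspect_queries(SAMPLE_DNS_LOG):
        print("suspect DNS query:", line)
    for member, browser in browser_history_in_zip(build_sample_history_zip()).items():
        print(f"{member}: looks like {browser} history")
```

In practice the DNS check would run over the resolver or endpoint-security logs of the fleet, and the archive check over any history.zip found on a host that has Adware Doctor installed. Note that matching the bare name History is deliberately loose and will need review for false positives.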
This is not the first time Adware Doctor has drawn the attention of security researchers. Back in 2016, it appears the app was abusing AppleScript in order to elevate applications. The claim has also been made that Adware Doctor may have jumped up the app ranks through fake reviews.