
This best-selling Mac app has been stealing your browsing history

Apple has removed from the Mac App Store an app that was secretly recording users’ app data and browsing history and sending the information to a server in China.

The Adware Doctor app, which is designed to scan macOS machines for malware and suspicious files and remove them, was in fact harvesting sensitive data and sending it off to that server.

Worryingly, the app appears to have been very widely used. It was the App Store’s No. 1 paid utility app and the fourth most popular paid app overall, with over 7,300 ratings giving it an average score of 4.8/5.

9to5Mac reports that Apple was warned about the app a month ago, but only today (September 7) has it been removed from the store. Apple had previously pulled the app for posing as Adware Medic, which is owned by Malwarebytes, but it was allowed back in once its name was changed to Adware Doctor.


The discovery was made by security researcher Patrick Wardle, who noticed that the app creates a password-protected archive and uploads it to a server in China without the user’s knowledge. Inside that file, named history.zip, was his browsing history from Safari, Firefox and Chrome, as well as a log of downloaded apps.

Because the app requests universal access in order to run its malware scan, the permissions it needs for data harvesting do not look out of place. According to Wardle, it is likely able to bypass sandboxing by using code copied from Apple.

He writes: “It’s (likely) just a copy and paste of Apple’s GetBSDProcessList code (found in Technical Q&A QA1123, “Getting List of All Processes on Mac OS X”). Apparently this is how one can get a process listing from within the application sandbox! I’m guessing this method is unsanctioned (as it clearly goes against the design goals of sandbox isolation). And yes, rather amusing that the code Adware Doctor uses to skirt the sandbox is directly from Apple!”

According to the researcher, that server is now down, but there’s no guarantee it won’t be switched back on again.

Should Apple have reacted faster in this instance? Sound off @TrustedReviews on Twitter.
