Apple has removed an app from the Mac App Store that was secretly recording users’ app data and browsing history and sending the information to a server in China.
The Adware Doctor app, which is marketed as a tool that scans macOS machines for malware and suspicious files and removes them, was in fact collecting sensitive user data and uploading it to a remote server.
Worryingly, the app appears to have been very widely used. It was the App Store’s No. 1 paid utility app and the fourth most popular paid software app overall, with over 7,300 ratings giving it an average score of 4.8/5.
9to5Mac reports that Apple was warned about the app a month ago, but only today (September 7) has it been removed from the store. Apple had initially purged the app for posing as Adware Medic, which is owned by Malwarebytes, but the app was allowed back in after it changed its name to Adware Doctor.
The discovery was made by security researcher Patrick Wardle, who noticed that the app creates a password-protected archive and uploads it to a server in China without the user’s knowledge. Inside that file, named history.zip, was his browser history from Safari, Firefox and Chrome, as well as a log of downloaded apps.
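As an added illustration (not code from the article, from Wardle, or from Adware Doctor), the following Python script shows how a defender could inspect an outbound archive like the history.zip described above and flag it when it contains browser history databases. The path patterns are assumptions based on the default macOS locations of the Safari, Firefox and Chrome history files, and the sample archive is constructed in memory rather than taken from the real app.

```python
"""Inspect a zip archive for browser-history artifacts.

Added example, not code from the article or from Adware Doctor.
The path patterns below are assumptions based on the default macOS
locations of each browser's history database.
"""
import io
import re
import zipfile

# Assumed default locations of browser history databases on macOS.
HISTORY_PATTERNS = {
    "safari": re.compile(r"(^|/)Library/Safari/History\.db$"),
    "firefox": re.compile(
        r"(^|/)Library/Application Support/Firefox/Profiles/[^/]+/places\.sqlite$"
    ),
    "chrome": re.compile(
        r"(^|/)Library/Application Support/Google/Chrome/[^/]+/History$"
    ),
}


def inspect_archive(data: bytes) -> dict:
    """Report which browsers' history files appear in the archive and how
    many entries are password-protected (flag bit 0 of the local header).
    Only the central directory is read, so encrypted entries are still
    enumerated without knowing the password."""
    browsers = set()
    encrypted = 0
    entries = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entries += 1
            if info.flag_bits & 0x1:
                encrypted += 1
            for browser, pattern in HISTORY_PATTERNS.items():
                if pattern.search(info.filename):
                    browsers.add(browser)
    return {
        "entries": entries,
        "encrypted_entries": encrypted,
        "browsers": sorted(browsers),
        # Any browser history leaving the machine in an archive is a red flag.
        "suspicious": bool(browsers),
    }


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the layout of a history.zip; the
    contents are placeholder bytes, not real browser data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Library/Safari/History.db", b"constructed safari db")
        zf.writestr(
            "Library/Application Support/Firefox/Profiles/abc.default/places.sqlite",
            b"constructed firefox db",
        )
        zf.writestr(
            "Library/Application Support/Google/Chrome/Default/History",
            b"constructed chrome db",
        )
        zf.writestr("downloads.log", b"constructed download log")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive with no history artifacts, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"constructed scan report")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_archive(build_sample_archive()))
    print(inspect_archive(build_benign_archive()))
```

Because the entry names live in the zip's central directory, the check works even when the archive is password-protected, which is exactly the case the article describes; a tool watching uploads could apply the same test before the archive ever leaves the host.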
Because the app requests universal access in order to run its malware scan, its data harvesting does not arouse suspicion. According to Wardle, it is likely able to bypass sandboxing by using code copied from Apple.
He writes: “It’s (likely) just a copy and paste of Apple’s GetBSDProcessList code (found in Technical Q&A QA1123 “Getting List of All Processes on Mac OS X”). Apparently this is how one can get a process listing from within the application sandbox! I’m guessing this method is unsanctioned (as it clearly goes against the design goals of sandbox isolation). And yes, rather amusing the code Adware Doctor uses to skirt the sandbox is directly from Apple!”
According to the researcher, the server is now down, but there’s no guarantee it won’t be switched back on again.
Should Apple have reacted faster in this instance? Sound off @TrustedReviews on Twitter.