No. 1 paid utility in Mac App Store steals browser history, sends it to Chinese server

Adware Doctor, the number one paid utility in the Mac App Store, is secretly logging the browser history of users, and sending it to a server in China.

Security researcher Patrick Wardle says that he notified Apple of this a month ago, but the malware app still remains available in the Mac App Store today …

Threatpost notes that everything about the app would appear legitimate.

The app is currently listed on Apple’s Mac App Store as the company’s fourth-highest “Top Paid” software programs, behind Final Cut Pro, Magnet and Logic Pro X. It is also the store’s No. 1 paid utility. The app currently costs $4.99, is validly signed by Apple, and its listing on the Mac App Store is accompanied by a majority of lavishly positive [likely fake] five-star reviews. Adware Doctor promotes its app as preventing “malware and malicious files from infecting your Mac.”

The app originally posed as Adware Medic, an app owned by Malwarebytes, leading Apple to pull it. But when it changed its name to Adware Doctor, Apple allowed it back into the App Store.

Wardle did a deep dive into the app to find out what it was doing, after being alerted to it by Privacy 1st.

He found that the app creates a password-protected archive called It then uploads that file to a server which appears to be based in China. Wardle found that the password was hard-coded, enabling him to open the zip file and examine its contents. He found that it contained browser history from Chrome, Firefox and – yes – Safari.
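A password-protected ZIP like the one described above can usually be triaged before the password is known, because standard ZIP encryption covers file contents only and leaves entry names, sizes and the per-entry encryption flag readable. The sketch below is an added example, not code from Wardle's analysis or from the app; the entry names in the sample are assumptions based on the usual on-disk names of browser history stores, and the sample archive is constructed.

```python
import io
import struct
import zipfile

# Usual file names of browser history stores (assumed to appear in such an archive).
HISTORY_NAMES = {"History": "Chrome", "places.sqlite": "Firefox", "History.db": "Safari"}


def triage_archive(data):
    """List the entries of a ZIP without decrypting anything.

    Reads only the central directory: name, size, and general-purpose flag
    bit 0, which marks an entry as encrypted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & 0x1),
                "size": info.file_size,
                "browser": HISTORY_NAMES.get(base),  # None if not a known store
            })
    return findings


def build_constructed_sample():
    """Constructed sample: a small ZIP whose entries are marked encrypted.

    Python's zipfile cannot write encrypted members, so the flag bit is set by
    patching the headers. Payloads are placeholders and are never read.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in ("Chrome/History", "Firefox/places.sqlite",
                     "Safari/History.db", "notes.txt"):  # constructed names
            zf.writestr(name, b"placeholder")
    raw = bytearray(buf.getvalue())
    # The flag field sits 6 bytes into a local header, 8 into a central one.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = raw.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", raw, pos + off)
            struct.pack_into("<H", raw, pos + off, flags | 0x1)
            pos = raw.find(sig, pos + 4)
    return bytes(raw)
```

Running `triage_archive(build_constructed_sample())` reports four encrypted entries and tags three of them with the browser whose history store they match.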

Wardle notes that sandboxing ought to prevent Mac apps getting access to data belonging to other apps, but that Adware Doctor requests universal access when first run – which would be expected to allow a malware scan, so wouldn’t appear suspicious. However, he found that the app was also able to access running processes, something that sandboxing should still prevent.

Ironically, he found that the app circumvents this protection by using Apple’s own code.

It’s (likely) just a copy and paste of Apple’s GetBSDProcessList code (found in Technical Q&A QA1123 “Getting List of All Processes on Mac OS X”). Apparently this is how one can get a process listing from within the application sandbox! I’m guessing this method is unsanctioned (as it clearly goes against the design goals of sandbox isolation). And yes, rather amusing the code Adware Doctor uses to skirt the sandbox, is directly from Apple!

The app also logs the apps you’ve downloaded, and their source.

As of the time of writing, the server collecting the data is offline, possibly as a result of the attention it has now received, but it could be easily reactivated.

Wardle says his greatest concern is why Apple has left the malware in the Mac App Store a month after he alerted the company to his findings. We’ve reached out to Apple for comment and will update with any response.
