macOS apps are stealing user data

[German]There is a nasty trend in Apple’s macOS App Store: Security researchers have independently found different apps that are collecting sensitive user data and uploading it to servers controlled by the developer.


Last week I reported in my German blog that Apple had banned the popular security app Adware Doctor for macOS from the App Store (see Apple wirft Adware Doctor aus dem macOS App-Store). The reason was that the app transferred the user's browsing history to a server in China. Now security researchers have found evidence that more apps collect user data and transfer it to foreign servers. This is called data exfiltration:

Trend Micro apps seem to collect data too

This article reports that more apps have been found in the macOS App Store that collect the user's browsing history and forward it to the app developer's server. These are apps like Dr. Unarchiver, Dr. Cleaner and so on, all published in the Apple Store by the developer “Trend Micro, Inc.”.

If the user grants those apps access to the home directory, the app can read the files stored there and their contents. The article advises users to think twice before granting this to store apps.

Apps of the developer “Trend Micro, Inc.” ask after download from the Apple Store whether they may access the home directory. The promise is that the app will be able to perform virus scans or clean up caches if it has that access.

But now another reason becomes apparent: the real reason, it is reported, is to collect user data, especially browser histories, and upload it to the vendor's analysis servers. First hints can be found as early as December 2017 in the Malwarebytes forum, where someone writes:


The crapware of Trend is even hijacking your browsing history and uploading it to their servers in a zip archive with the password “novirus”

I wonder where it is specified in their terms and conditions that we will steal your browsing history

Analysis of an app
(Source: Malwarebytes-Forum)

In this blog post, someone is currently discussing the various apps from Apple's App Store. On Twitter, @privacyis1st (who also uncovered the Adware Doctor story) picked up the story:

Apparently all apps from “Trend Micro, Inc.” on the Mac App Store notoriously have the ‘tendency’ to collect the browsing history of browsers like Safari, Google Chrome and Firefox and transfer it to Trend Micro servers. The apps also collect information about other apps installed on the system. This happens when one of the Trend Micro apps is started: the app collects the data, packs it neatly into a ZIP file and transfers it to the developer's server. The following video shows the behavior.

(Source: YouTube)

This behavior has been confirmed. After extracting a zip file with the Dr. Unarchiver app, it offered the option “Quick Clean Junk Files”. Selecting “Scan” opened a file dialog with the home directory preselected, which is how the app obtains access to the user's home directory. This access is needed to collect the browsers' history files. Once the app had been granted access to the home directory, it collected the user's private data and uploaded it to its servers (the editors blocked the upload with a proxy).
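To make the sequence just described concrete from a defender's point of view, here is an added example (not from the original article or from any vendor mentioned on this page) that scans constructed file-access and network telemetry for a process that reads Safari, Chrome or Firefox history files it does not own, writes a ZIP archive and then connects outbound. The tab-separated record format, the process name "ExampleCleaner" and the address are assumptions.

```python
import re
from collections import defaultdict

# Browser history locations under a macOS home directory (the files the page names).
HISTORY_PATTERNS = [
    re.compile(r"/Library/Safari/History\.db$"),
    re.compile(r"/Library/Application Support/Google/Chrome/[^/]+/History$"),
    re.compile(r"/Library/Application Support/Firefox/Profiles/[^/]+/places\.sqlite$"),
]
BROWSER_PROCESSES = {"Safari", "Google Chrome", "firefox"}  # may read their own DB

def is_history_file(path):
    """True if path is a Safari, Chrome or Firefox history database."""
    return any(p.search(path) for p in HISTORY_PATTERNS)

def parse_event(line):
    """One tab-separated record: timestamp, process, action, target (hypothetical format)."""
    ts, proc, action, target = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "proc": proc, "action": action, "target": target}

def find_exfiltration_candidates(lines):
    """Flag processes that read a browser history file they do not own, then
    wrote a .zip archive and made an outbound connection (the sequence described above)."""
    state = defaultdict(lambda: {"history": set(), "zip": set(), "net": set()})
    for line in lines:
        ev = parse_event(line)
        p, target = ev["proc"], ev["target"]
        if ev["action"] == "open" and is_history_file(target) and p not in BROWSER_PROCESSES:
            state[p]["history"].add(target)
        elif ev["action"] == "write" and target.lower().endswith(".zip"):
            state[p]["zip"].add(target)
        elif ev["action"] == "connect":
            state[p]["net"].add(target)
    return {p: s for p, s in state.items() if s["history"] and s["zip"] and s["net"]}

# Constructed sample telemetry, not a real capture; "ExampleCleaner" and the address are placeholders.
SAMPLE_EVENTS = [
    "10:00:01\tGoogle Chrome\topen\t/Users/alice/Library/Application Support/Google/Chrome/Default/History",
    "10:00:05\tExampleCleaner\topen\t/Users/alice/Library/Safari/History.db",
    "10:00:05\tExampleCleaner\topen\t/Users/alice/Library/Application Support/Google/Chrome/Default/History",
    "10:00:06\tExampleCleaner\twrite\t/private/tmp/report.zip",
    "10:00:07\tExampleCleaner\tconnect\t203.0.113.10:443",
    "10:00:09\tTextEdit\topen\t/Users/alice/notes.txt",
]

if __name__ == "__main__":
    for proc, d in find_exfiltration_candidates(SAMPLE_EVENTS).items():
        print(proc, sorted(d["history"]), sorted(d["net"]))
```

Chrome reading its own History file is deliberately not flagged; only a non-browser process that completes all three steps is reported.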

The article here enumerates the apps and points out that Apple boasted the following at its WWDC 2018 keynote:

You know, one of the reasons that people choose Apple products is because of our commitment to security and privacy. And we believe that your private data should remain private, not because you’ve done something wrong or that you have something to hide but because there can be a lot of sensitive data on your devices, and we think you should be in control of who sees it.

This statement from Apple has now unfortunately turned out to be vaporware. And it is certain that the apps in question are very popular with Mac users. Bleeping Computer writes here that the apps have been removed from the store and provides additional information.

Information from Malwarebytes

I received a statement from Malwarebytes via press release. The security vendor says it has recently seen a very worrying trend emerging in the Mac App Store: several security researchers have independently found different applications that collect sensitive user data and upload it to servers controlled by the originator of the application. Some of this data is sent to Chinese servers, which, according to Malwarebytes, may not be subject to the same strict requirements for the storage and protection of personal data as companies based in the EU or the US.

Security researcher Patrick Wardle has recently published an article describing the behavior of an app called Adware Doctor that exfiltrates the following data:

  • Safari browser history
  • Chrome browser history
  • Firefox browser history
  • A list of all running processes
  • A list of the software that was downloaded and where it was downloaded from

Most of this is data that App Store apps are not supposed to access, let alone exfiltrate. To enumerate running processes, the app had to bypass Apple's protection, which normally prevents such apps from accessing that data. The developers of the app found a vulnerability that allowed them to access this data despite Apple's restrictions.

  • Adware Doctor: Malwarebytes has been keeping an eye on the developer of this app since 2015. Back then, Malwarebytes discovered an app in the App Store called Adware Medic, a direct copy of its own highly successful app of the same name, which later became Malwarebytes for Mac. Malwarebytes contacted Apple to have the app removed. It was eventually removed, but soon replaced by an identical app called Adware Doctor.
  • Open Any Files: RAR Support: This app came onto Malwarebytes' radar at the end of last year. There are a number of fraudulent applications like this one that abuse the system's handling of documents the user has no suitable app for as a means of advertising other products. The typical behavior is that when the user opens an unknown file, the app advertises some antivirus software to scan the file or the computer and tells the user that they may not be able to open the file because it is infected. Interestingly, this software was designed to promote a seemingly well-known antivirus product, which looked like an abuse of that product's affiliate program.
  • Dr. Cleaner: Other apps from the same developer also collect data. Malwarebytes analyzed the data collected by Dr. Cleaner. There is no good reason for a “cleaner” app to collect such user data, even if the user were informed about it, which was not the case with Dr. Cleaner.

Interestingly, the drcleaner[dot]com website was found to have been used to promote the app. WHOIS records identified a person resident in China, with an email address from , as the registered owner of the domain.

What does it all mean?

It's obvious that the Mac App Store isn't the safe haven for legitimate software that Apple wants it to be and promotes it as. For years, junk software has been found in the App Store, as Malwarebytes has been saying for some time. This isn't new information, but these cases show a depth to the problem that most users aren't yet aware of.

Malwarebytes has been reporting such software to Apple through various channels for years, and there is rarely an immediate effect. In some cases compromised apps were removed very quickly, although in some of these cases they also came back very quickly (as with Adware Doctor). In other cases it took up to six months for a reported app to be removed.

Malwarebytes strongly recommends treating the App Store as you would any other download source: as potentially dangerous. A free app from the App Store may seem completely innocent and harmless, but if you have to give it access to data as part of its expected functionality, you don't know how that data will be used.

For more details on this and other apps that steal user data, see the official Malwarebytes blog. Once again a bit of trust is lost, not to mention the image damage for Apple. The term ‘snake oil’ for such tools doesn't seem to have come out of nowhere. Anybody out there affected?
