macOS is touted as the most secure operating system; however, the recent spate of attacks suggests that may not be the case. Recently, hackers revealed that the Adware Doctor app steals sensitive user data.
Adware Doctor steals your macOS browsing history
Ironically, the Adware Doctor app has been secretly storing the browsing history of users and sending it to a Chinese server.
Renowned security researcher Patrick Wardle was the first to discover this. The hacker also alerted Apple about this a month ago and, thankfully, the app is no longer on the App Store.
The app ranked fourth among the most downloaded applications, only behind Final Cut Pro and Logic Pro X. Further, it was the most downloaded paid app, with a price of $4.99.
Initially, the app was named Adware Medic, a name that actually belonged to Malwarebytes, which led Apple to remove it. However, the developer renamed it Adware Doctor and Apple approved the app again.
How Adware Doctor exfiltrated user data to a Chinese server
Patrick Wardle decided to investigate it after German hacker Privacy 1st detected suspicious behavior of the app.
Top Sold MacOS AppStore application is ROGUE. Adware Doctor is stealing your privacy. PoC: https://t.co/LmveX593q0 #malware #virus #MacOS #Apple #MacBook #MacBookPro #CyberSecurity #privacy #GDPR #Hacking #hackers #cyberpunk #Alert
— Privacy 1st (@privacyis1st) August 20, 2018
Analyzing the app, he discovered that Adware Doctor created a password-protected .zip file named history.zip, which was then sent to a server located in China. The password was included in the application code.
The app saved the browsing history from Chrome, Firefox, and Safari web browsers, as well as the apps that the user downloaded and their source.
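As an added example (not code from the article or from Objective-See), the following Python check flags the staging pattern described above: a single encrypted zip that bundles history files from several browsers. The browser history file names are assumed from the standard locations of each browser, and the sample archive is constructed inline.

```python
"""Flag zip archives that look like staged browser-history exfiltration
(an encrypted archive bundling Chrome, Firefox and Safari history files).
Added example; not the article's or Objective-See's code."""
import io
import zipfile

# Assumed history file names (standard per-browser locations, not taken from the page):
# Chrome  ~/Library/Application Support/Google/Chrome/Default/History
# Firefox ~/Library/Application Support/Firefox/Profiles/*/places.sqlite
# Safari  ~/Library/Safari/History.db
HISTORY_FILES = {"History": "Chrome", "places.sqlite": "Firefox", "History.db": "Safari"}
ZIP_ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: member is password-protected


def assess_archive(data: bytes) -> dict:
    """Report which browsers' history files an archive holds and whether it is encrypted."""
    hits, encrypted = [], False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base in HISTORY_FILES:
                hits.append((HISTORY_FILES[base], info.filename))
            if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                encrypted = True
    browsers = sorted({browser for browser, _ in hits})
    # Encrypted + history from two or more browsers is the pattern worth alerting on.
    return {"browsers": browsers, "members": hits, "encrypted": encrypted,
            "suspicious": encrypted and len(browsers) >= 2}


def build_sample_history_zip(encrypted: bool = True) -> bytes:
    """Constructed sample 'history.zip' with three history files.
    The stdlib cannot write encrypted zips, so the encryption bit is set by
    patching the flags field (offset 8) of each central-directory record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("Chrome/History", "Firefox/places.sqlite", "Safari/History.db"):
            zf.writestr(name, b"SQLite format 3\x00")  # constructed placeholder content
    raw = bytearray(buf.getvalue())
    if encrypted:
        pos = raw.find(b"PK\x01\x02")
        while pos != -1:
            raw[pos + 8] |= ZIP_ENCRYPTED_FLAG
            pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    print(assess_archive(build_sample_history_zip()))
```

On a real machine the same check would be run over archives found in temporary or application-support directories, where nothing legitimate should be packaging browser databases.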
Normally, sandboxing prevents one application from accessing the contents of another. However, Adware Doctor has universal access, which is reasonable for a tool that scans for malware.
Using these permissions, the app freely enumerated running processes with Apple's GetBSDProcessList code.
The server to which the information was exfiltrated has been deactivated, likely due to the attention it has now received. But the developer could simply redirect his app to a new server or reactivate the existing one later.
Wardle reported the app on August 7 and received no response from Apple. Surprisingly, it took Apple over 30 days to remove the app from the Mac App Store, which is quite pathetic for a company that puts privacy and security above all else.
(Source – Objective-See)