Apple prides itself on prioritizing user security and privacy. It counts the iOS and Mac App Stores, where customers can download an array of trusted, vetted software, as cornerstones of that initiative. But while the approach does minimize situations where users get tricked into downloading something nasty on the open web, malware inevitably slips through. In this case, that appears to include one of the most popular offerings in the Mac App Store.
Security-scanning app Adware Doctor currently sits fourth on the Mac App Store's list of top paid apps. But after a researcher who goes by Privacy 1st released a proof-of-concept video detailing suspicious behavior in the app, Mac security researchers Patrick Wardle of Digita Security and Thomas Reed of Malwarebytes independently investigated it as well.
The researchers found that Adware Doctor collects data about its users, particularly browsing history and a list of other software and processes running on a machine, stores that data in a locked file, and periodically sends it out to a server that appears to be located in China. (For what it's worth, they say it's also not a very good adware scanner.) All of these actions seem to violate the App Store's developer guidelines, but while Privacy 1st notified Apple about the concerns weeks ago, the app remains.
(Update: A few hours after this story was published—and several weeks after security researchers first contacted it—Apple removed Adware Doctor from the Mac App Store.1)
"Unfortunately the App Store is really not the safe haven that Apple would like people to think it is," Reed says. "We detect and track a number of different suspicious apps in the App Store. Some of those have been removed quickly, and others have taken as much as six months to get removed. It’s not outright malware, but this junk software that’s stealing your data is pretty bad." Apple and Adware Doctor did not return multiple requests from WIRED for comment.
When a user downloads Adware Doctor, it requests permission to access the macOS "Home" folder. Because it's a top app from the Mac App store, people likely grant that permission, assuming trustworthiness. But Wardle found that once the app has this permission, it quickly starts trying to collect user data in a way that violates both their privacy and Apple's rules.
Mac apps are siloed from each other, and from the operating system, in containers called "sandboxes," which keep programs from being able to access more than they need to function. But Adware Doctor uses the permissions users grant it to collect data, and then finds ways to get around some sandbox protections. Particularly, Wardle says the program tries different tactics to get information about the other software running on a user's computer.
Some programs, like trustworthy antivirus scanners, use this capability safely and legitimately, but App Store apps aren't supposed to be able to access it from inside their sandboxes. And while macOS already has built-in defenses to defeat some of Adware Doctor's attempts, the app can ultimately gather a list of running programs and processes through a system application programming interface. To make matters worse, Wardle says the code Adware Doctor uses to build its list of running processes—which an attacker could use to gain information about a target's activities and network—is taken from examples Apple publishes as part of its documentation materials.
"This app is horrible, it just blatantly violates so many Apple App Store guidelines," Wardle says. "And the reviews are just glowing, which is usually a sign that they're fake. Apple exudes this hubris that 'hey, we have this all figured out, you can trust us.' But the reality is there’s this really shady, really popular app and they haven't done anything."
Adware Doctor also turns out to have pushed the boundaries for years. Reed says that Malwarebytes originally started tracking it in 2015, when it was called Adware Medic, which was also the name of a legitimate scanner Reed had developed. Malwarebytes notified Apple and the company removed the app, but Reed says it resurfaced in the App Store within days as Adware Doctor.
Malwarebytes continued to track the app over the years and found it suspect, because the app’s functionality was limited—its protections are based on generic, open-source offerings rather than effective, tailored tools. But the new findings from Privacy 1st indicate that the app may have recently added expanded suspicious functionality through an update. "It’s been scammy for awhile, but that was new behavior that we hadn’t observed before," Reed says.
Adware Doctor also rides on a common strategy of posing as a security product to seem more trustworthy and gain the deeper system permissions that come with being a scanning tool. Apple doesn't allow most legitimate antivirus scanners into the App Store, though, because they require too much system access and can't comply with the App Store's more restrictive sandbox requirements. And this is likely confusing for users, who might naturally assume that the App Store is the best place to download security tools.
Wardle and Reed both say that they support the general concept and mission of the Mac App Store, and they appreciate Apple's efforts to vet apps. But they both note that Apple may not audit app updates as thoroughly as they do initial app submissions, and they note that Apple could improve the App Store simply by responding more quickly to researcher concerns.
For now, Wardle says that since Privacy 1st publicized his findings on Adware Doctor last week, the app has shifted to take the server that was receiving user data offline. But the app still tries to send it out, and the app’s developer could easily bring the server back online if scrutiny dies down.
Wardle notes that Apple's lack of responsiveness is a particularly bad look in this situation, since Adware Doctor is a top-selling app in the App Store, and Apple gets a cut of every app's earnings. "I don’t assume that Apple is being malicious, it’s probably just that they overlooked this." Wardle says. "But this app is presumably making Apple tons of money. If they pulled the app and then refunded customers' money that would help to illustrate their commitment to safety in the App Store."
Though malicious apps aren't unprecedented in the App Store, it's unusual for such a widely-downloaded app to come under scrutiny. And it's an important reminder that there's always some risk in downloading new software.
1 This story has been updated to reflect that Apple removed Adware Doctor several hours after this story was published.