Security researcher Patrick Wardle says one of the most popular apps on the Mac App Store "surreptitiously exfiltrates highly sensitive user information" and is likely exporting it to China.
On his website Objective-See.com, working with the Twitter account @privacyis1st, which was first to spot the issue, Wardle lays out the case that Adware Doctor is stealing users' browser histories.
Wardle also says that he and @privacyis1st told Apple about the issue a month ago, but that the $4.99 Adware Doctor app — from a mysterious developer named "Yongming Zhang" — was available in the Mac App Store early Friday. The app has since disappeared from the storefront.
Wardle first accused the app of having abused AppleScript in 2016, and of leaving fake reviews. He and the @privacyis1st account then demonstrate, through static and dynamic analysis, that Adware Doctor is taking its users' browser history and exfiltrating it.
The conclusion is that Apple, which touts safety and high standards when it comes to the apps it allows in its stores, has allowed a bad actor with a high spot in its rankings to manipulate the system and steal user data. And, despite Wardle having told Apple over a month ago, the company has done nothing about it.
"First, there is rather a MASSIVE privacy issue here. Let's face it, your browsing history provides a glimpse into almost every aspect of your life. And people have even been convicted of murder based largely on their internet searches," Wardle writes. "The fact that application has been surreptitiously exfiltrating users' browsing history, possibly for years, is, to put it mildly, rather f#@&'d up!"
He concludes by asking Apple again to take down the app and refund users.
Patrick Wardle, who formerly worked for the National Security Agency, is the founder and chief research officer of Digita Security. While he has a long body of Apple-related security work going back several years, recently he demonstrated the WINDSHIFT APT exploit in macOS, and he also discovered a separate "synthetic click" problem, also in macOS.
Updated to reflect Adware Doctor's removal from the Mac App Store.
19 Comments
Time to ramp up the tariffs.
Apple needs to clamp down more aggressively on stuff like this. And more openly, so that others get the message.
Unbelievable. I tried reporting this in the Mac App Store app but there is no such option! I tried leaving a review to warn others to not download the app, but you are required to buy the app before it lets you write a review.
I haven't been able to find the developer's website. The very first thing that comes up when searching the developer's name is that "Yongming Zhang" was a serial killer in China (he fed the flesh of his victims to innocent people):
https://en.wikipedia.org/wiki/Zhang_Yongming
Also, this developer is already known for being --at the very least-- deceiving. He's been caught making 5 star self-reviews repeatedly, like how this AI forum member reported here:
https://forums.appleinsider.com/discussion/192947/mac-appstore-apps-with-fake-reviews
This guy is probably an agent of the Chinese government syphoning browsing history data back to their intelligence unit so they can identify high-value American individuals (corporate or government) for hacking and espionage. Or equally worse, identifying computers with weak security for bank account thefts. Apple has to start cracking down HARD on data thieves (especially when it comes to national security issues). A great example to follow is what Valve does in Steam. If Valve finds developers making self-reviews, or posting fake reviews on Steam on one of their games, they ban the developer ENTIRELY, along with ALL their games.
https://arstechnica.com/gaming/2018/02/valve-bans-developer-after-employees-leave-fake-user-reviews/
And mind you, this is just for making fake reviews. Yongming Zhang is guilty of the far more serious crime of stealing user data and sending it to China. This developer has to get his account banned permanently from all Apple platforms, Google and Microsoft should also be notified to take action, and be reported to the authorities. This is no joke.
I think it might be worse than this.
I believe iGallery for Instagram, Komros Adware Remover, 1Doc: Word Processor for Writer, and Flixmate (a Netflix streamer for Mac) may also be coming from this same developer under other aliases. All are highly rated, tho how they accomplished that is questionable.
EDIT: AdBlock Master is yet another. Serious stuff....
Found this link that solidly associates those other names and apps with the likely-fake "Yongming Zhang" and Adware Doctor, confirming my earlier suspicions.
https://www.storefollow.com/dev/id1040450370