Security researcher Patrick Wardle says one of the most popular apps on the Mac App Store "surreptitiously exfiltrates highly sensitive user information" and is likely exporting it to China.
On his website Objective-See.com, in collaboration with a Twitter account, called @privacyis1st, which was first to spot the issue, Wardle lays out the case that Adware Doctor is stealing users' browser histories.
Wardle also says that he and @privacyis1st told Apple about the issue a month ago, but that the $4.99 Adware Doctor app — from a mysterious developer named "Yongming Zhang" — was available in the Mac App Store early Friday. The app has since disappeared from the storefront.
Wardle first accused the app of having abused AppleScript in 2016, and of leaving fake reviews. But then he and the @privacyis1st account demonstrate, through static and dynamic analysis, that Adware Doctor is taking its users' browser history and exfiltrating it.
The conclusion is that Apple, which touts safety and high standards when it comes to the apps it allows in its stores, has allowed a bad actor with a high spot in its rankings to manipulate the system and steal user data. And, despite Wardle having told Apple over a month ago, the company has done nothing about it.
"First, there is rather a MASSIVE privacy issue here. Let's face it, your browsing history provides a glimpse into almost every aspect of your life. And people have even been convicted of murder based largely on their internet searches," Wardle writes. "The fact that application has been surreptitiously exfiltrating users' browsing history, possibly for years, is, to put it mildly, rather f#@&'d up!"
He concludes by asking Apple again to take down the app and refund users.
Patrick Wardle, who formerly worked for the National Security Agency, is the founder and chief research officer of Digita Security. While he has a long body of Apple-related security work going back several years, recently he demonstrated the WINDSHIFT APT exploit in macOS, and he also discovered a separate "synthetic click" problem, also in macOS.
Updated to reflect Adware Doctor's removal from the Mac App Store.