Independent researchers have found a number of apps in the Mac App Store that steal data from users, acquiring sensitive information and sending it to the developer.
Security researchers have independently found apps “exfiltrating” data to servers without the user’s knowledge, all of which were available to download from Apple’s Mac App Store. Each of the apps made it through Apple’s submission process for the store and was available to download alongside legitimate apps.
Malwarebytes reports that, in some cases, the data is dispatched to servers in China, and that it is highly likely the data is being used for malicious purposes.
The biggest app on the list is Adware Doctor, which topped the chart for paid utilities in the Mac App Store before being removed after reports about it first emerged on Friday. The app claims to remove adware threats from a Mac, including browser extensions and cookies, but Patrick Wardle reports that the “cleaning” process involves collecting the user’s browsing history, a list of all running processes, and a list of software downloaded to the Mac.
While Apple has protections in place to prevent apps from accessing data they do not have permission to view, the app uses a loophole to work around those restrictions.
The app is also a clone: it first surfaced in 2015 under the name Adware Medic, copying the name of a legitimate app originally created by the developer of Malwarebytes for Mac. At the time, the app was removed after Apple was informed, but it returned under a new name, and Malwarebytes has repeatedly fought to take down clones of the app from the same company that keep appearing in the store.
Shortly after news of the app’s malicious nature circulated among other security researchers, the Chinese server went offline, preventing further data from being sent off but not halting the local collection of data for future dispatch. Wardle also reported the app to Apple in early August, but it has only just been removed from the Mac App Store, a month later.
A second app, Open Any Files, takes over the system’s handling of documents that are not associated with an existing app, using the opportunity to advertise other apps that can supposedly open the files. Aside from this affiliate-based behavior, the app was also found to share characteristics with Adware Doctor, acquiring the browsing and search history of Safari, Chrome, and Firefox, as well as the App Store.
While the app was reported to Apple in December 2017, it is still available to download from the Mac App Store.
Dr. Antivirus, discovered through Open Any Files, performs similar data collection, though with limitations imposed by macOS. The same data was collected and exfiltrated, with the addition of a file detailing metadata for every application installed on the Mac.
The same developer created Dr. Cleaner, which again collected data from the user’s Mac and sent it to a specific address.
The discovery of the malware calls into question the safety of apps available from the Mac App Store, and Apple’s ability to ensure they are safe before making them available to purchase or download. According to Malwarebytes, the company has reported such instances of malware to Apple for “years,” with barely any immediate action taken to remove the offending apps.
There is also the issue of developers found to be distributing malware not being blocked from the Mac App Store, as the creators are sometimes able to bring the exact same apps back to the store within a short space of time.
Malwarebytes encourages users to “treat the App Store just like you would any other download location: as potentially dangerous.” While free apps may seem harmless, “if you have to give that app access to any of your data as part of its expected functionality, you can’t know how it will use that data.”
“Worse, even if you don’t give it access, it may find a loophole and get access to sensitive data anyway,” the firm adds.
Apple has a dedicated webpage for reporting problems, including malware that slips into the Mac App Store, which users can use to alert the company to such issues.
Published: 9 September 2018