Top antivirus tool nuked from macOS App Store – after it phoned browser histories to China

Apple has removed an app called Adware Doctor:Anti Malware &Ad from the macOS App Store following claims it sent users' browser histories to a remote server in China. The app's misbehavior was first noted by a security researcher who goes by the name Privacyis1st on Twitter and claims to have alerted Apple to the weirdness in …

  1. vtcodger Silver badge

    China is stealing data that rightfully belongs to Google. Outrageous!!! Donald Trump will be coding a patch to prevent this ever happening again and will be posting it on Twitter and Github shortly.

  2. Jay Lenovo
    Facepalm

    App Store with a Soyuz Hole

    Maybe Apple's sandbox security considers China's Gobi Desert a valid destination?

  3. Anonymous Coward

    GDPR test case?

    Appledroid.... Aren't Apple normally praised for store curation?

    The mobile "no idea where an app comes from" aspect is bad.

    With desktop installs, the source of apps is more obvious, etc.

    It's time apps were linked to verified 'author' background info.

    But now Google wants to try to obfuscate the URL in Chrome?...

    1. Anonymous Coward

      Re: GDPR test case?

      App makers shouldn't be allowed to hide behind minimalist App Store design, or deliberate lack of transparency by store owners or app authors, etc. This latest privacy scandal involves a non-free app. For Fatcatax alone, there has to be company name / registered company location / bank name plus account location info on file just to publish (for non-free apps anyway, etc.)!

  4. Anonymous Coward

    I won't touch most of the Mac App Store apps with a 10-foot stylus! Especially all those "memory cleaner" apps.

  5. Anonymous Coward

    "We have received your e-mail, your Ticket # is, we will investigate"

    "Why I am saying that "Apple does not care" is because I did contact their review team via e-mail many times, providing lots of information on what is going on and the only reply I got is that: "We have received your e-mail, your Ticket # is, we will investigate"."

    #Snippet from:

    https://forums.appleinsider.com/discussion/192947/mac-appstore-apps-with-fake-reviews

    This is the exact same response that is given from Google when trying to alert them of bogus "Antivirus/Cleaner" apps on the Play Store.

    Some of these apps are "advertised" by hijacking the user's mobile Chrome browser or Facebook browser, exploiting the "navigator.vibrate([])" JavaScript function of mobile browsers to make the user's phone vibrate while showing full-screen fake virus warnings that link to the dodgy apps on the Play Store under threat of loss of data or SIM card damage.

    These apps request every permission available and abuse Android's accessibility API, and usually contain a half dozen or more advertising SDKs as well as Facebook's Graph API.

    Most of these apps phone home with lists of installed apps, precise location, surrounding Wi-Fi SSIDs, any connected Bluetooth devices and more.

    And of course fraudulent user reviews as stated in the links:

    "2. The manipulation system of the reviews. Customers are manipulated to buy products when they see that other fake buyers are saying that the product is so "great"."

    I think it is very interesting that this is mentioned:

    "It turned out that this app’s behavior was very similar to the current behavior of Adware Doctor. It was uploading a file named file.zip to the following URL:

    update.appletuner.trendmicro.com/1/upload/search_keywords/

    From my own dealings with a similar dodgy app on Android, there is also a well known "security" company that is "collaborating" with the developer.

    Both Apple and Google need to purge all these "Antivirus/Cleaner" apps from their stores if they want to gain users' trust back.

    I feel these dodgy "security" apps are worse than all the others because they exploit users fears and lack of technical knowledge and do the exact opposite of what the app claims to do.

  6. Anonymous Coward

    Now here is something interesting...

    I uploaded the URL that was in the Malwarebytes link "update.appletuner.trendmicro.com/1/upload/search_keywords/" into Censys.io, looked at the IPv4 results and got several pages that appeared to be uploads of .jpeg images.

    This might not have anything to do with the app(s) in question, but may be worth looking into.

    https://censys.io/ipv4/188.166.222.109/raw#http

    https://censys.io/ipv4/47.95.109.118/raw#http

    They appear to be Facebook image uploads and when adding the IP directly to a Chrome browser it has a box for an "access token" much like Facebook's Graph API.

    (But what do I know)

  7. steelpillow Silver badge
    Facepalm

    Top stuff

    If you were a top motor car brand, would you allow any self-promoting clown to add their product to your approved accessories catalogue and then wait for a series of lethal accidents before pulling it? No, you would take some care to assure yourself of their respectability.

    If you were a top food franchise, would you allow any self-promoting clown to add their product to your range and then wait for a rash of lethal allergic reactions before pulling it? No, you would take some care to assure yourself of their respectability.

    If you were a top smartphone maker ... oh.

    1. Anonymous Coward

      Re: Top stuff

      /If you were a top motor car brand, would you allow any self-promoting clown to add their product to your approved accessories catalogue and then wait for a series of lethal accidents before pulling it? No, you would take some care to assure yourself of their respectability.

      I've worked for a couple of top global motor brands, and they certainly would not take any care because hardware makers simply can't understand software.

  8. Anonymous Coward

    How many millions of downloads?

    Every sensational Android story leads with this information, it's mysteriously missing from this downplayed story...

    Go figure ...

    1. Pascal Monett Silver badge

      Re: downplayed

      Downplayed? The very title uses "nuked", "phoned" and "China". That feels pretty in-the-face to me and not downplayed at all.

      It also clearly states that the app was the 4th highest grossing, which makes the whole thing rather on the important side. I agree that the number of downloads is indeed missing, but if your app is in the top ten money-makers, we're not talking thousands, that's for sure.

    2. Anonymous Coward

      Re: How many millions of downloads?

      Troll

  9. Anonymous Coward

    That's the problem with AV apps

    Whether on phones or PCs, they need access to a lot of stuff to do their job. Making it easy for someone to make an illegitimate one - probably by making it work "honestly" at first and only adding the evil capability in updates. I doubt Apple looks at updates quite as closely as the initial version.

    I'm shocked that an AV app is the #4 grosser on the iPhone. Are so many people really that brainwashed by their experience on PCs that they are paying for an AV app on the iPhone? Almost certainly the only malware they've ever had on their phone is this particular app!

    I wonder if a lot of enterprises require BYOD employees to install "AV" on their phone before they will allow them to connect to the corporate network? It would be doubly ironic if some of these companies had this app on their 'recommended' list, and they're responsible for their employees choosing this one (and its high ranking in the app store).

    1. 45RPM

      Re: That's the problem with AV apps

      @DougS

      Where do iOS and Android come into it? This is about the Mac App Store. And of course the Mac App Store isn't totally safe - even just using the computer as stock, with no additional software, isn't completely safe (unless you're using it in a bunker with no network connection). This is, and this applies to all platforms, about degrees of risk.

      Safest is to use it as stock with software updates from the OS vendor only.

      Next safest is to install only software from major vendors via the App Store.

      Next is to install only signed software from major vendors via other means, or software from any other bugger on the App Store.

      Then signed software from any other bugger.

      Then unsigned software that you believe to be safe.

      Then riskiest is to install stuff like ILuvPussy, which purports to display pictures of fresh cats every day, and which was acquired from specialist website pop-ups on the seedy underbelly of the Internet.

    2. Anonymous Coward

      Re: That's the problem with AV apps

      That's what I get for not reading carefully I guess. I suppose I'm about 1000x less shocked that an AV app is the top grosser in the Mac app store than I was when I thought it was in the iOS app store. Probably a far lower bar to hit #4 in the Mac app store.

      Anyone know if Apple conducts the same sort of review process for the Mac app store? Even if they do, the iOS app store and iOS itself include a lot of protections the Mac doesn't, like against interpreted code, downloadable code, etc.

      Since an AV app has to download stuff anyway for new virus definitions and the like, it would be easy for it to download an executable that does the nasty stuff, uploads its payload, then deletes itself. Then the next time it checks for updated definitions, does the same thing all over again... That wouldn't be possible on iOS because it couldn't execute what it downloaded, since iOS will only run signed code. The Mac obviously is fully capable of running unsigned code.

      Even if you had the source code and reviewed it line by line, you'd never find anything wrong with that AV product, since the nasty work is hidden in an ephemeral download.

      1. 45RPM

        Re: That's the problem with AV apps

        @DougS

        Well, in my experience… I thought that they did. They certainly don't seem to spend any less time buggering around over my macOS noodlings than they do over my iOS efforts. I supposed that they were carrying out (entirely necessary) due diligence. But I'm slightly miffed if they reject (as they occasionally do) one of my apps over a minor meta-data transgression and yet allow something this monumentally nasty through.

        Humpf. (goes off to sulk)

    3. Chairman of the Bored Silver badge

      Re: That's the problem with AV apps

      @DougS, Enterprises forcing users to install dodgy AV apps per BYOD? In my experience, heck yes.

      I've definitely suffered far more at the hands of bad AV than viruses. I'm thinking of cleaning up the radwaste left behind by McAfee products here.

      And then we have the Good for Enterprise app ecosystem - a system that sucks so badly it is indistinguishable from malware. I wonder what sort of attack surface Good presents... hmmm.

  10. Anonymous Coward

    The first thing that struck me?

    Macs don’t get viruses.

    1. 45RPM

      Re: The first thing that struck me?

      @ac

      Technically (and I realise that you're engaging in a little light-hearted humorous trolling), macOS has trojans (like this) by the boat load (ro-ro). It has viruses, adware and malware in rather smaller numbers (perhaps a bus load). It has no worms, as far as I'm aware.

      I have run anti-virus software on my Mac since I first got one (System 6 days), and even then there were viruses.

      Even when Mac OS X came out (for a few years after launch, before macOS got fashionable, there were no viruses, adware or malware, just a few trojans), I kept running AV software (ClamXAV), because ClamXAV also scans for non-Mac malware (and I didn't want to pass on a bug, even if my machine was immune).

      Of course, I continue to run AV software because macOS, Linux and Windows are all plagued now.

  11. adam payne Silver badge

    Adware Doctor:Anti Malware &Ad

    Even the name sounds dodgy


Biting the hand that feeds IT © 1998–2020