Apple prides itself on prioritizing user security and privacy. It counts the iOS and Mac App Stores, where customers can download an array of trusted, vetted software, as cornerstones of that initiative. But while the approach does minimize situations where users get tricked into downloading something nasty on the open web, malware inevitably slips through. In this case, that appears to include one of the most popular offerings in the Mac App Store.

Security-scanning app Adware Doctor currently sits fourth on the Mac App Store's list of top paid apps. But after a researcher who goes by Privacy 1st released a proof-of-concept video detailing suspicious behavior in the app, Mac security researchers Patrick Wardle of Digita Security and Thomas Reed of Malwarebytes independently investigated it as well.

The researchers found that Adware Doctor collects data about its users, particularly browsing history and a list of other software and processes running on a machine, stores that data in a locked file, and periodically sends it out to a server that appears to be located in China. (For what it's worth, they say it's also not a very good adware scanner.) All of these actions seem to violate the App Store's developer guidelines, but while Privacy 1st notified Apple about the concerns weeks ago, the app remains.

(Update: A few hours after this story was published—and several weeks after security researchers first contacted it—Apple removed Adware Doctor from the Mac App Store.)

Lily Hay Newman

"Unfortunately the App Store is really not the safe haven that Apple would like people to think it is," Reed says. "We detect and track a number of different suspicious apps in the App Store. Some of those have been removed quickly, and others have taken as much as six months to get removed. It’s not outright malware, but this junk software that’s stealing your data is pretty bad." Apple and Adware Doctor did not return multiple requests from WIRED for comment.

When a user downloads Adware Doctor, it requests permission to access the macOS "Home" folder. Because it's a top app from the Mac App Store, people likely grant that permission, assuming trustworthiness. But Wardle found that once the app has this permission, it quickly starts trying to collect user data in a way that violates both their privacy and Apple's rules.

Mac apps are siloed from each other, and from the operating system, in containers called "sandboxes," which keep programs from being able to access more than they need to function. But Adware Doctor uses the permissions users grant it to collect data, and then finds ways to get around some sandbox protections. Particularly, Wardle says the program tries different tactics to get information about the other software running on a user's computer.

'This app is horrible, it just blatantly violates so many Apple App Store guidelines.' Patrick Wardle, Digita Security

Some programs, like trustworthy antivirus scanners, use this capability safely and legitimately, but App Store apps aren't supposed to be able to access it from inside their sandboxes. And while macOS already has built-in defenses to defeat some of Adware Doctor's attempts, the app can ultimately gather a list of running programs and processes through a system application programming interface. To make matters worse, Wardle says the code Adware Doctor uses to build its list of running processes—which an attacker could use to gain information about a target's activities and network—is taken from examples Apple publishes as part of its documentation materials.