Best-selling Mac app acts like spyware

Apple recently revealed a new set of rules that app developers must follow. From October, App Store developers will have to clearly and explicitly say just how users' personal data is used, secured and shared in a transparent manner.

These new rules might cause one app developer, in particular, serious problems -- as it appears that Adware Doctor, one of the most highly-rated anti-adware apps in the store, is secretly harvesting user data and sending it to China without consent.

Adware Doctor, an app which costs $4.99 to purchase, describes itself as software able to "prevent malware and malicious files from infecting your Mac," and recommends purchase in the case of slow systems, web browser hijacking, and evidence of adware -- including popups and unwanted ads.

The application currently holds spot number four in Apple's list of top paid software. Adware Doctor is also the current top grossing application in the utility category.

However, according to security researcher Patrick Wardle, the app acts more like spyware than a way to protect against infiltration, as Adware Doctor "surreptitiously exfiltrates highly sensitive user information."

In a blog post published Friday, Wardle said the app appears to completely ignore Apple's developer guidelines as it covertly collects user browsing history and transfers it to a server in China.


A security researcher who goes by the name Privacy1st -- as well as John Maxx on YouTube -- posted a video which explores what appears to be the app's underhanded behavior in depth.

In the video below, the app is shown to collect and package up browsing history into a .zip archive before sending the file to a server located in China.

Wardle examined these findings further, downloading the app and finding that it sends various network requests over HTTPS. JS files are then pulled from servers, and the app's database, which contains hashes of known adware and spyware, is downloaded.

However, once users click "clean," the option for apparently removing such infections from a PC, things become more interesting.

Upon execution of the 'cleaning' session, the app creates the archive file, naming it history.zip, before compiling captured browser data.
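A defender-side check for the staging behavior described above, added here as an example and not taken from Wardle's research or from the app: it walks a directory tree and flags .zip archives that contain browser history databases. The history file names and the function names are assumptions; the article does not list the archive's contents.

```python
import os
import zipfile

# Assumed names: common on-disk names of browser history stores.
# The article does not say which files end up inside history.zip.
HISTORY_NAMES = {
    "history.db",     # Safari
    "history",        # Chrome / Chromium profiles
    "places.sqlite",  # Firefox
}


def history_members(zip_path):
    """Return archive members whose base name matches a browser history store."""
    try:
        with zipfile.ZipFile(zip_path) as zf:
            names = zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return []  # unreadable, or a .zip extension on a non-zip file
    hits = []
    for name in names:
        if name.endswith("/"):
            continue  # directory entry, not a file
        base = name.rsplit("/", 1)[-1].lower()
        if base in HISTORY_NAMES:
            hits.append(name)
    return hits


def scan_tree(root):
    """Walk root and map each flagged .zip path to its matching members."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".zip"):
                continue
            path = os.path.join(dirpath, fname)
            hits = history_members(path)
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        print(f"{path}: {', '.join(hits)}")
```

Pass the directory to inspect as the first argument; a hit means an archive holds a copy of a history database and is a lead for review, not proof of exfiltration.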

The app is reportedly able to collect user browser data because of the catch-all permissions it requests from the user on install; permissions users are likely to grant without a thought, given Adware Doctor's high ranking and generally positive reviews.

"At no point does Adware Doctor ask to exfiltrate your browser history," Wardle says. "And its access to this very private data is clearly based on deceiving the user."


Wardle says that Apple was contacted a month ago with the findings and the company promised to investigate.

However, at the time of writing, the app is still freely available to download.

"A few days ago, the API endpoint (or perhaps the subdomain), adscan.yelabapp.com went offline," the researcher added. "It is not clear why this was the case. Perhaps the 'Adware Doctor' developers saw @privacyis1st's that identified this issue? Or maybe it's just down for maintenance, as other related API endpoints remain active."


"The version of the application in the official Mac App Store still (locally) collects all aforementioned data and still attempts to exfiltrate it," Wardle continued. "Thus, the developer, at any time, could bring this API endpoint back online and resume data collection!"

This is not the first time Adware Doctor has drawn the attention of security researchers. Back in 2016, it appears the app was abusing AppleScript in order to elevate applications. The claim has also been made that Adware Doctor may have jumped up the app ranks through fake reviews.

Update 6.21pm BST: Malwarebytes has released additional research on Mac apps which are spying on users and stealing information.

Adware Doctor appears on the list, and according to the cybersecurity firm, Open Any Files acted in a very similar fashion to Adware Doctor, including the rampant exfiltration of user browser history.

This app was reported to Apple in December as suspicious but is still available to download.

"Recently, Open Any Files stopped exfiltrating this data, but we have retained the evidence from our observations," Malwarebytes added.

Another application, Dr. Antivirus, also appears to be up to the same tricks. Malwarebytes says that in addition to slurping browsing histories, it also contains a file named app.plist, which records detailed information about every application found on the system.

"It's blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be," Malwarebytes says. "We've reported software like this to Apple for years, via a variety of channels, and there is rarely any immediate effect."

The antivirus firm added that it can sometimes take Apple up to six months to remove an app deemed suspicious.

ZDNet has reached out to the app developer and Apple and will update if we hear back.
