Security researchers have found more malicious apps that are exfiltrating data to servers without the user’s knowledge, all of which are available on Apple’s Mac App Store. Each of these apps managed to get past Apple’s submission process for the Mac App Store and was available alongside legitimate apps.
A Malwarebytes report states, “In some cases, the data is dispatched to servers in China, a country that doesn’t require the same stringent storage requirements as the United States or European countries for personal data. In cases like these, it is highly likely the data is being used for malicious purposes.”
The biggest malicious app in the list is Adware Doctor, which grabbed the first position among paid utilities in the Mac App Store. It first emerged on Friday, before being removed.
While the app claimed to remove adware, including extensions and cookies in browsers, Patrick Wardle says the “cleaning” process involves collecting the browsing history of the user, as well as a list of all running processes and a list of software downloaded to the Mac.
While Apple has processes in place to prevent such apps from accessing customers’ data without their knowledge, the app uses a loophole to work around the restrictions.
The app is also a clone of Adware Medic, which surfaced in 2015 as a copy of an app of the same name, originally created by the developer of Malwarebytes for Mac. At the time, it was removed when Apple was informed, but it returned with a new name, and Malwarebytes has repeatedly fought to take down clones of the app from the same company that keep appearing in the store.
Wardle also advised Apple about the app in early August, but the app has only just been removed from the Mac App Store, one month later.
The second app, Open Any Files, takes over a system’s ability to handle documents that are not associated with an existing app, using the opportunity to advertise other apps that supposedly could open the files. Aside from the extra affiliate-based behaviour, this app seemed to have similar characteristics to Adware Doctor, acquiring the browsing and search history of Safari, Chrome, and Firefox, as well as the App Store.
This was also reported to Apple in December 2017, but it is still available and can be found on the Mac App Store.
Dr Antivirus, discovered through Open Any Files, performs similar data collection, but with limitations imposed by macOS. The same data was collected and exfiltrated, but with the addition of a file detailing metadata of every application installed on the Mac.
Dr Cleaner, also created by the same developer, again collected data from the user’s Mac and sent it to a specific address. The discoveries of the malware call into question the safety of apps available from the Mac App Store, and Apple’s ability to make sure they are safe before making them available to purchase or download.
According to Malwarebytes, the company has reported such instances of malware to Apple for “years,” with barely any immediate action taken to remove the offending apps.
There is also an issue with developers who are found to be distributing malware not being blocked from the Mac App Store, as they return to the store many times with the exact same app in a short time.
Malwarebytes encourages users to “treat the App Store just like you would any other download location: as potentially dangerous.” While free apps may seem harmless, “if you have to give that app access to any of your data as part of its expected functionality, you can’t know how it will use that data.”
“Worse, even if you don’t give it access, it may find a loophole and get access to sensitive data anyway,” the firm adds.
Apple has a dedicated page for reporting such kinds of illegal activities, including malware that slips into the Mac App Store, which users can use to report them to Apple.