Apple boots apps that snaffled browser histories

Security researchers have uncovered a series of apps in Apple's App Store that acted suspiciously and exfiltrated users' browser data to various servers.

The apps include several by Trend Micro - which have now been removed from the store - as well as others including Adware Doctor and a utility called Open Any Files.

Thomas Reed, who heads up security vendor Malwarebytes’ Mac and Mobile division, has spent several years tracking different versions of 'Adware Doctor', which he alleged was a "direct rip-off" of a Malwarebytes app.

Adware Doctor was the fourth most popular program in Apple's App Store, and purported to remove common adware threats targeting macOS users.

Reed said that Adware Doctor had been taken down "several times" but always reappeared "before long".

However, Malwarebytes' commercial concerns with the app were bolstered recently when pseudonymous German security researcher Privacy1st and security researcher Patrick Wardle uncovered functions within Adware Doctor that sent complete browser histories of users to the developer's servers.

Upon inspection, Reed also uncovered other apps in the App Store that behaved in a similar fashion.

These included a utility called 'Open Any Files'. He said that Malwarebytes had seen "a number of different scam applications like this, which hijack the system’s functionality for handling documents that the user does not have an appropriate app to open, as a means for advertising other products…most often scams."

"The typical behaviour is that, when the user opens an unfamiliar file, this app (and others like it) opens and promotes some antivirus software for scanning the file or the computer, often telling the user that they might be unable to open the file because they are infected," he said.

In this case, Open Any Files appeared to prompt users to download a Trend Micro-made app, Dr Antivirus.

Open Any Files itself was also found to behave in a "very similar" manner to Adware Doctor, scooping up users' browser histories.

Reed said that Malwarebytes' investigation led them to examine Dr Antivirus's operation and that they then "observed the same pattern of data exfiltration as seen in Open Any Files".

Further apps made by Trend Micro were also found by Malwarebytes to exhibit similar behaviour.

That led Apple to remove the Trend Micro apps from its App Store, and for Trend Micro to come clean on the behaviour of the apps.

Trend Micro has confirmed its Dr Cleaner, Dr Cleaner Pro, Dr Antivirus, Dr. Unarchiver, Dr Battery, and Duplicate Finder utilities all collected users’ browser histories, which were sent to a server hosted on Amazon Web Services in the United States.

It denied the apps collected entire browser histories as some other apps uncovered by the security researchers appeared to.

Trend Micro said its apps "collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation."

"This was a one-time data collection, done for security purposes (to analyse whether a user had recently encountered adware or other threats, and thus to improve the product & service)," it said.

Trend Micro also said the collection was authorised because it "was explicitly disclosed in the applicable EULAs and ... accepted by users for each product at installation."

However, the vendor said it had now removed the browser history collection feature "across our consumer products in question" and purged any collected data from its logs.

It said it was working to have its apps reinstated to the Apple App Store.

The company blamed code shared across security and non-security apps for the browser history exfiltration.

Apple has not commented on the removal of the Trend Micro apps or revealed why the functionality was not discovered during tests before the apps were approved.

Clarification: An earlier version of this story incorrectly stated that Trend Micro's products sent user data to China. The story also incorrectly suggested Adware Doctor was a Trend Micro app. The story has subsequently been amended to correct the record.