Adware Doctor was one of the most popular paid apps in the App Store. New research shows however, that the app is essentially spyware and is periodically transmitting user data to a server in China.

The app claimed to prevent “malware and malicious files from infecting your Mac,” and offered the ability to remove adware that is already on your system. According to security researcher, Patrick Wardle, once the app has been downloaded, it asks for high-level access to your system files and begins a process of working around Apple’s normal “sandboxing” protections.

Wardle describes in depth how Adware Doctor works on his blog “Objective-See.” Essentially, the app sidesteps Apple's sandboxing features and snags browser histories from Chrome, Firefox and Safari. "Now, an anti-malware or anti-adware tool is going to need legitimate access to user's files and directories -- for example to scan them for malicious code," Wardle explains. "However, once the user has clicked 'Allow,' since Adware Doctor requested permission to the user's home directory, it will have carte blanche access to all the user's files. So yes, it will be able to detect and clean adware, but also collect and exfiltrate any user file it so chooses!"

Wardle found that the downloaded app jumped through hoops to bypass Apple’s Mac sandboxing features, which prevent apps from grabbing data on the hard drive, and upload a user’s browser history on Chrome, Firefox and Safari browsers.

The app has since been removed, but it is unclear whether the app makers or Apple removed the app. It is notable that the app held the number four spot on paid apps while available for purchase and was on sale until it was removed.

Spyware is frequently downloaded accidentally from unverified files, like games from “free” websites.

Take Vigilant Technologies free  infrastructure assessment today!