Researchers reported that multiple apps in the Mac App Store were collecting user data without consent, and Apple removed the offending apps from the store. Trend Micro, whose apps were among those removed, is now disputing the claims against its software.
At least eight apps — six Trend Micro apps and two published by a developer who goes by the name “Yongming Zhang” — were found to be gathering data, including web browsing history, App Store browsing history and a list of installed apps, from user systems. Reports about the apps potentially stealing data first appeared on the Malwarebytes forum in late 2017, but the issues were confirmed recently by at least three individuals: Patrick Wardle, CEO and founder of Digita Security, a security researcher based in Germany who goes by the Twitter handle @privacyis1st, and Thomas Reed, director of Mac and mobile at Malwarebytes Labs.
Wardle dug into claims by @privacyis1st that the fourth-ranked paid app in the Mac App Store, Adware Doctor, published by “Yongming Zhang,” was stealing data. Wardle found that the app behaved normally at first; only when it came time to “clean” the user’s system did it collect the user’s browser history and a list of installed apps and send them off the machine.
“From a security and privacy point of view, one of the main benefits of installing applications from the official Mac App Store is that such applications are sandboxed. (The other benefit is that Apple supposedly vets all submitted applications – but as we’ve clearly shown here, they (sometimes?) do a miserable job),” Wardle wrote in a blog post. “When an application runs inside a sandbox it is constrained by what files or user information it can access. For example, a sandboxed application from the Mac App Store should not be able to access a user’s sensitive browser history. But Adware Doctor clearly found [a way].”
Trend Micro apps and company response
Adware Doctor and another app, Open Any Files: RAR Support, were developed by an unknown developer whose pseudonym matches the name of a notorious Chinese serial killer, Zhang Yongming, who was executed in 2013 after being convicted of killing 11 boys and young men. Beyond these two apps, Reed noted in his analysis that at least two Trend Micro apps appeared to be behaving improperly as well.
Examining Dr. Antivirus, Reed said he “saw the same data being collected and also uploaded in a file named file.zip to the same URL used by Open Any Files.” According to Reed, both Open Any Files and the Trend Micro apps were uploading the zip file to Trend Micro servers.
“Unfortunately, other apps by the same developer are also collecting this data. We observed the same data being collected by Dr. Cleaner, minus the list of installed applications,” Reed wrote in his analysis. “There is really no good reason for a ‘cleaning’ app to be collecting this kind of user data, even if the users were informed, which was not the case.”
Trend Micro confirmed that its apps Dr. Cleaner, Dr. Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery and Duplicate Finder had been removed from the Mac App Store, but denied that the apps were “stealing” data or sending it to servers in China.
The company said in its response that the Trend Micro apps were collecting and uploading “a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation,” but claimed this functionality was “for security purposes” and that the actions were permitted by users as part of the EULA agreed to on installation.
Trend Micro linked to a support page for Dr. Cleaner that lists browser history among the types of data collected with user permission. Reed, however, said on Twitter that he had kept archived copies of the apps and found no in-app notification about data collection in them.
Despite denying any wrongdoing, Trend Micro said it was taking steps to “reassure” users that their data was safe.
“First, we have completed the removal of browser collection features across our consumer products in question. Second, we have permanently dumped all legacy logs, which were stored on US-based AWS servers. This includes the one-time 24 hour log of browser history held for three months and permitted by users upon install,” Trend Micro wrote. “Third, we believe we identified a core issue which is humbly the result of the use of common code libraries. We have learned that browser collection functionality was designed in common across a few of our applications and then deployed the same way for both security-oriented as well as the non-security oriented apps such as the ones in discussion. This has been corrected.”
It remains unclear why Open Any Files, published under a different developer name, was uploading data to Trend Micro servers, or whether Trend Micro was the only party with access to the data uploaded by any of these apps.
Trend Micro did not respond to questions at the time of this post.
Apple’s responsibility in the Mac App Store
Although it is a central figure in the removal of the Trend Micro apps from the Mac App Store, the one company that has kept quiet is Apple. Apple has not made a public statement and did not respond to requests for comment at the time of this post.
Apple states, “The safest place to download apps for your Mac is the Mac App Store. Apple reviews each app before it’s accepted by the store, and if there’s ever a problem with an app, Apple can quickly remove it from the store.” Wardle said “it’s questionable whether these statements actually hold true,” given the number of apps found to be exfiltrating data, and pointed out that the Mac App Store has known problems with fake reviews propping up bad apps.
Stefan Esser, CEO of Antid0te UG, a security audit firm based in Cologne, Germany, also criticized Apple’s response to the claims apps in its store were stealing data.
“The fact that Apple was informed about this weeks ago and [chose] to ignore and that they finally reacted after bad press like two days before their announcement of new products for you to buy is for sure just coincidence,” Esser wrote on Twitter.
Reed, for his part, said it is best not to trust certain categories of apps in the Mac App Store at all.
“Be suspicious of every single antivirus on the App Store. Even the legit ones are junk because of the limitations that will prevent them from detecting all threats.”
— Thomas Reed (@thomasareed), September 10, 2018