Thomas Reed from Malwarebytes Labs stated in his blog, that several researchers have discovered different apps practicing this data exfiltration. In most cases, the apps send the data to some Chinese servers that may not be secure for data storage and protection. He named four different apps in his report, namely, Adware Doctor, Open Any Files: RAR Support, Dr. Antivirus, and Dr. Cleaner.
These apps, upon installation, ask explicit permissions for accessing various data on the user’s device. This includes everything from browser history, running processes, lists of downloaded software, and the details of apps present on the device.
“We found that the drcleaner[dot]com website was being used to promote these apps. WHOIS records identified an individual living in China, and having a foxmail.com email address, as being the registered owner of the domain.”While Reed didn’t name any specific firm to back these apps, Privacy1st, a security researcher who first pinpointed the shady practices of Adware Doctor, confirmed that the other apps belong to Trend Micro – a (Chinese?) cybersecurity firm.
https://twitter.com/privacyis1st/status/1038137135969255426
- privacyis1st
After going through his tweets, LHN also thought to dig a little deeper. So, we counterchecked the website Dr.Cleaner.com. Indeed, it appears to be a legit website by the Trend Micro company, mentioning quite a few Trend Micro products. However, we could not find any RAR support associated with it. On the Mac Store as well, the app listed “Hao Wu” as the developer instead of Trend Micro.
Apple has reportedly taken down Adware Doctor from the app store after all the reports, we shall wait to see when Apple removes the other Mac App Store apps that exfiltrate data.