Adware Doctor, the number one paid utility in the Mac App Store, is secretly logging the browser history of users, and sending it to a server in China. Security researcher Patrick Wardle says that he notified Apple of this a month ago, but the malware app still remains available in the Mac App Store today …

Threatpost notes that everything about the app would appear legitimate. The app is currently listed on Apple’s Mac App Store as the company’s fourth-highest “Top Paid” software programs, behind Final Cut Pro, Magnet and Logic Pro X. The app currently costs $4.99, is validly signed by Apple, and its listing on the Mac App Store is accompanied by a majority of lavishly positive five-star reviews. Adware Doctor promotes its app as preventing “malware and malicious files from infecting your Mac.”

The app originally posed as Adware Medic, an app owned by Malwarebytes (and subsequently renamed to Malwarebytes for Mac), leading Apple to pull it. But when it changed its name to Adware Doctor, Apple allowed it back into the App Store.

Wardle did a deep dive into the app to find out what it was doing, after being alerted to it by Privacy 1st. He found that the app creates a password-protected archive called history.zip. It then uploads that file to a server which appears to be based in China. Wardle found that the password was hard-coded, enabling him to open the zip file and examine its contents. He found that it contained browser history from Chrome, Firefox and – yes – Safari.

Wardle notes that sandboxing ought to prevent Mac apps getting access to data belonging to other apps, but that Adware Doctor requests universal access when first run – which would be expected to allow a malware scan, so wouldn’t appear suspicious. However, he found that the app was also able to access running processes, something that sandboxing should still prevent. Ironically, he found that the app circumvents this protection by using Apple’s own code.

It’s (likely) just a copy and paste of Apple’s GetBSDProcessList code (found in Technical Q&A QA1123 “Getting List of All Processes on Mac OS X”). Apparently this is how one can get a process listing from within the application sandbox! I’m guessing this method is unsanctioned (as it clearly goes against the design goals of sandbox isolation). And yes, rather amusing the code Adware Doctor uses to skirt the sandbox, is directly from Apple!