Threat Feed
high threat

Adware Doctor Steals and Exfiltrates Browser History from Mac App Store Users

Adware Doctor, a popular app available on the Mac App Store, surreptitiously steals users' browsing history from Safari and Chrome, compresses the data into a password-protected zip archive, and exfiltrates it to a remote server.

Adware Doctor, a top-grossing application found on the official Mac App Store, has been observed surreptitiously exfiltrating highly sensitive user information, specifically browser history, to a remote server. Discovered in August 2018 by @privacyis1st and further analyzed by Objective-See, the application claims to remove adware but in reality gathers browsing history from Safari and Chrome, zips the data, password-protects the archive with “webtool,” and uploads it to adscan.yelabapp.com. This behavior bypasses user expectations of privacy within the Apple ecosystem, especially given Apple’s claims of rigorous app review. The application was sold for $4.99, potentially impacting a large number of users. Adware Doctor also has a history of deceptive tactics: it was previously known as “Adware Medic,” which was pulled from the store and quickly reappeared under a different name.

Attack Chain

  1. User downloads and installs “Adware Doctor” from the official Mac App Store.
  2. The user clicks the “Clean” button within the application’s UI, initiating the data collection process.
  3. Adware Doctor accesses and reads browser history databases, including ~/Library/Safari/History.db and ~/Library/Application Support/Google/Chrome/Default/History.
  4. The application creates a directory ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history to store gathered history data.
  5. Adware Doctor uses the built-in zip utility to compress the collected browser history into history.zip, protected with the password “webtool.”
  6. The application attempts to upload the history.zip file to the domain adscan.yelabapp.com via a POST request to the /1/checkadware endpoint.
  7. The exfiltrated data includes browsing history from Safari, Chrome, and potentially other browsers installed on the system.

Impact

The successful exfiltration of browser history allows the attacker to gain insight into a user’s browsing habits, visited websites, search queries, and potentially login credentials stored within browser data. Given Adware Doctor’s popularity as a top-grossing app in the Mac App Store at the time, a significant number of users were likely affected. This data could be used for targeted advertising, identity theft, or other malicious purposes. The incident undermines user trust in the Mac App Store’s security measures and Apple’s review process.

Recommendation

  • Monitor process creations for the execution of /bin/bash with command-line arguments indicative of zip archive creation with a hardcoded password as shown in the Sigma rule “Detect Adware Doctor History Zip”.
  • Monitor network connections to adscan.yelabapp.com to identify potential exfiltration attempts, as detailed in the IOC list.
  • Implement the Sigma rule “Detect Adware Doctor History Access” to detect suspicious file access patterns to browser history databases by processes outside the expected browser applications.

Detection coverage (2 rules)

Detect Adware Doctor History Zip (severity: high)

Detects the use of zip to archive browser history with a hardcoded password, a technique used by Adware Doctor.

Format: Sigma | Tactics: collection | Techniques: T1560.001 | Sources: process_creation, macos

Detect Adware Doctor History Access (severity: medium)

Detects processes accessing browser history files outside of known browser applications.

Format: Sigma | Tactics: collection | Techniques: T1560.001 | Sources: file_event, macos
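The two rules above expressed as Python detection logic run over constructed sample telemetry. This is an added example, not code from the original feed or from Objective-See; the event field names (type, image, cmdline, target) and the browser allowlist are assumptions about the log schema.

```python
import re
import shlex

# Constructed sample telemetry (not from the advisory): the shape a macOS EDR
# might emit for process_creation and file_event records.
SAMPLE_EVENTS = [
    {"type": "process_creation", "image": "/bin/bash",
     "cmdline": "/bin/bash -c 'cd history && zip -P webtool -r ../history.zip .'"},
    {"type": "file_event", "image": "/Applications/Safari.app/Contents/MacOS/Safari",
     "target": "/Users/alice/Library/Safari/History.db"},
    {"type": "file_event", "image": "/Applications/Adware Doctor.app/Contents/MacOS/Adware Doctor",
     "target": "/Users/alice/Library/Application Support/Google/Chrome/Default/History"},
]

# Browser bundles expected to open their own history databases (assumed allowlist).
BROWSER_ALLOWLIST = ("/Applications/Safari.app/", "/Applications/Google Chrome.app/")
HISTORY_DB = re.compile(r"/Library/(Safari/History\.db|Application Support/Google/Chrome/[^/]+/History)$")

def _argv(cmdline):
    """Tokenise a command line, unwrapping one level of `bash -c '<inner>'`."""
    try:
        tokens = shlex.split(cmdline)
        if "-c" in tokens:
            tokens += shlex.split(tokens[tokens.index("-c") + 1])
    except (ValueError, IndexError):
        return []
    return tokens

def history_zip_match(ev):
    """Rule 1 (high): zip archiving browser history with a hardcoded password."""
    if ev.get("type") != "process_creation":
        return False
    tokens = _argv(ev.get("cmdline", ""))
    uses_zip = any(t.rsplit("/", 1)[-1] == "zip" for t in tokens)
    has_password = any(t == "--password" or t.startswith("-P") for t in tokens)
    mentions_history = any("history" in t.lower() for t in tokens)
    return uses_zip and has_password and mentions_history

def history_access_match(ev):
    """Rule 2 (medium): a non-browser process opening Safari or Chrome history."""
    if ev.get("type") != "file_event" or not HISTORY_DB.search(ev.get("target", "")):
        return False
    return not ev.get("image", "").startswith(BROWSER_ALLOWLIST)

def run_detections(events):
    """Return (rule, severity, image) for every event that trips a rule."""
    hits = []
    for ev in events:
        if history_zip_match(ev):
            hits.append(("Detect Adware Doctor History Zip", "high", ev["image"]))
        if history_access_match(ev):
            hits.append(("Detect Adware Doctor History Access", "medium", ev["image"]))
    return hits
```

Safari reading its own History.db does not fire, while the same path opened from the Adware Doctor bundle does; a plain `zip -r backup.zip Documents` without a password is ignored by the first rule.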


Indicators of compromise (2 domains, 7 MD5 hashes)

Type      Value
domain    adwareres.securemacos.com
domain    adscan.yelabapp.com