{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/adware-doctor/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Adware Doctor","Mac App Store"],"_cs_severities":["high"],"_cs_tags":["adware","exfiltration","macos"],"_cs_type":"threat","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eAdware Doctor, a top-grossing application found on the official Mac App Store, has been observed surreptitiously exfiltrating highly sensitive user information, specifically browser history, to a remote server. Discovered in August 2018 by @privacyis1st and further analyzed by Objective-See, the application claims to remove adware but in reality, it gathers browsing history from Safari and Chrome, zips the data, passwords it with \u0026ldquo;webtool,\u0026rdquo; and uploads it to adscan.yelabapp.com. This behavior bypasses user expectations of privacy within the Apple ecosystem, especially given Apple\u0026rsquo;s claims of rigorous app review. The application was sold for $4.99, potentially impacting a large number of users. Adware Doctor also has a history of using deceptive tactics and was previously known as \u0026ldquo;Adware Medic,\u0026rdquo; which was pulled from the store and quickly reappeared under a different name.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser downloads and installs \u0026ldquo;Adware Doctor\u0026rdquo; from the official Mac App Store.\u003c/li\u003e\n\u003cli\u003eThe user clicks the \u0026ldquo;Clean\u0026rdquo; button within the application\u0026rsquo;s UI, initiating the data collection process.\u003c/li\u003e\n\u003cli\u003eAdware Doctor accesses and reads browser history databases, including \u003ccode\u003e~/Library/Safari/History.db\u003c/code\u003e and \u003ccode\u003e~/Library/Application Support/Google/Chrome/Default/History\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application creates a directory \u003ccode\u003e~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history\u003c/code\u003e to store gathered history data.\u003c/li\u003e\n\u003cli\u003eAdware Doctor uses the built-in \u003ccode\u003ezip\u003c/code\u003e utility to compress the collected browser history into \u003ccode\u003ehistory.zip\u003c/code\u003e, protected with the password \u0026ldquo;webtool.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eThe application attempts to upload the \u003ccode\u003ehistory.zip\u003c/code\u003e file to the domain \u003ccode\u003eadscan.yelabapp.com\u003c/code\u003e via a POST request to the \u003ccode\u003e/1/checkadware\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe exfiltrated data includes browsing history from Safari, Chrome, and potentially other browsers installed on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exfiltration of browser history allows the attacker to gain insight into a user\u0026rsquo;s browsing habits, visited websites, search queries, and potentially login credentials stored within browser data. Given Adware Doctor\u0026rsquo;s popularity as a top-grossing app in the Mac App Store at the time, a significant number of users were likely affected. This data could be used for targeted advertising, identity theft, or other malicious purposes. The incident undermines user trust in the Mac App Store\u0026rsquo;s security measures and Apple\u0026rsquo;s review process.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for the execution of \u003ccode\u003e/bin/bash\u003c/code\u003e with command-line arguments indicative of zip archive creation with a hardcoded password as shown in the Sigma rule \u0026ldquo;Detect Adware Doctor History Zip\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to \u003ccode\u003eadscan.yelabapp.com\u003c/code\u003e to identify potential exfiltration attempts, as detailed in the IOC list.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Adware Doctor History Access\u0026rdquo; to detect suspicious file access patterns to browser history databases by processes outside the expected browser applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T07:33:40Z","date_published":"2026-05-07T07:33:40Z","id":"/briefs/2024-01-adware-doctor/","summary":"Adware Doctor, a popular app available on the Mac App Store, surreptitiously steals user's browsing history from Safari and Chrome, compresses the data into a password-protected zip archive, and exfiltrates it to a remote server.","title":"Adware Doctor Steals and Exfiltrates Browser History from Mac App Store Users","url":"https://feed.craftedsignal.io/briefs/2024-01-adware-doctor/"}],"language":"en","title":"CraftedSignal Threat Feed — Adware Doctor","version":"https://jsonfeed.org/version/1.1"}