The Curious Case of Adware Doctor and the Mac App Store

What a bizarre story this is. Adware Doctor was a $4.99 app in the Mac App Store from a developer supposedly named Yongming Zhang. The app purported to protect your browser from adware by removing browser extensions, cookies, and caches. It was a surprisingly popular app, ranking first in the Utilities category and fourth overall among paid apps, alongside stalwarts like Logic Pro X and Final Cut Pro X.

Turns out, among other things, Adware Doctor was collecting your web browser history from Chrome, Firefox, and Safari, and uploading them to a server in China. Whatever the intention of this was, it’s a privacy debacle, obviously. This behavior was first discovered by someone who goes by the Twitter handle Privacy 1st, and reported to Apple on August 12. Early today, security researcher Patrick Wardle published a detailed technical analysis of the app. Wired, TechCrunch, and other publications jumped on the story, and by 9 am PT, Apple had pulled the app from the App Store.

Contrary to some reports, Adware Doctor didn’t find some sort of hole in the sandbox that prevents apps downloaded from the Mac App Store from being able to access the entire file system. The app asked permission from the user, which is the only way utilities like this can work. Any user who believed in the stated purpose of Adware Doctor would grant this permission though. (MacOS 10.14 Mojave has additional protections for particularly sensitive files, like your browser history and email database — this shouldn’t work on Mojave even if you grant an app permission to access your home folder.)

I have some questions though.

First, how in the world did this sketchy app get so popular? Was it actually doing anything useful, protecting users from actual harm? It just seems crazy to me that this was the fourth most popular paid app in the store. But that’s what makes this story interesting — the app was popular. There are an awful lot of Mac users whose web browsing histories are now in the hands of some developers in China.

Second, why didn’t Privacy 1st’s report four weeks ago trigger an investigation inside Apple that would’ve gotten the app removed sooner (and without the resulting bad publicity)? From the screenshot Privacy 1st posted to Twitter, it seems as though they included thorough steps to prove what Adware Doctor was doing. We can’t expect the app review process to flag every bad actor, but I do think we should expect Apple to take action when a bad actor is found.

Third, why wasn’t this developer “Yongming Zhang” flagged years ago? Adware Doctor started out named “Adware Medic”, the same name as a legitimate successful app from Malwarebytes:

The developer of this app is one that we at Malwarebytes have had our eye on since 2015. At that time, we discovered an app on the App Store named Adware Medic — a direct rip-off of my own highly-successful app of the same name, which became Malwarebytes for Mac. We immediately began detecting this, and contacted Apple about removing the app. It was eventually removed, but was replaced soon after by an identical app named Adware Doctor.

We’ve continued to fight against this app, as well as others made by the same developer, and it has been taken down several times now, but in a continued failure of Apple’s review process, is always replaced by a new version before long.

Here’s a report from April 2016 suggesting that the glowing reviews for Yongming Zhang’s apps were all fake. Fake reviews are perhaps the single biggest problem with the App Store. It’s a rampant problem. I really think Apple should crack down on the practice. It’s scummy, and it’s not surprising to find out that a scummy developer would do even more scummy things. Even if Apple isn’t willing to commit the human resources to tackle review fraud across the entire App Store — a Sisyphean task at this point, to be sure — they surely ought to tackle it for popular apps, and Adware Doctor was very popular. This app’s success, sketchy description, and the developer’s history of bad behavior should have set off alarm bells inside Apple.

Lastly, what’s going on with all the copies of the app that have already been bought and installed? Do existing copies still run? Isn’t this exactly the sort of scenario where Apple should use the kill switch to remotely disable installed copies of the app? I’ve asked whether they’ve done this for Adware Doctor, but haven’t gotten an answer yet.