[Update 9/10 4:50 am PT: The certificate issued for the domain drcleaner.com is registered to Trend Micro, Inc. Also, the domain the data is uploaded to is a subdomain of trendmicro.com, which means the apps are in fact distributed by Trend Micro, Inc.]
[Update 9/9 7:46 pm PT: The apps discussed in this article have been removed from the Mac App Store.]
Before you give an app access to your home directory on macOS, even an app from the Mac App Store, think twice about doing it. It looks like we’re seeing a trend of Mac App Store apps that convince users to grant access to their home directory with some promise such as virus scanning or cleaning up caches, when the true reason behind it is to gather user data – especially browsing history – and upload it to their analytics servers.
Today, we’re talking specifically about the apps distributed by a developer who claims to be “Trend Micro, Inc.”, which include Dr. Unarchiver, Dr. Cleaner and others. This issue was reported before by a user on the Malwarebytes forum, and in another report. Other researchers followed up and found that apps distributed by this “Trend Micro, Inc.” account on the Mac App Store collect the user’s browser history from Safari, Google Chrome and Firefox and upload it to their servers. The apps also collect information about other apps installed on the system. All of this information is collected upon launching the app, which then creates a zip file and uploads it to the developer’s servers.
We were able to confirm these reports, at least with the Dr. Unarchiver app. After extracting a zip file with the app, it offered an option to “Quick Clean Junk Files”. Selecting “Scan” launched an open dialog with the home directory preselected. This is how the app gets access to a user’s home directory, which it needs in order to read the browsers’ history files. After we allowed access to the home directory, the app proceeded to collect the private data and upload it to their servers (we blocked the upload with a proxy). Scroll down for screenshots.
Inspecting the files the app archives and uploads to their servers revealed three kinds of data: the full browser history for Safari, Google Chrome and Firefox; separate files specifically dedicated to storing the user’s recent Google searches in those same browsers; and a file containing a complete list of all apps installed on the system, including where each was downloaded from, whether it is 64-bit compatible and its code signature.
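When a proxy has captured an upload like the one described above, the first question an incident responder asks is what the archive actually contains. The script below is an added example, not code from the article or from the apps it discusses: it opens a zip archive in memory and flags entries whose paths match the well-known locations of the Safari, Chrome and Firefox history databases in a macOS home directory. The archive layout (paths relative to the home directory) and the sample archive it builds are assumptions for the demonstration; the article does not document how the uploaded zip is structured, and the file names for the Google-search and installed-app lists are not known, so those are not matched here.

```python
"""Flag browser-history artifacts inside a captured upload archive.

Added example (not the article's code). Assumes the uploaded zip stores
files under paths relative to the user's home directory.
"""
import io
import posixpath
import zipfile

# Known history database locations in a macOS home directory:
#   Safari : ~/Library/Safari/History.db
#   Chrome : ~/Library/Application Support/Google/Chrome/<profile>/History
#   Firefox: ~/Library/Application Support/Firefox/Profiles/<profile>/places.sqlite
SAFARI_DB = "History.db"
CHROME_DB = "History"
FIREFOX_DB = "places.sqlite"


def classify_entry(name: str):
    """Return a description if the archive entry looks like a browser history
    database, otherwise None. Matching is done on path components so that a
    stray file that merely ends with the same letters is not flagged."""
    parts = posixpath.normpath(name).split("/")
    basename = parts[-1]
    if basename == SAFARI_DB and "Safari" in parts:
        return "Safari browsing history"
    if basename == CHROME_DB and "Chrome" in parts:
        return "Chrome browsing history"
    if basename == FIREFOX_DB and "Firefox" in parts:
        return "Firefox browsing history"
    return None


def inspect_archive(data: bytes):
    """Walk a zip archive held in memory and return (path, description, size)
    for every entry that matches a known browser history artifact."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            description = classify_entry(info.filename)
            if description is not None:
                findings.append((info.filename, description, info.file_size))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample standing in for a proxy-captured upload: three
    history databases plus a benign report file. The contents are dummy
    bytes, not real browser data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Library/Safari/History.db", b"SQLite format 3\x00" + b"\x00" * 64)
        zf.writestr(
            "Library/Application Support/Google/Chrome/Default/History",
            b"SQLite format 3\x00" + b"\x00" * 32,
        )
        zf.writestr(
            "Library/Application Support/Firefox/Profiles/abcd1234.default/places.sqlite",
            b"SQLite format 3\x00" + b"\x00" * 16,
        )
        zf.writestr("cache_report.json", b"{\"junk_files\": 0}")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: pipe a captured archive in, or run without input to see the sample.
    import sys
    payload = sys.stdin.buffer.read() if not sys.stdin.isatty() else build_sample_archive()
    for path, description, size in inspect_archive(payload):
        print(f"{description:<26} {size:>8} bytes  {path}")
```

Run it with a captured archive on stdin (`python3 inspect_upload.py < captured.zip`) or with no input to see the constructed sample; each flagged entry is printed with its uncompressed size, which is often enough on its own to show that an "analytics" upload is carrying whole history databases rather than summary statistics.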
As of today, “Dr. Unarchiver” is the #12 most popular free app in the US Mac App Store. This is a massive privacy issue and we expect Apple to pull these apps from the Mac App Store fairly quickly. Users do not expect sandboxed apps to get this level of access to their systems, but it is important to note that when a sandboxed app presents an open file dialog and you use it to open your home directory, the app can potentially gain access to lots of private information, including browsing history, iMessage conversations, e-mail messages and more. Apple is improving this situation with macOS Mojave, but the App Store review process should have caught these practices and rejected the apps for violating the user’s privacy.
The technique adopted by the apps discussed here is very similar to what Adware Doctor did. If you want to protect yourself from these types of issues, never give an app – even one from the App Store – access to your home directory. This can happen if the app pops up an open file dialog and you open your home directory with it, or if you drag your home directory into the app.
After extracting a zip file, the app offers to “clean junk files”
With a proxy, we were able to capture the request the app makes, uploading a zip file with user data
A small sample of the data the app collected from my Safari history