Anterovium - Fotolia

Trend Micro apps on Mac accused of stealing data

Researchers claimed Trend Micro apps in the Mac App Store were stealing data. The company removed the offending features, but researchers are still not sold on Trend Micro's excuse.

According to researchers, multiple apps in the Mac App Store were stealing data, and Apple removed the offending apps from the store. But, now, Trend Micro is refuting the claims against its apps.

At least eight apps -- six Trend Micro apps and two published by a developer who goes by the name Yongming Zhang -- were found to be gathering data from user systems, including web browsing history, App Store browsing history and a list of installed apps.

Reports about the apps potentially stealing data first appeared on the Malwarebytes forum in late 2017, but the issues were confirmed recently by at least three individuals: Patrick Wardle, CEO and founder of Digita Security; a security researcher based in Germany who goes by the Twitter handle @privacyis1st; and Thomas Reed, director of Mac and mobile at Malwarebytes Labs.

Wardle dug into claims by @privacyis1st that the No. 4 ranked paid app, Adware Doctor -- published by Yongming Zhang in the Mac App Store -- was stealing data. At first, Wardle said the app was behaving normally until it came time to "clean" the user system; that's when he observed the app stealing browser history data and a list of installed apps.

"From a security and privacy point of view, one of the main benefits of installing applications from the official Mac App Store is that such applications are sandboxed. (The other benefit is that Apple supposedly vets all submitted applications -- but as we've clearly shown here, they (sometimes?) do a miserable job)," Wardle wrote in a blog post.

"When an application runs inside a sandbox it is constrained by what files or user information it can access. For example, a sandboxed application from the Mac App Store should not be able to access a user's sensitive browser history," he continued. "But Adware Doctor clearly found [a way]."

Trend Micro apps and company response

Adware Doctor was developed by an unknown developer whose identity is based on the name of a notorious Chinese serial killer, Zhang Yongming, who was executed in 2013 after being convicted of killing 11 boys and young men; another app, Open Any Files: RAR Support, was developed by "Hao Wu," but it's unclear who the individual is. In addition to these apps stealing data, Reed noted in his analysis that at least two Trend Micro apps appeared to be acting improperly. [UPDATE: In an amended statement on the matter, Trend Micro admitted that Open Any Files is one of the vendor's apps and said "we have decided to no longer publish or support this product."]

Reed said he "saw the same data being collected and also uploaded in a file named to the same URL used by Open Any Files" in the Dr. Antivirus app. Reed said Open Any Files -- developed by Hao Wu -- and the Trend Micro apps were uploading the zip file to Trend Micro servers, and Open Any Files was found promoting Trend Micro's Dr. Antivirus app.

"Unfortunately, other apps by the same developer are also collecting this data. We observed the same data being collected by Dr. Cleaner, minus the list of installed applications," Reed wrote in his analysis. "There is really no good reason for a 'cleaning' app to be collecting this kind of user data, even if the users were informed, which was not the case."

Trend Micro admitted its apps -- Dr. Cleaner, Dr. Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery and Duplicate Finder -- were removed from the Mac App Store, but denied that the apps were stealing data and sending that data to Chinese servers.

The company said in its response that the Trend Micro apps were collecting and uploading "a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation." But it claimed this functionality was "for security purposes," and the actions were permitted by users as part of the End-User License Agreement on installation.

Trend Micro linked to a support page for Dr. Cleaner that showed browser history as one of the types of data collected with user permission. But Reed said on Twitter that he kept archived copies of the apps, and he did not find any in-app notifications about data collection.

Despite denying any wrongdoing, Trend Micro said it was taking steps to reassure users that their data was safe.

"First, we have completed the removal of browser collection features across our consumer products in question," Trend Micro wrote. "Second, we have permanently dumped all legacy logs, which were stored on U.S.-based AWS servers. This includes the one-time 24 hour log of browser history held for three months and permitted by users upon install."

"Third, we believe we identified a core issue which is humbly the result of the use of common code libraries," Trend Micro continued. "We have learned that browser collection functionality was designed in common across a few of our applications and then deployed the same way for both security-oriented as well as the non-security oriented apps such as the ones in discussion . This has been corrected."

It is unclear why Open Any Files was uploading data to Trend Micro servers, or if Trend Micro was the only company with access to the data uploaded by any of the Trend Micro apps.

Trend Micro did not respond to questions at the time of this post.

Apple's responsibility in the Mac App Store

Despite being a central figure in the story of the Trend Micro apps being removed from the Mac App Store, the one company that has kept quiet has been Apple. Apple has not made a public statement, and it did not respond to requests for comment at the time of this post.

According to Apple, "The safest place to download apps for your Mac is the Mac App Store. Apple reviews each app before it's accepted by the store, and if there's ever a problem with an app, Apple can quickly remove it from the store."

But, Wardle said, "it's questionable whether these statements actually hold true," given the number of apps found to be stealing data. And Wardle pointed out that the Mac App Store has known issues with fake reviews propping up bad apps.

Stefan Esser, CEO of Antid0te UG, a security audit firm based in Cologne, Germany, also criticized Apple's response to the claims that apps in its store were stealing data.

"The fact that Apple was informed about this weeks ago and [chose] to ignore and that they finally reacted after bad press like two days before their announcement of new products for you to buy is for sure just coincidence," Esser wrote on Twitter.

And Reed said it's best to not trust certain apps in the Mac App Store.

Dig Deeper on Compliance

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing