Trend Micro Apps booted from Mac App Store

Apple has recently pulled several Trend Micro apps from its App Store. These include the free packages Dr. Cleaner, Dr. Antivirus, and Dr. Archiver, all listed as developed by Trend Micro. The reason the apps got the boot: they exfiltrate user data in the form of the user’s browser history. The discovery was made by Thomas Reed of Malwarebytes Labs and @privacyis1st. As a result of the public outcry and industry condemnation, Apple was forced to pull the apps. At the time of writing, only Dr. Wifi and Network Scanner were still available for download. In the report published by Thomas Reed, much of the research centered on Dr. Antivirus and Dr. Cleaner. Analysis revealed that Dr. Antivirus was incredibly limited in the malware it could detect. This is due in part to the restrictions Apple places on apps developed for the App Store. As with many similar apps, detection rates were poor even when the app was used to detect malware within the user folder; Dr. Antivirus was no different.

Viewed in isolation, this is no reason for the app to be removed from the App Store. It was when the researchers discovered the app was using a method used by another app to exfiltrate data that warning shots were fired. That app is Open Any File, which was discovered last year and can only be described as a scam. The app would hijack the system’s functionality for handling documents that the user does not have an appropriate app to open. This is all done as a means of advertising other products. Open Any File had another surprise in that it uploaded a file named file.zip to the following URL: update.appletuner.trendmicro.com/1/upload/search_keywords/. On further analysis, the file contained the complete Safari browsing and search history, the complete Chrome browsing and search history, the complete Firefox browsing and search history, and the complete App Store browsing history.
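For defenders who want to check whether a Mac on their network contacted the upload endpoint named above, here is an added example (not code from this article or from the Malwarebytes report) that scans web proxy logs for it. The log format, the sample lines, and the function names are assumptions made for illustration; only the host and path come from the article.

```python
from urllib.parse import urlsplit

# Host and path as given in the article; everything else is an assumption.
IOC_HOST = "update.appletuner.trendmicro.com"
IOC_PATH = "/1/upload/search_keywords/"

# Constructed sample lines in a hypothetical proxy log format:
# timestamp client method url status bytes_uploaded
SAMPLE_LOG = """\
2018-09-07T10:01:12Z 10.0.0.21 GET https://www.example.com/index.html 200 0
2018-09-07T10:01:40Z 10.0.0.21 POST https://Update.AppleTuner.TrendMicro.com:443/1/upload/search_keywords/ 200 48211
2018-09-07T10:02:03Z 10.0.0.34 GET https://update.appletuner.trendmicro.com/1/config 200 0
2018-09-07T10:02:30Z 10.0.0.34 POST https://update.appletuner.trendmicro.com.example.net/1/upload/search_keywords/ 200 900
malformed line without enough fields
"""


def classify(url, method):
    """Return 'upload', 'contact', or None for a single request."""
    # Accept URLs logged without a scheme by giving urlsplit a netloc marker.
    parts = urlsplit(url if "://" in url else "//" + url)
    # .hostname lowercases and drops the port; also drop a trailing root dot.
    host = (parts.hostname or "").rstrip(".")
    if host != IOC_HOST:  # exact match, so look-alike suffix domains are ignored
        return None
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    if method in ("POST", "PUT") and path.startswith(IOC_PATH):
        return "upload"  # data sent to the upload path from the article
    return "contact"  # same host, but not an upload to that path


def scan(log_text):
    """Return (client, verdict, bytes_uploaded) for each matching log line."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[5].isdigit():
            continue  # skip lines that do not fit the assumed format
        _ts, client, method, url, _status, sent = fields
        verdict = classify(url, method.upper())
        if verdict:
            findings.append((client, verdict, int(sent)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

An "upload" hit identifies a client worth examining for the apps named in this article; a "contact" hit only shows that the host was reached.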

Malwarebytes discovered that Dr. Antivirus exfiltrated the exact same data as Open Any File. However, Dr. Antivirus also contained an interesting file named app.plist, which contained detailed information about every application found on the system. It can be argued that any antivirus offering needs to collect some browsing data to assist in malware detection and webpage blocking. That being said, it is very difficult to justify the exfiltration of the entire browsing history of all installed browsers regardless of whether the user has encountered malware or not. Further, there was nothing in the app to inform the user of this data collection, and there was no way to opt out of it.

Dr. Cleaner too exfiltrated the same data as Dr. Antivirus, minus the list of installed applications. While an argument exists for an antivirus to collect limited browsing data, there exists no good reason for a “cleaning” app to be collecting this kind of user data, even if the users were informed, which was not the case. This led Thomas Reed to conclude that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. Further, it is recommended that users treat the App Store as any other download location, meaning that it could be potentially dangerous.

Trend Micro’s Response

Often in these situations, it is safe to assume that a reputable company and its image are being abused to distribute malware. A brief look at Trend Micro would confirm this. Trend Micro Inc. is a publicly listed corporation headquartered in Tokyo, Japan, founded nearly thirty years ago, with almost six thousand employees worldwide, and revenue (2017) of ¥148.8 billion or approximately 1.3 billion USD. However, in a press release the company admitted that those three products (Dr. Cleaner, Dr. Antivirus and Dr. Archiver), together with Dr. Cleaner Pro, Dr. Battery and Duplicate Finder, all

“collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation”

In Trend Micro’s own words, the collection of data “was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service).” The company went on to say:

“The data collected was explicitly identified to the customer in the data collection policy and is highlighted to the user during the install,”

This would seem contrary to Malwarebytes’ analysis, which stated that at no time were users informed of the data collection. In an article published by the Eclectic Light Company, the writer reviewed Trend Micro’s privacy statement to see whether it allows for the taking and use of personal data. In the examples provided by the writer, it would appear that both the statement for European users and the one for global users make provision for data exfiltration. Thus, it would seem that they make no secret of it, while providing no opt-out for customers wishing to use their product and not “share” their data.

Data is Big Business

Earlier this year the Facebook/Cambridge Analytica scandal broke, calling into question how our data is harvested and used. Given the public outcry and Facebook being summoned to the US Senate, not to mention a plummeting share price, one would think other companies would handle personal data with more care. The fact remains that data is still big business, and unless companies are caught and publicly shamed, no change will happen. Fortunately, public perceptions of the ethical handling of data are changing; this, together with the adoption of GDPR legislation, will help to further prevent your data from being abused to turn a profit.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
