Trend Micro security apps caught sharing data stolen from Mac OS users

Trend Micro security apps kicked off of the Apple's App Store because of the data tracking issue

Security applications by Trend Micro removed from the App Store for having data collection capability.

Recently, Apple's App Store has removed several apps developed by Trend Micro, including Dr. Cleaner, Dr. Antivirus, and App Uninstall. The main reason – these anti-malware tools developed by a Japan-based security company were discovered stealing data from their users.

The first one who spotted such disrupting activity was the security researcher Patrick Wardle from Privacy First^[1]. He documented the whole operation of these security apps that were supposedly helping users remove adware and malware from Mac devices. The apps were also found to track and collect various data from their users, including browsing history. Once obtained, this information was transmitted to a server on the internet in a password-protected archive.

It appears that immediately after these apps were installed on the system, the data collection was started. Additionally, this information was sent to the developers' servers which, according to numerous speculations, was located in China. According to Wardle, the most disturbing thing is the fact that getting applications from official sites and stores does not seem beneficial anymore. However, it looks that Apple does a miserable job sometimes when checking all submitted applications.

Trend Micro confirmed this issue. According to the statement^[2], the tracking of users' browsing history was a part of the code:

Dr Cleaner, Dr Cleaner Pro, Dr Antivirus, Dr Unarchiver, Dr Battery, and Duplicate Finder collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation. This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service). The data collected was explicitly identified to the customer in the data collection policy and is highlighted to the user during the install. The browser history data was uploaded to a US-based server hosted by AWS and managed/controlled by Trend Micro.

Company fixes the issues related to apps' security and privacy

In the official report that Trend Micro released after the first discovery, the company claims that they are taking actions and promises to update their products. The report followed an investigation on all of their products and privacy concerns. According to Trend Micro, this browser history collection^[3] feature has already been removed. Also, all the information that has already been stored in the US-based AWS server was deleted.

As the statement comes to an end, the company discloses:

We have learned that browser collection functionality was designed in common across a few of our applications and then deployed the same way for both security-oriented as well as the non-security oriented apps such as the ones in discussion. This has been corrected.

Not the first application removed from the light due to the data tracking

Days before the Trend Micro incident, another legitimate application was deleted for collecting data from users. On September 7, Apple deleted Adware Doctor^[4] from their store after it was found tracking and stealing various personal information from its users. This $4.99 app was one of the highest selling products in the App Store and had multiple claims about protecting users from malware and adware. However, while working on the browser, it silently collected data related to users' browsing. The issue was discovered by the same researcher Patrick Wardle who reported the app for Apple at the time. However, the company did nothing until that Friday.

These issues are not related since app developers are not related in any way. However, these cases are not the first ones nor the last. While they are not as harmful as malware used to steal credit card data^[5], the problem is that unsafe apps are approved and allowed to distribute themselves on the App Store.