When you give an app access to your home directory on macOS, even if it’s an app from the Mac App Store, you should think twice about doing it. It looks like we’re seeing a trend of Mac App Store apps that convince users to give them access to their home directory with some promise such as virus scanning or cleaning up caches, when the true reason behind it is to gather user data—especially browsing history—and upload it to their analytics servers.
Today, we’re talking specifically about the apps distributed by a developer who claims to be “Trend Micro, Inc.”, which include Dr. Unarchiver, Dr. Cleaner and others. This issue was reported before by a user on the Malwarebytes forum, and in another report. Other researchers followed up and found that apps distributed by this “Trend Micro, Inc.” account on the Mac App Store collect and upload the user’s browser history from Safari, Google Chrome and Firefox to their servers. The app will also collect information about other apps installed on the system. All of this information is collected upon launching the app, which then creates a zip file and uploads it to the developer’s servers.
We were able to confirm these reports, at least with the Dr. Unarchiver app. After extracting a zip file with the app, it offered an option to “Quick Clean Junk Files”. Selecting “Scan” launched an open dialog with the home directory selected, this is how the app gets access to a user’s home directory, which it needs in order to collect the history files from browsers. After allowing access to the home directory, the app proceeded to collect the private data and upload it to their servers (we blocked that with a proxy). Scroll down for screenshots.
Inspecting the files the app archives and uploads to their servers revealed the full browser history for Safari, Google Chrome and Firefox, separate files specifically dedicated to storing the user’s recent Google searches on the same browsers and a file containing a complete list of all apps installed on the system, including information about where they were downloaded from, whether they are 64-bit compatible and their code signature.
