Trend Micro: we didn't steal Chrome and Safari history data from Mac users

  • Liam Tung (CSO Online)
  • 11 September, 2018 06:52

Apple has removed four Trend Micro apps from the Mac App Store after researchers discovered the apps were secretly sending data to a server in China without users’ consent. 

The four apps from Trend Micro’s consumer line include Dr. Antivirus, Dr. Cleaner, Dr. Unarchiver, and App Uninstall. 

The apps were removed after rival security firm Malwarebytes, noted Apple-focussed security researcher Patrick Wardle, and independent security researcher Privacy_1st raised an alarm over the macOS app Adware Doctor, which was found to have been sending browser history data from Safari, Chrome, and Firefox to a server in China.

Beyond browser history, the app was found to have been transmitting user passwords in a ZIP archive, as well as a list of running processes and a list of previously installed apps to the server. 

The connection between Trend Micro’s consumer security apps and Adware Doctor isn’t clear-cut. However, a macOS app called Open Any Files! that displayed similar behavior -- and has now been removed -- was found to have been inexplicably promoting Trend Micro's Dr. Antivirus.

According to Malwarebytes Mac specialist, Thomas Reed, the Open Any Files app used an affiliate code to link to the App Store listing for Dr. Antivirus, which he described as “junk” because it failed to detect known malware in his tests.

Apple recently tightened its App Store developer policy to bolster user privacy, but its reputation for creating a safe haven for users may have also been tarnished by the incident.

“This does just go to show that the Mac App Store cannot be trusted. I've said it multiple times, mostly in regard to all the fake anti-virus programs in the Mac App Store, and this is just further evidence,” wrote Reed.

The only Trend Micro apps remaining on the store currently are Network Scanner and Dr. WiFi. The removed apps had high user review ratings. 

Trend Micro refuted reports that it is siphoning user data off to an unidentified server in China and noted that the features that led to this conclusion are not included in its Windows products.  

“Reports that Trend Micro is ‘stealing user data’ and sending them to an unidentified server in China are absolutely false,” the company said in a blog post.

Trend Micro said it has completed an initial investigation of the issue affecting its macOS consumer products and found that it only took a “snapshot” of users’ browser histories for security purposes.

“The results confirm that Dr Cleaner, Dr Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation. This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service).  

“The data collected was explicitly identified to the customer in the data collection policy and is highlighted to the user during the install. The browser history data was uploaded to a U.S.-based server hosted by AWS and managed/controlled by Trend Micro.”