Trend Micro apps labeled spyware, banned from Mac app store

Trend Micro is facing fierce criticism this week.

It’s alleged that several of its consumer macOS apps have been collecting personal data without permission—or at least, without informed consent. And the security company’s public statements covered the full gamut of aggressive denials, sorry-not-sorry “apologies,” and a full-on mea culpa.

Oops. But how on earth could it happen? In this week’s Security Blogwatch, we’re bang on Trend.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Top 5 DJ Mistakes 


Anti-malware apps were … malware?

What’s the craic? Guilherme Rambo can’t quite believe his eyes: Mac App Store apps caught stealing and uploading browser history:

When you give an app access to your home directory on macOS, even if it’s an app from the Mac App Store, you should think twice. [In this case] apps distributed by … Trend Micro, Inc., which include Dr. Unarchiver, Dr. Cleaner and others.

[The apps] collect … the user’s browser history from Safari, Google Chrome and Firefox … separate files specifically dedicated to storing the user’s recent Google searches [and] information about other apps installed on the system … including information about where they were downloaded from, whether they are 64-bit compatible and their code signature. All of this information is collected upon launching the app, which then creates a zip file and uploads it to the developer’s servers.

The certificate issued for the domain drcleaner.com is registered as Trend Micro, Inc.

“Dr. Unarchiver” [was] the no. 12 most popular free app in the US Mac App Store. This is a massive privacy issue.

Where did that data go? Thomas Reed reads Mac App Store apps are stealing user data:

Some of this data is actually being sent to Chinese servers, which may not be subject to the same stringent requirements around storage and protection of personally identifiable information like organizations based in the US or EU.

Open Any Files … We’ve seen a number of different scam applications like this, which hijack the system’s functionality … when the user opens an unfamiliar file, this app (and others like it) opens and promotes some antivirus software. [But] it was uploading a file [to] update.appletuner.trendmicro.com [containing] browsing and search history.

Dr. Antivirus … we observed the same pattern of data exfiltration as seen in Open Any Files [but] it also contained an interesting file named app.plist, which contained detailed information about every application found on the system. … There was nothing in the app to inform the user about this data collection, and there was no way to opt out.

Dr. Cleaner … We observed the same data being collected … minus the list of installed applications. There is really no good reason for a “cleaning” app to be collecting this kind of user data, even if the users were informed. … We found that the drcleaner[dot]com website was being used to promote these apps. WHOIS records identified an individual living in China, and having a foxmail.com email address.

But what of Apple’s involvement? Howard Oakley speaks of App Store Eavesdroppers:

Apple’s App Store [is] in most parts … like a jumble sale, full of items of doubtful origin, but if you look hard enough there are some real gems. There’s no sort of quality control, it’s well nigh impossible to navigate, and frankly an embarrassment to a premium brand like Apple.

I am stunned that Apple … is continuing to sell or give away … four products [that] security researchers have demonstrated break Apple’s own rules, and grossly abuse the user’s privacy. This after the Keynote at WWDC 2018 pronounced:

“We believe that your private data should remain private … and we think you should be in control of who sees it.”

Can the App Store survive? … Haven’t users finally lost faith in its bland assurance that its apps are screened and checked by Apple, and are ‘safe’?

How many others in the store might prove similarly malicious? … The App Store remains a big problem for Apple, and until it addresses these problems will continue to tarnish the whole brand.

What was it that Tim Cook said about privacy violation being the “equivalent of cancer”? Patrick Wardle calls this type of behavior deceitful:

You probably trust applications in the Official Mac App Store. And why wouldn't you?

It's tempting to wonder if Apple's 30% cut of each sale of this massively popular app has led to such egregious inaction. And does it not seem that their laudable statements on supporting user privacy are sadly only words?

So what does Eva Yi-Hwa Chen’s mob have to say for itself? Two or more anonymous spokesdroids offer Answers to Your Questions on Our Apps:

Reports that Trend Micro is “stealing user data” and sending them to an unidentified server in China are absolutely false.

Dr Cleaner, Dr Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation. This was … done for security purposes (to analyze whether a user had recently encountered adware or other threats).

The potential collection and use of browser history data was explicitly disclosed [and] accepted by users for each product at installation. … The browser history data was uploaded to a U.S.-based server.

We apologize to our community for concern they might have felt and can reassure all that their data is safe and at no point was compromised. … We have completed the removal of browser collection features across our consumer products in question. … We have permanently dumped all legacy logs.

We believe we identified a core issue which is humbly the result of the use of common code libraries. … This has been corrected.

We’ve always aimed for full transparency. … This incident has highlighted an opportunity for further improvement. To that end, we are currently reviewing and re-verifying the user disclosure, consent processes and posted materials for all Trend Micro products.

Wow! From aggressive denial, through sorry-not-sorry “apology,” to full-on mea culpa in 48 hours? Mikko Hypponen never sleeps: [You’re fired—Ed.]

Bad day for Trend Micro. Most of their Mac OS X apps have been kicked out by Apple after it was discovered they were collecting and sending out private information.

In an update, Trend announces that they have today permanently deleted the data they had collected from the users’ systems. What happens now to cases where users have issued a GDPR [subject access] request for their data?

Is it time for an epic Twitter rant? Gary Williams—@Garyw_—obliges:

When security companies breach user trust, something is seriously wrong. @TrendMicro need to suffer for this.

So if I read that right, it's a one-time collection that is absolutely required by the product except that they can just remove that "feature" from the product. … Something doesn't add up.

One of the products that Trend Micro collected browser history for was "Dr. battery", an app for the Mac that monitored battery health. Why does such an app need that information? [It] had no legitimate reason to collect such data.

They are now saying that they used a shared library that just "happened" to have this functionality. What? No one spotted this? … I wonder if any dev at trend raised this as a concern?

Words fail me. How can you call yourself a security company? … The cert used has a ton of SANs in it. First one I picked off the list. … For a company that is supposedly a security company, this is inexcusable. What other "minor configuration" issues do they have on their sites? In their databases, and so on? [A] litany of issues.

Companies need to consider adding IT folk with security knowledge to the board.

But isn’t this just a one-off issue? Erwin Geirnaert and friends think not:

In 2013 … what we found is … Trend Micro scans any webpage you visit in their datacenter, including protected pages like Dropbox links, financial pages.

They also download the entire page. So if you receive a link to confidential information, for example your salary slip or an Excel with your customers, that is not protected with authentication but only protected with a session key in the URL, they have full access to the data.

And this was confirmed by the Belgian journalist @koenvervloesem.

Mark Mark Koek’s words:

what they also do is visit the webpage itself.

We see it on phishing tests — if a victim uses Trend Micro, there's a quick hit from TM on our phishing page. So they definitely know what you're browsing.

And attackers know what AV you're using. :)

And Hank Nussbacher calls it old news:

Back in 2013 I discovered that Trendmicro anti-spam hashserver was exfiltrating data via DNS like: xxxxxxxx.yyyyy.hashserver.cs.trendmicro.com

Meanwhile, this Anonymous Coward isn’t surprised to see an anti-malware company pushing spyware:

Anti-virus vendors are the source of the majority of the world's computer viruses. How else do you think they stay in business?

The moral of the story? Audit the apps on your BYOD Macs. And never assume a “curated” App Store will protect you from malware.

And finally …

Top 5 DJ Mistakes

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Andrew Weber (cc0)
