The Price of Free Software: Trend Micro’s apps exfiltrate your browser history

Several of the apps which Apple has recently pulled from the Mac App Store because of their theft of personal data were listed as being developed by Trend Micro. These include Dr. Cleaner, Dr. Antivirus, and Dr. Archiver.

In careful investigations by security experts including Thomas Reed of Malwarebytes Labs and @privacyis1st, it was discovered that these apps exfiltrate browser history, and in the case of Dr. Antivirus a detailed listing of all installed apps as well. As a result of the hullabaloo developing on Twitter and elsewhere, Apple eventually pulled all the App Store apps by Trend Micro, apart from Dr. Wifi and Network Scanner, which remain on offer as of 1800 on 10 September 2018.

Unlike another app which stole private data, Adware Doctor, which has also been taken down from the App Store, these three aren’t from a near-anonymous developer, but a multi-national corporation specialising in ‘cybersecurity’.

Trend Micro Inc. is a public-quoted corporation (KK) headquartered in Tokyo, founded nearly thirty years ago, with almost six thousand employees worldwide, and revenue (2017) of ¥148.8 billion. Surely, this isn’t the sort of company to be involved in the secretive collection of private data including full browser histories?

My first response was that the ‘Trend Micro’ caught doing this was simply a scam being run by someone else. The App Store apps Dr. Cleaner and others linked not to the main Trend Micro website with its red logo and professionally-written copy, but to a different domain, drcleaner.com, where the English is often more fractured, and the whole site rather more amateur.

I had this idea that maybe a former or current employee was taking advantage of their inside knowledge, and using it to their advantage. That was shattered, though, when @privacyis1st discovered that one of Trend Micro’s blogs had been promoting these products: Simply Security on 14 May 2018 published a ‘review’ of Dr. Cleaner, which also went out of its way to plug Dr. Antivirus and Dr. Unarchiver. At the end of this promotional article (it is nothing like a real editorial review), there are some FAQs, none of which mentions the browser history data which this app sends off to a remote server. Not only that, but some of the links and internet addresses used in the Dr. products are within Trend Micro’s main domain.

Then last night, Trend Micro came clean and admitted that those three products – Dr. Cleaner, Dr. Antivirus and Dr. Archiver – together with Dr. Cleaner Pro, Dr. Battery and Duplicate Finder, all “collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation”.

Trend Micro claims that this “was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service)”. It does not explain how such browser histories might improve an archive tool, battery condition monitor, or locator of duplicate files, though.

Trend Micro also claims that “The data collected was explicitly identified to the customer in the data collection policy and is highlighted to the user during the install”, although being App Store apps, the only installation process is run by the App Store app itself, and none of those investigating these apps seems to have noticed such warnings.

My next call was to Trend Micro’s privacy statement, to see what that had to say. It is here that it all makes sense at last. Although there are two versions, one for EU states with the GDPR and one for the rest of the world, they both say essentially the same.

“Because of the fast and constant evolving nature of online threats and malware, it is necessary to configure our products and services to constantly provide data and information from your devices to enable us to stay ahead of malicious activities and protect your devices and data. This data and information can also include personal data.”

So Trend Micro makes no secret of it: they collect browser histories and other personal data. And if you don’t like it, you shouldn’t use their products. I think that I may have already made a choice there.

In case you’re still in doubt about this, Wikipedia’s informative article about Trend Micro states:

“In September 2014, Trend Micro began a three-year partnership with INTERPOL wherein Trend Micro shared with the international police organization information on cybercrime threats via the company’s Threat Intelligence Service.”

And that privacy policy leaves us in no doubt:

“We do not share data that you provide to us, except with service providers that help us perform and improve services for you, with your consent, as necessary to perform our contractual obligations to you; in order to protect your, our and others’ rights and interests; in connection with a sale or reorganization of our business, if and to the extent permissible by law and as required to cooperate with any legal process and any law enforcement or other government inquiry. This means that we may provide information that we collect from you if that information is relevant to a court subpoena or to a law enforcement authority or other government investigation, provided this is permissible under applicable data protection law.”

However, if you were unfortunate enough to open the Privacy Policy on the Dr. Cleaner site, you’ll see an older document which doesn’t even mention capturing browser history, but states that the only data collected is “Real-time behavior inside product”, including “user’s operation inside product, such as launch product, quit product, click certain button, open certain product page”. You see what I mean about it being less polished than the regular Trend Micro site. It’s also less truthful, isn’t it?

When the Greeks left the citizens of Troy a free wooden horse, it was a gift that they couldn’t refuse. Maybe cheap and free software is the same today.

What can we do about this? In a few days, we should get greatly improved controls in macOS Mojave. But don’t – please don’t – just click your consent to anything you’re asked. When running in Mojave, the Trend Micro Dr. apps would be forced to gain Full Disk Access before they could even read your browser history. Just say no.

How the hell can you justify secretly exfiltrating the browser histories of someone who is just decompressing an archive using Dr. Archiver?

Finally, Trend Micro now says that it “has decided to remove this browser history collection capability from the products.”