The Price of Free Software: Trend Micro’s apps exfiltrate your browser history

Several of the apps which Apple has recently pulled from the Mac App Store because of their theft of personal data were listed as being developed by Trend Micro. These include Dr. Cleaner, Dr. Antivirus, and Dr. Archiver.


In careful investigations by security experts including Thomas Reed of Malwarebytes Labs and @privacyis1st, it was discovered that they exfiltrate browser history, and in the case of Dr. Antivirus a detailed listing of all installed apps as well. As a result of the hullaballo developing on Twitter and elsewhere, Apple has eventually pulled all the App Store apps by Trend Micro, apart from Dr. Wifi and Network Scanner, which remain on offer as of 1800 on 10 September 2018.

Unlike another app which stole private data, Adware Doctor, which has also been taken down from the App Store, these three aren’t from a near-anonymous developer, but a multi-national corporation specialising in ‘cybersecurity’.

Trend Micro Inc. is a public-quoted corporation (KK) headquartered in Tokyo, founded nearly thirty years ago, with almost six thousand employees worldwide, and revenue (2017) of ¥148.8 billion. Surely, this isn’t the sort of company to be involved in the secretive collection of private data including full browser histories?


My first response was that the ‘Trend Micro’ caught doing this was simply a scam being run by someone else. The App Store apps Dr. Cleaner and others linked not to the main Trend Micro website with its red logo and professionally-written copy, but to a different domain,, where the English is often more fractured, and the whole site rather more amateur.

I had this idea that maybe a former or current employee was taking advantage of their inside knowledge, and using it to their advantage. That was shattered, though, when @privacyis1st discovered that one of Trend Micro’s blogs had been promoting these products: Simply Security on 14 May 2018 published a ‘review’ of Dr. Cleaner, which also went out of its way to plug Dr. Antivirus and Dr. Unarchiver. At the end of this promotional article (it is nothing like a real editorial review), there are some FAQs, none of which mentions the browser history data which this app sends off to a remote server. Not only that, but some of the links and internet addresses used in the Dr. products are within Trend Micro’s main domain.


Then last night, Trend Micro came clean and admitted that those three products – Dr. Cleaner, Dr. Antivirus and Dr. Archiver – together with Dr. Cleaner Pro, Dr. Battery and Duplicate Finder, all “collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation”.

Trend Micro claims that this “was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service)”. It does not explain how such browser histories might improve an archive tool, battery condition monitor, or locator of duplicate files, though.

Trend Micro also claims that “The data collected was explicitly identified to the customer in the data collection policy and is highlighted to the user during the install”, although being App Store apps, the only installation process is run by the App Store app itself, and none of those investigating these apps seems to have noticed such warnings.

My next call was to Trend Micro’s privacy statement, to see what that had to say. It is here that it all makes sense at last. Although there are two versions, one for EU states with the GDPR and one for the rest of the world, they both say essentially the same.

“Because of the fast and constant evolving nature of online threats and malware, it is necessary to configure our products and services to constantly provide data and information from your devices to enable us to stay ahead of malicious activities and protect your devices and data. This data and information can also include personal data.”



So Trend Micro makes no secret of it: they collect browser histories and other personal data. And if you don’t like it, you shouldn’t use their products. I think that I may have already made a choice there.

In case you’re still in doubt about this, Wikipedia’s informative article about Trend Micro states:
“In September 2014, Trend Micro began a three-year partnership with INTERPOL wherein Trend Micro shared with the international police organization information on cybercrime threats via the company’s Threat Intelligence Service.”
And that privacy policy leaves us in no doubt:
“We do not share data that you provide to us, except with service providers that help us perform and improve services for you, with your consent, as necessary to perform our contractual obligations to you; in order to protect your, our and others’ rights and interests; in connection with a sale or reorganization of our business, if and to the extent permissible by law and as required to cooperate with any legal process and any law enforcement or other government inquiry. This means that we may provide information that we collect from you if that information is relevant to a court subpoena or to a law enforcement authority or other government investigation, provided this is permissible under applicable data protection law.”


However, if you were unfortunate enough to open the Privacy Policy on the Dr. Cleaner site, you’ll see an older document which doesn’t even mention capturing browser history, but states that the only data collected is “Real-time behavior inside product”, including “user’s operation inside product, such as launch product, quit product, click certain button, open certain product page”. You see what I mean about it being less polished than the regular Trend Micro site. It’s also less truthful, isn’t it?

When the Greeks left the citizens of Troy a free wooden horse, it was a gift that they couldn’t refuse. Maybe cheap and free software is the same today.

What can we do about this? In a few days, we should get greatly improved controls in macOS Mojave. But don’t – please don’t – just click your consent to anything you’re asked. When running in Mojave, the Trend Micro Dr. apps would be forced to gain Full Disk Access before they could even read your browser history. Just say no.

How the hell can you justify secretly exfiltrating the browser histories of someone who is just decompressing an archive using Dr. Archiver?

Finally, Trend Micro now says that it “has decided to remove this browser history collection capability from the products.”