Many people opt for top-tier iPhones over their Android counterparts, primarily due to the perceived enhanced security of Apple devices. Paradoxically, the robust security features of iPhones also attract hackers and cybercriminals seeking vulnerabilities to exploit.
Recent findings by security researcher Russell Kent-Payne at Certo Software reveal a novel method employed by hackers to circumvent Apple’s security checks. This exploit involves the use of third-party custom keyboards, allowing cybercriminals to clandestinely monitor iPhone users, capturing private messages, browsing history, and even passwords.
Certo Software initiated an investigation following reports of cyberstalking incidents where perpetrators demonstrated an uncanny knowledge of the target’s iPhone activity. The inquiry unveiled the presence of malicious third-party keyboards on all affected devices.
Traditionally, spying on iPhone users necessitates jailbreaking the device or gaining access to the iCloud account. However, this new attack distinguishes itself by eschewing these conventional methods. Instead, it weaponizes third-party keyboards, turning them into keyloggers on susceptible devices, enabling hackers to covertly record and transmit every keystroke made by the iPhone user.
While specific technical details are intentionally omitted to prevent aiding potential hackers, Certo Software outlines the attack’s general workings. The hackers exploit Apple’s TestFlight platform, designed for testing new iOS apps before their App Store release. By deploying malicious keyboards through TestFlight, hackers evade detection, as apps on this platform undergo less rigorous security scrutiny than those on the App Store.
Once the TestFlight app is installed on the target iPhone, hackers proceed to install a custom keyboard via the Settings app. They configure it to possess “Full Access” to the device and substitute the iPhone’s default keyboard with this visually indistinguishable custom version. The malicious keyboard captures all user input, transmitting the collected information to a command and control (C&C) server operated by the hackers.
To find out if a malicious keyboard is installed on an iPhone, users can follow the steps outlined by Certo Software. In the Settings app, go to General > Keyboard > Keyboards and inspect the list of standard keyboards. If an unfamiliar keyboard with “Allow Full Access” enabled is present, it may indicate a security concern. In that case, remove the unrecognized custom keyboard by tapping Edit, tapping the red minus button next to the unfamiliar keyboard, and selecting Delete.
For added protection, users may consider installing reputable Mac antivirus software. While there isn’t a direct equivalent for iPhones, tools like Intego Mac Internet Security X9 and Intego Mac Premium Bundle X9 can scan iPhones and iPads for malware when connected to a Mac via a USB cable.