Hackers Bypass Apple’s Checks to Deliver Malicious Keyboards Used to Spy on Users: Report

iPhone users could be targeted by malicious keyboards that can bypass Apple’s stringent security checks to spy on user activity, according to a report. While apps that are distributed via the App Store are checked by Apple, these third-party keyboards are installed via another avenue that allows developers to test their apps on iOS. Once installed, these keyboards can be used to discreetly spy on a user and collect their sent messages, passwords, browsing history, bank credentials, and any other text entered on the phone.

Security firm Certo Software reports that third-party keyboards are being distributed by hackers as a form of ‘stalkerware’ — spyware apps or services used to monitor and stalk people online. While it is difficult to distribute these malicious apps via the App Store as Apple scans these apps before they are published, hackers have reportedly begun distributing these apps via TestFlight.

Apple’s keyboard (left) compared with the malicious keyboard
Photo Credit: Certo Software

Apple’s TestFlight service is an online platform that allows developers to invite people to test out unreleased software or run beta tests of their software, before it is published to the App Store. According to Certo Software, hackers are using the same platform to distribute malicious third-party keyboards to people, which can then be installed on an iPhone belonging to an unsuspecting partner, friend, or family member.

Once installed, the keyboard requires another setting to be enabled on the target’s iPhone that allows third-party keyboards to collect a user’s data. By default, no keyboard on iOS is allowed to access the Internet. Once this permission is enabled, the keyboard is able to transmit all keystrokes that are collected — including chat messages, passwords, notes, browsing history, OTP codes, bank credentials, and other information.

A screenshot of one of these keyboards shared by Certo Software illustrates how similar the malicious keyboard appears to Apple’s default keyboard, making it difficult for users to identify such apps on their smartphone. Data captured from the phone can be viewed by a stalker via a web portal, according to the firm.

Information captured from a target’s phone can be viewed via a web portal
Photo Credit: Certo Software

The security firm points out that Apple could implement a notification system — similar to WhatsApp’s new login alert that is shown a few hours later — to notify users when a new keyboard is installed on their smartphone.

The security firm says that users can protect themselves from these kinds of software by opening the Settings app and tapping General > Keyboard > Keyboards. You should see the name of the language you type in — for example, English (UK) — and Emoji. Any third-party keyboards you have installed, like SwiftKey or Gboard will also show up here. However, if you recognise any unknown keyboards here, you can use the Edit button to quickly delete it.

Another sign that unauthorised software has been installed on your phone without your permission is if you haven’t installed the TestFlight app on your phone but find it in your App Library or in the Settings app. You can also change your device passcode to ensure only you can access your phone, and seek support from online resources if you suspect you are a target of stalkerware on your devices, including your smartphone or computer.