Hackers outsmart Apple to install keyloggers on iPhones

Hackers outsmart Apple to install keyloggers on iPhones،

iPhones are generally considered more secure than Android phones, mainly because currently iOS users can only download apps through the App Store. Apps hosted on the App Store are verified by Apple and only apps deemed safe are approved. Cybercriminals may have found a way to outsmart Apple.

Apple offers an app called TestFlight for developers who want to test their apps. Up to 10,000 people can download TestFlight apps, which are not subject to the same review as final versions of the apps.

British cybersecurity company Certo software found that cybercriminals are taking advantage of these lax policies to spy on iPhone users using third-party custom keyboards.

They will be your own people

Certo has discovered that online criminals are offering keylogger services to those who want to keep tabs on someone they know. For just $30, people can secretly install a malicious app with a third-party keyboard on someone's phone.

Once the carrier app is downloaded, the third-party keyboard can be installed through the Settings app and configured to give “full access” to an iPhone. The default iPhone keyboard is then replaced by the custom version.

The keyboard equipped with a keylogger records and sends all inputs made by the victim. This allows the hacker and his accomplice to access messages, names of websites visited by the target, two-factor authentication codes and passwords.

Because the apps are distributed through TestFlight, they avoid the strict process that apps destined for the App Store go through.

Default iPhone Keyboard vs Custom Keyboard with Keylogger

Custom keyboards look like the iPhone's default keyboard, so most people won't realize there's anything fishy going on. The only way to check them is to go to Settings, then tap General, then select Keyboard, then go to Keyboards.

If you see a third keyboard besides “English (US)” and “Emoji” that you don't remember having installed, you need to get rid of it by tapping “Change” and selecting “Remove.”

Certo became aware of this campaign when she heard about several incidents of cyberstalking in which the harassers knew everything a victim had typed on their phone.