iOS Device Support Keylogger

Hello,

I recently ran a virus/malware scan on my dev machine using ClamAV; this was run via macOS Terminal using the 'clamscan' function.

Everything came back okay except a keylogger in the ProVideo Framework for physical iOS Test Devices. Please see below for 'clamscan' output:

/Users/username/Library/Developer/Xcode/iOS DeviceSupport/iPad8,11 17.4 (21E219)/Symbols/System/Library/PrivateFrameworks/ProVideo.framework/ProVideo: Unix.Keylogger.Macos-10023932-0 FOUND

My understanding is that '/Library/Developer/Xcode/iOS DeviceSupport/' is where Xcode keeps the files related to physical test devices that are required for debug. There were 3 Instances of this keylogger, all of which corresponded to physical devices I own and iOS Versions that I have installed / were installed.

Can anyone verify if 'Unix.Keylogger.Macos-10023932-0' is a valid file that ClamAV is incorrectly detecting as malicious?

If it is a valid debug file provided by Apple, it seems strange that it's located in the ProVideo Framework. I couldn't find any documentation online about this so any information would be appreciated.

At this stage I have deleted the contents of '/Library/Developer/Xcode/iOS DeviceSupport/'. My understanding is that these symbols are only transferred to the system when I test software via Xcode on a physical device and will not reproduce until I do that again. To me it's unclear if perhaps this keylogger is present on my iOS Device and is being transferred to the Mac via Xcode? Or somehow it is just appearing in this folder?

Thanks!

Replies

It shows up in a Google search on https://lists.archive.carbon60.com/clamav/virusdb/89270?page=last

I was in contact with 'Apple Developer Support - Development and Technical' about this issue; they say they cannot help and to wait for an Apple Engineer to engage on this forum?

Unfortunately, we are unable to provide support for the issue you are facing. Apple Developer Program Support Team provides administrative-level support to members of the Apple Developer Programs.

As mentioned previously, please refer to the Developer Forums to engage with Apple engineers and other developers.

I have posted the file that shows as a Keylogger to VirusTotal: https://www.virustotal.com/gui/file/13a83bec5ada72c38d4da13657f95acc9682bab8ca14671d00b0941779236468

Only ClamAV and Google seem to detect it as a Keylogger. Not sure if this is a false flag or it is indeed a problem. Again, I can confirm that these files only exist in /Users/username/Library/Developer/Xcode/iOS DeviceSupport/. If you delete the contents of this directory they are gone and do not appear again until you test with Xcode using a physical iOS Device. This implies that files are present on iOS/iPadOS and are transferred across for debug. So again, I'm not sure if the iOS Devices are compromised or if this is a false flag.

Any help from Apple would be appreciated!
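
A triage aid for the clamscan output discussed in this thread, added here as an example and not written by any poster: it groups detections under the Xcode DeviceSupport folder by signature and by path inside `Symbols`, so you can see whether the same framework binary is flagged for every device and OS build. Only the first sample line comes from the thread; the other sample lines, the `triage` function name and the directory-name pattern (inferred from that one path) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the output quoted in the thread; lines 2-4 are
# invented placeholders (device, build and second signature are not real).
SAMPLE = """\
/Users/username/Library/Developer/Xcode/iOS DeviceSupport/iPad8,11 17.4 (21E219)/Symbols/System/Library/PrivateFrameworks/ProVideo.framework/ProVideo: Unix.Keylogger.Macos-10023932-0 FOUND
/Users/username/Library/Developer/Xcode/iOS DeviceSupport/iPhone0,0 0.0 (00A000)/Symbols/System/Library/PrivateFrameworks/ProVideo.framework/ProVideo: Unix.Keylogger.Macos-10023932-0 FOUND
/Users/username/Downloads/sample.bin: Constructed.Placeholder-0 FOUND
/Users/username/Documents/notes.txt: OK
"""

# Assumed layout: ".../iOS DeviceSupport/[<model> ]<os> (<build>)/Symbols/<inner path>"
DEVICE_SUPPORT = re.compile(
    r"^.*/iOS DeviceSupport/(?:(?P<model>\S+) )?(?P<os>[\d.]+) \((?P<build>\w+)\)"
    r"/Symbols(?P<inner>/.+): (?P<sig>\S+) FOUND$"
)
ANY_FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def triage(clamscan_output):
    """Return (grouped, other).

    grouped maps (signature, path inside Symbols) -> [(model, os, build), ...]
    other lists (path, signature) for detections outside DeviceSupport.
    """
    grouped, other = defaultdict(list), []
    for line in clamscan_output.splitlines():
        m = DEVICE_SUPPORT.match(line)
        if m:
            grouped[(m["sig"], m["inner"])].append((m["model"], m["os"], m["build"]))
            continue
        g = ANY_FOUND.match(line)
        if g:  # a detection, but not in the device symbol cache
            other.append((g["path"], g["sig"]))
    return dict(grouped), other


if __name__ == "__main__":
    grouped, other = triage(SAMPLE)
    for (sig, inner), devices in grouped.items():
        print(f"{sig}\n  {inner}")
        for model, os_ver, build in devices:
            print(f"    {model or '?'} {os_ver} ({build})")
    for path, sig in other:
        print(f"outside DeviceSupport: {path}: {sig}")
```

Feed it saved output, for example from `clamscan -r --infected` redirected to a file; the grouping shows which in-bundle binary each signature hit and for which device builds, which is the detail worth including in a false-positive report or a VirusTotal comparison.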