What is „com.dsoffer.WhatsupKeys.WhatsAppKeyboard“ ?

[ALN]

Hello everybody,

I just came across a crash report on my iPad running iOS 12.1.4 with the bundle name „com.dsoffer.WhatsupKeys.WhatsAppKeyboard“. No results on any search engines. Anyone know this?

The only keyboard apps I installed are: Clips, Phaseboard, PadKeys, MyScript Stylus.

In general, I‘m very security concered and don‘t install much apps, only what I need and after research.

Thanks in advance.

ALN

[treed]

I'm moving this to the Malwarebytes for iOS forum, since this is not a Mac-related question.

It's also not really a Malwarebytes for iOS question, really, since it's not possible to scan iOS devices for malware, so we can't do that. However, this is very unlikely to be in any way related to malware. It's likely to be due to one of those keyboard apps you have installed. One may offer a special keyboard for WhatsApp, and that's what you're seeing.

Please note that third-party keyboards are a security concern, as using them gives them the potential ability to capture everything you type, including sensitive information like passwords or credit card numbers. For those who are concerned with security, I would not recommend using third-party keyboards.

[ALN]

Thank you, Thomas. I know about the security issues about keyboard apps but I only use them for very specific tasks, no full access and internet access is denied. Thank you for your valuable advice anyway.

The interesting thing about this is, that none of any apps I installed provides something equal. I do not use WhatsApp and there is no settings in any of my apps which offer such a feature to switch. I‘m now researching this as I don‘t know which one causing this. As this popped up this week and I use these apps now for very long, I don’t know where it is hiding. So, if someone has a similar experience and finds something, I thought this place can help us all.

Thanks.

ALN

[ALN]

Addendum:

FWIW, as I mostly use Apple‘s internal keyboard, the time of the crash report points somehow to a time when I used Apple‘s emoji keyboard (I rarely use emojis.) Can this be related to this? Although, com.dsoffer is very weird and the URL (dsoffer.com) does not exist. Anyway, hopefully helpful for everybody.

Cheers

ALN

[treed]

The "com.dsoffer" bit shows that it's definitely not related to any Apple keyboards, so it's got to be one of the third-party ones. I'd also say that that sounds like the sort of domain that is typically associated with adware on the Mac, so I wouldn't use whatever app is using that, but I don't know what app that might be. (iOS makes investigating this kind of thing very difficult.) It seems likely that it's one of your third-party keyboards, but I can't say which.

Since you've been using those keyboards for a while, but the behavior just started recently, was an update for one of those keyboards installed recently?

[ALN]

Thomas,

Thanks for your reply.

First, it is only a crash report from a week ago. Second, an app can be named anything but can be intented for different things, as you know. So, it makes it really hard to classify. I remember only PadKeys (which is a Computer-like keyboard with ALT and cursor keys etc.) having an update, but any app could run for months without surfacing. The problem is, uninstalling something doesn’t yield more than false confidence, as you can’t determine on iOS if this specific app is still installed, only wait for next crash. But what if doesn’t happen. So, I think it‘s origin must be proved somehow.

Additionally, I have no ads, no suspicious network connects. I have installed disconnect.me, permanently monitoring the network and blocking everything I don’t need for operation. So, I would notice any suspicious activity other than the normal ad-sites which are blocked. And these are very few. (I always try to research a domain, who is behind, its purpose etc. before making decisions.)

Anyway, thank you for your time and effort. If you ever come up with more ideas, you are more than welcome.

Cheers

ALN

[ALN]

Update:

dsoffer is an abbreviation for a developer named Daniel Soffer offering a Math keyboards app and Phraseboard, the latter I have installed. The name WhatsupKeys is misleading as Phraseboard offers only buttons for custom text (a TextExpander as a keyboard) which is inserted upon click.

The whole smoke came up b/c his bundle ID com.dsoffer is not a valid domain . Although he is not a villain having invalid domain as bundle and providing an inappropriate app name is more than annoying.

Sorry for the mess.

ALN

[treed]

Thanks for the update! That answers that.  

[ALN]

And serves as a marvelous example how not to do it for your next security seminar.

1. ds offer ... sounds like adware
2. com.dsoffer an ID which is invalid as a domain
3. WhatsupKeys ... intentionally misspelled to give people false confidence?
4. com.dsoffer.WhatsupKeys.WhatsAppKeyboard for an app named Phraseboard (2x diff. spelling for WhatsApp!)

A lesson to learn!

It‘s a pity that Malwarebytes and Apple don’t have a strategic partnership. MB could deliver the technology and Apple could integrate it with the OS. And everybody would win. Apple had some strategic partnerships in the past. It is really sad.

[alvarnell]

When I checked on this last night I did find that dsoffer.com was a registered as a valid domain for one day and that it does have a link to adware: https://www.webdoctx.com/www.dsfoffer.com.

[ALN]

Thank you, Alvarnell, for you time and effort on this. That‘s bad. It seems he‘s got hacked and time for me to say goodbye to his apps. This is indeed a valuable information and should be kept on focus.

Cheers

ALN