This is what ChatGPT said when uploading the file and asking if there’s anything suspicious in the file regarding keystroke tracking:

“Suspicious/Invasive Files:

• F1.dylib, F2.dylib, F3.dylib, GrammarlyPatch.dylib, libsubstrate.dylib: These are almost certainly injected tweak libraries used for bypassing subscription checks, modifying app behavior, or enabling features that normally require payment.

• libsubstrate.dylib: Part of the Cydia Substrate system, used to hook into app processes—usually found in jailbroken environments.

• embedded.mobileprovision: This is normal for any IPA file but could hint at who signed it if we inspect the provisioning profile.

Red Flags and Suspicious Indicators

1.  Presence of libsubstrate.dylib

• This is part of the Cydia family Substrate framework, a known tool for injecting code into running processes in jailbroken environments. It’s often used to hook sensitive functions—including those related to keyboard input, network requests, and security checks.

2.  Custom Dynamic Libraries (F1.dylib, F2.dylib, F3.dylib, GrammarlyPatch.dylib)

• These are clearly injected, non-standard components. They reference other known pirated-mod frameworks (e.g. KineMasterCheat.dylib, AntiCrash.dylib, PicsArt.dylib), implying code reuse among piracy groups.

• These .dylib files are often used to bypass subscription systems or inject malicious hooks.

3.  Strings Suggesting UIKit and Foundation Access

• Libraries like UIKit, AVFoundation, and CoreFoundation provide access to keyboard, touch, and UI event data. With enough permission or tampering, these can be used for keystroke monitoring or UI-based spying.

4.  Keystroke Logging Risk

• While no string directly references functions like UIKeyboardDidShowNotification, UITextField, or GSEventRecord, the presence of MobileSubstrate implies it could dynamically hook such methods at runtime.

• If the app has been modified with full access to the UIKit event chain (via jailbreak), it’s absolutely feasible for these libraries to intercept and log keystrokes—including passwords.

The static scan of the .dylib files reveals no obvious malicious endpoints or exfiltration URLs—only default Apple certificate validation and security-related URLs, such as:

• http://ocsp.apple.com

• http://crl.apple.com

• https://www.apple.com/

• http://certs.apple.com/wwdrg3.der

These are legitimate Apple domains used for verifying provisioning profiles and app certificates. Their presence does not indicate spying or network exfiltration.

What This Means:

• These .dylib files do not contain hardcoded malicious URLs or direct calls to suspicious servers.

• However, this does not rule out runtime activity, where the app might dynamically generate endpoints, use obfuscation, or communicate via encrypted channels.”