treed

Staff
  • Posts: 2,237
Everything posted by treed

  1. Since this topic started, we've determined that this is not being caused by any malware installed on the system. It is caused by being tricked into allowing notifications from a scam website in Safari. Ventura now displays these in System Settings -> Notifications in the form seen in your screenshot, which is very unfortunate. You will need to change the item in your screenshot from Allow to Deny in Safari's settings. You can also remove it after doing so, if you like, though leaving it in the list will ensure that it continues to be denied that capability. In System Settings, control-click the "ask you" item and choose Reset Notifications, then confirm. That will remove it from the list.
  2. Ahh, I assumed you had done that already. That's needed to ensure the call blocking extension gets loaded, which makes it appear in the Settings app.
  3. On iOS 16, it's there, but is not in exactly the same place as shown in the screenshot. Scroll down a little and you should see it. Also, make sure you have activated your Premium license in the app before trying this. If you haven't done that yet, you won't be able to enable it.
  4. I don't know what you mean by "keystroke encryption." Can you explain exactly what problem you're trying to solve? Be aware that iOS gives apps very limited access to user activity, such as what is being typed on the on-screen or any connected external keyboard. The only thing that could do any kind of keystroke logging activity would be the use of a third-party on-screen keyboard.
  5. Please see the following topic that I just created: We're seeing this issue with other folks, and I believe this is probably what's going on in your case.
  6. We've noticed a number of people on Ventura having a problem where the Malwarebytes installer will fail. This appears to be due to a bug in Ventura relating to Apple's Installer app not having the needed permissions to open the Malwarebytes installation file.

     Some people have reported success by moving the Malwarebytes installer package file to a different location before installing. If it's in your Downloads folder, try moving it to some other location, such as your home folder or the desktop.

     If that doesn't work, you will probably need to give the "Full Disk Access" permission to the Installer app. To do this, follow these steps:

       • Open the System Settings app
       • Click on "Privacy & Security" in the list on the left side of the System Settings window
       • Click on "Full Disk Access" in the list on the right side of the System Settings window
       • Click the + button near the bottom of the window to add an item to the Full Disk Access list
       • You will be prompted for your login password or Touch ID authorization; provide that to continue
       • An "open" window will appear. To locate the Installer app:
           • Press command-shift-G
           • In the search window that opens, paste the following path and press return: /System/Library/CoreServices/Installer.app
           • With the Installer.app item selected, click the Open button

     Once you have done this, you should see Installer added to the list. At this point, you can close System Settings and try to install Malwarebytes again.
  7. This looks like a trend we're seeing these days with browser notifications from a website. This would not be due to anything malicious installed on your computer, and instead means that you were tricked into allowing notifications from a scam website in Safari. If you're on macOS Ventura, open System Settings, then click Notifications. Under Application Notifications, find one that mentions McAfee and that uses the System Settings icon (shown in your screenshot above). Click on that one, then turn off the master switch at the top to allow notifications for that item. If you are not using Ventura, you'll need to go into Safari's settings, within the Safari app, and click Websites -> Notifications, then remove the item from there.
  8. Let us know if the suggestions on the page Al has linked to don't work. It's likely that what you're seeing are just the after-effects of some kind of adware. We can remove the adware, but can't reverse some of the changes adware makes without risking the potential corruption of your browser settings, or loss of legit settings. (Also, Apple and Google have made efforts to make it more difficult to manipulate the settings in Safari and Chrome.) However, there's no such thing as 100% perfect detection, so it's always possible we've missed something. In such a case, we've got a script that can collect some information from your machine to help us identify potentially missed items.
  9. It looks like Apple's Installer app was unable to open the Malwarebytes installer package on your system. We've noticed a number of people on Ventura having this problem, seemingly due to a bug in Ventura relating to Installer not having the needed permissions to open the file. I believe this is what's happening on your machine as well.

     Some people have reported success by moving the Malwarebytes installer package file to a different location before installing. If it's in your Downloads folder, try moving it to the desktop.

     If that doesn't work, you will probably need to give the "Full Disk Access" permission to the Installer app. To do this, follow these steps:

       • Open the System Settings app
       • Click on "Privacy & Security" in the list on the left side of the System Settings window
       • Click on "Full Disk Access" in the list on the right side of the System Settings window
       • Click the + button near the bottom of the window to add an item to the Full Disk Access list
       • You will be prompted for your login password or Touch ID authorization; provide that to continue
       • An "open" window will appear. To locate the Installer app:
           • Press command-shift-G
           • In the search window that opens, paste the following path and press return: /System/Library/CoreServices/Installer.app
           • With the Installer.app item selected, click the Open button

     Once you have done this, you should see Installer added to the list. At this point, you can close System Settings and try to install Malwarebytes again.
  10. The last thing the tool does before exiting is explain the password and tell you what it is. The password is "M@lwarebytes", and it exists only to prevent e-mail systems or other online storage from potentially blocking the file due to malware, as one of the functions of the data it collects is to identify potential undetected malware on the system. The password prevents the file from being intercepted, unzipped, and scanned in transit. You do not need to unzip the file in order to share it with me. Simply send the zip file itself. You're free to open the file to look at what it contains before sending, which is why we make sure to provide you with the password.
  11. It was moved to the Malwarebytes for Mac Support Forum, since this isn't a malware removal question. You can also see the forum once you're on this page by looking near the top of the page. Without more info, we would need to see your install logs. Please follow the instructions at the following link to download our support tool, run it, and attach the file it generates to a direct message to me. https://support.malwarebytes.com/hc/en-us/articles/360038519834-Upload-logs-to-your-ticket-using-the-Malwarebytes-Support-Tool-for-Mac Once I have that information, I can investigate to see what's going on.
  12. I moved this to the correct forum. Can you post the exact text of the error message you're seeing?
  13. Okay, as I suspected, this isn't an iPhone hack, it's an online account hack. If an attacker was able to gain access to your e-mail address, they could use that access to take over other accounts, doing things like intercepting e-mailed password reset links or codes and whatnot. Once they were able to take over your T-Mobile account, they could set up SMS forwarding and gain access to 2FA codes. For a detailed description of how this happened to a journalist named Mat Honan, see: https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

      Unfortunately, recovery from something like this is not easy or pleasant. First, you need to regain access to your e-mail address. You may need to talk to your e-mail provider about that, and you'll definitely want to set up 2FA on your e-mail if you didn't already have it. Since the attackers have access to your SMS, you'll need to choose to use an authenticator app instead, if that is an option.

      Also, if your e-mail system has "security questions" for account recovery, with questions like "what's your mother's maiden name" or "what street did you grow up on," be aware that providing truthful answers to these is a bad idea. Much of this information is in the public domain, for someone determined enough to seek it out. Use fake answers, and store them in a password manager. For example, you may choose for your mother's maiden name to be "dfkensoaienfioseisni." Just don't reuse that "name" on another site! (And don't use that particular name regardless, since it's on a public forum.)

      Be sure to change your e-mail account password to something long and strong. A lengthy randomly-generated password stored in a password manager is perfect. Make sure not to use the same password anywhere else!

      Last but not least, check your e-mail account for any e-mail forwarding or account delegation that may have been set up. Different e-mail systems will have this in different places, but it's an easy way for an attacker to continue intercepting your e-mail, even after a password reset. If you're not sure whether this exists or how to find it, talk to your e-mail provider.

      Once you've regained control of your e-mail, you'll need to go through all your other accounts - probably starting with your T-Mobile account - and go through the same steps: reset the password to something long and strong (and not used anywhere else), set up 2FA via an authenticator app, remove any SMS-based 2FA, and change or remove (if possible) the answers to any security questions.

      You'll also need to have a discussion with T-Mobile about removing the SMS forwarding from your account, and making sure it doesn't get set again. Ask them about using a PIN code or passphrase to protect access to your account over the phone. If I call my cell phone provider, that's the first thing they want to know before they'll talk to me. This helps to prevent someone from calling in and pretending to be you to start an account recovery process (most of the time, at least... assuming the support agent is doing their job.)
  14. I don't know what "digits line" refers to. If this is some third party app that is doing SMS forwarding, you should uninstall it and contact the developer of that app to see if your account with them has been compromised. If this is some app offered by T-Mobile, I'd expect them to offer some suggestions. Bottom line, it's almost certain your phone itself hasn't been hacked. That's very difficult to do with iOS, and is generally out of reach to folks who would be using that access for such an amateurish attack. (It may be disruptive to you, but it sounds noisy, and that is absolutely not the kind of thing true sophisticated attackers engage in.) Thus the questions... somehow, they've compromised some online account or something similar that is helping them perpetrate this attack.
  15. Where are you seeing that SMS forwarding is turned on?
  16. Those folders are actually created by iOS, not by Malwarebytes. They are created for any SMS filtering app you have installed. However, Malwarebytes for iOS will only filter into the Junk folder.
  17. You'd need to check whatever app you're using to generate those 2FA codes. Different apps handle it differently, but if the app you're using doesn't have any kind of backup, you'd lose the ability to generate those codes on factory reset... or losing the phone, getting a new phone, deleting the app, etc. As for your description of the symptoms, I simply don't understand at all. How did receiving spam SMS messages lock you out of your phone? What makes you say that someone turned on SMS forwarding for your phone number? I don't believe this could be used to make you see different SMS messages. What do you mean when you say "when I hit incognito in my phone I see spam?"
  18. If your iPhone were hacked, a factory reset actually would help. What specifically are you seeing that you believe indicates that your phone has been hacked?
  19. We cannot, of course, guarantee that the app will block every malicious site. It's simply not possible to make that kind of claim. However, it should do a pretty good job, and if you find something that's not blocked, you can report it over in the Research Center - specifically, the Newest IP or URL Threats forum, for this kind of thing. https://forums.malwarebytes.com/forum/44-research-center/ That said, it's possible, but quite rare, for an iOS device to get infected by malware simply by visiting a website. This kind of thing typically involves nation-state level malware, and is very targeted. The average person is not likely to ever see anything like this unless something changes drastically. Keep your devices on the latest version of iOS and you shouldn't need to worry about this, unless you are someone that a nation-state would pay a lot of money to surveil. If you feel you are such a person, enabling Lockdown Mode on your iOS devices would be a good idea.
  20. This is not likely to be due to a compromise of your iPhone. Unless the culprit has physical access to your phone, it's simply too difficult to hack or infect an iPhone, and nobody would spend that kind of effort - and money - just to access an Instagram account. There are a few possible explanations for how someone got access to your account:

        • The culprit has physical access to your phone and was able to see the code and use it to gain access
        • The culprit has physical access to some other device logged into your Apple ID that gets your texts shared to it via iCloud, such as a Mac, an iPad, another iPhone, etc.
        • The culprit has access to your Apple ID and was able to add a new device that would receive your texts
        • The culprit cloned your SIM card (likely through physical access to the phone) to receive your texts on a different phone
        • The culprit called Instagram and knew enough about you that they were able to talk a support agent into giving them access (typically saying something about how they'd been locked out, due to having lost the phone, changed phone numbers, etc)
        • There could be an account recovery process for Instagram that has a flaw that an attacker can exploit to bypass the 2FA requirement
  21. You should not need to allow the system extension in order to use the VPN. Currently, the only purpose of that extension is to support connection rules. The system extension is used to block network connections to apps you have selected when not connected to the VPN. If you're having trouble connecting, that's a separate issue, and I'd recommend posting about that in the Mac Privacy forum: https://forums.malwarebytes.com/forum/259-mac/ That said, if you do want to get the connection rules feature working, you'd definitely need to get it allowed. There are some suggestions here: https://support.malwarebytes.com/hc/en-us/articles/360039018673-Unable-to-activate-Real-Time-Protection-in-Malwarebytes-for-Mac Unfortunately, there are some glitches with Catalina's support for system extensions, even on the latest version of Catalina. It's possible the suggestions at the above link may not help. For that reason, at some point in the future, support for Catalina is very likely to be dropped, and only Big Sur and up will be supported.
  22. This is not something that you have any control over. If someone calls you, your number will always show up in their recent calls list, regardless of what you do on your end. But then, they already had your number anyway. On the converse, they can't see whether you blocked them or just didn't answer. The only thing they'd be able to see is if you answered the call. The only difference between "block" and "warn" with our software is whether you see the call or not. If you're worried about a legitimate call getting blocked, keep it set to "warn." If you're getting hassled non-stop and just want it to stop, and haven't seen any legit numbers get blocked, set it to "block." Regardless of what you choose, nothing can block the caller's ability to leave a voicemail, unless you don't even have voicemail capabilities set up on your phone number.
  23. Yeah, sorry we couldn't help more. If you've got a good local shop that does a good job, that's probably the best bet. We could try having you run our support tool, but it's really designed mostly to 1) identify problems with Malwarebytes software, and 2) identify potential traces of malware. Sometimes we can use the data it collects to diagnose other issues unrelated to those two things, but that's not really what it's meant for.