iphoneX Hacked HELP

[flynhi]

guys i need help urgently someone has without a doubt remotely exploiting my iphone x. I have no idea how but the analytics logs say enough.

I have tried everything from erase all content new apple id’s pxwrds factory dfu.

I was playing around and somehow got the phone to properly close down with the spinning circle (it doesnt do this it just goes black normally) and keep the phone from downloading the apps once i set the phone up again by turning data off but it only stopped it for few hours before the analytic logs came through.

Does anyone know how to stop this spying and remove it for good. 

One important thing I realised was every update I do the Trust Store Cert does not update to the latest ios12 certs and it is stuck on 2018121000 no amount of reinstalling gets the phone to break out of this loop its in.

Apple support = USELESS !

Edited February 28, 2019 by treed
removed accidental tel: link

[treed]

Can you provide information on the specific symptoms you're seeing that lead you to believe your phone has been hacked?

A Trust Store Version of 2018121000 on iOS 12  is normal. Why do you believe this is abnormal?

[Guest Karmababysue]

So what’s normal about 2018 121000. I have the same issue with two new iPhone xrs. My sons phone reflected the correct certificate via Apple’s website of 2018 071 800 but when he updated to 12.1.4 his device his device went to the new store trust version that my phone has been reflecting since at 12.1.3 and we’ve had these devices for one month and we can’t get the store trust version to update to reflect the 718 number. I had the operating system reinstalled so please explain to me what’s normal about it because I’m working with apples engineers on this. 

[alvarnell]

Sorry, but I’m very confused about all this. I do realize that Apple documentation says that 2018071800 is current, do we have any evidence that 2018121000 is older? Based on Apple numbering schemes in other cases, it would seem the opposite is true and that we are all actually on the most current version and Apple's documentation has not caught up.

Edited March 23, 2019 by alvarnell

[Massimiliano]

I also confirm, I am on 28121000

[treed]

On 3/22/2019 at 3:09 PM, Guest Karmababysue said:

we’ve had these devices for one month and we can’t get the store trust version to update to reflect the 718 number.

Why do you believe that 2018071800 is newer than 2018121000? Treated as raw numbers, the latter is the larger number, thus would be the newer version. Interpreted as date-based, 2018-07 (July 2018) is earlier than 2018-12 (December 2012), thus the latter is still the newer version. Any Apple documentation saying that 2018071800 is the most recent can only be outdated documentation. Nothing else would make sense.

[LGK]

On 2/27/2019 at 3:03 PM, flynhi said:

guys i need help urgently someone has without a doubt remotely exploiting my iphone x. I have no idea how but the analytics logs say enough.

I have tried everything from erase all content new apple id’s pxwrds factory dfu.

I was playing around and somehow got the phone to properly close down with the spinning circle (it doesnt do this it just goes black normally) and keep the phone from downloading the apps once i set the phone up again by turning data off but it only stopped it for few hours before the analytic logs came through.

Does anyone know how to stop this spying and remove it for good. 

One important thing I realised was every update I do the Trust Store Cert does not update to the latest ios12 certs and it is stuck on 2018121000 no amount of reinstalling gets the phone to break out of this loop its in.

Apple support = USELESS !

Hi, and I am sorry this happened to you. I know this question was asked three months ago & hope you were able to get Spyware removed. It’s now well known & alarmingly wide spread. 

I had the same thing happen to me in August of 2018, & I asked MW directly, provided explanation as to “why” I thought that - and was told it’s not possible, and obviously I gave my password to somebody or logged in via a non-secure network. “Impossible”. Now Spyware is a much discussed topic & there’s no way the person who told me it was impossible didn’t know. 

Here’s an article published at Wired about the types of crime that get committed & a really great person who is trying to help. 

https://www.wired.com/story/eva-galperin-stalkerware-kaspersky-antivirus/

I wish I had known to ask her instead, because I trusted the person who said it was “impossible” - and a really bad crime happened. The person could have at least referred me to somebody - I had asked - I would have gladly paid for the service because I don’t give out passwords & I don’t use non-secure WiFi so I knew something was wrong, but an expert said “impossible” - oh - he also suggested I change passwords & recommended a password manager.

i have never publicly called out a company or a person, but if it is still being questioned, I think it’s more important to help others because I would never want what happened to me to happen to anybody else ever.  It was a serious crime & I thought I’d never recover. Ironically what helped me get through is getting education in cyber security & I do help other people now. I learned exactly how it was done, I know when & where & by whom, I just can’t do anything about it because the evidence is now gone. I realize this is not the place for personal tragedy stories, but if you still get a “what makes you think that” I believe it’s warranted. I am not calling out names or publicly shaming the person who told me “impossible”, I just really don’t want this to happen to anybody.  Do not question your sanity, it’s not “impossible”, if you are concerned, the article provides resources. I wish I had known. It was the worst most horrible thing that ever happened to me. The people who committed the crime got off free. I barely survived it, and unfortunately I am not being dramatic. I am skilled at cyber security now & I help others. And when i didn’t think I’d make it, I was telling myself that at least no matter how horrible this is, at least I am not the person who dismissed my concern as “impossible” & enabled the crime. 

[alvarnell]

@LGK, very sorry to read about your experience and wish more was known about it when it occurred.

We never heard back from either the OP or the "me too" guest for additional information on their reported issue, but I feel very confident that not only was it nothing compared to yours, but was (and still is) simply a mistake on Apple's part. I just conducted another check of my iPhone 7, iPad Pro and iMac running the latest OS and they all show the Trust Store version still is 2018121000. If either of those users was hacked, it clearly didn't involve their Trust Store. I was hoping that Apple would have updated their reference material by now, but see they have not (List of available trusted root certificates in iOS 12, macOS 10.14, watchOS 5, and tvOS 12), so I'll take the time to report it through a couple of channels.

But the real reason I replied was to point out this very timely article from Malwarebytes today -- Knowing when it’s worth the risk: riskware explained.
 

[LGK]

Hi, thank you - more was known. It’s just it was not acknowledged or even admitted by people who asked “what makes you think that” & then declare that it’s “impossible”.  

The signs I reported had nothing to do with certificates, I was not trained @ cybersecurity back then, I would not have known even what they were. 

But I did know about trust, which was an unacceptable risk on my part, to trust an “expert” to tell me the truth. 

The signs I reported were classic that are discussed at the Wired article about Eva. Wired chose to focus on Android more, but it was well known at the time that they were quite wide spread on IOS too, just look at this article from Malware Bytes.

It was posted a while back. I am not saying the person who said “impossible” was supposed to spend hours analyzing my question, but he could have said to maybe check with somebody who specializes at detecting it, which is what I asked - to recommend whom to contact - if MWB weren’t able to help - he shouldn’t have said “impossible”, dismissing something so serious. That’s a very legitimate concern & the fact that it’s still being questioned is alarming.  And it lead to a crime which could have been prevented.  I reported the signs that is pointed out in the Wired Article. And Malware Bytes has this way too late for me but maybe others can learn article on their site. I didn’t click on any links or downloaded anything from outside of the AppStore. The person could have said “find a cyber security firm” or anything other than “impossible” - believe me, I would have rather wasted $ to find out there was nothing wrong - sort of like people would rather pay for tests to find out they do not have some terrible disease they had signs of, then to, in fact, later find out it’s too late.  What MWB did was essentially dismiss the signs of a serious issue and effectively blamed me for doing something wrong, doctors thankfully don’t do that even when they could. So no, I didn’t click on any links & the only risk I’ve taken was to trust a So-called expert, do they mention that risk as not worth taking in the timely article? I just don’t have the heart to read it because the title implies that if my device got infected with Spyware, it must have been my fault  - it wasn’t. It was established. Thankfully. Law Enforcement was involved after the fact of the crime that MWB could have prevented it.  But you know what, I am not going to discuss it here anymore, if it only leads back to implying it was my fault.  I wasn’t seeking out this particular topic, I was looking for something else.  I wasn’t planning on posting anything & I regret it actually because the only acceptable answer would have been for them to express some sort of regret, they didn’t then, they didn’t now. I just saw somebody asking a question and I didn’t want something to happen to them, that’s all. Here’s a MWB article on Spyware. Not to worry, MWB expert, I am still not going to post this more publicly. I am just glad I am not you, genuinely. And stop questioning people. 

https://www.malwarebytes.com/spyware/

 

[LGK]

The timely article was a marketing pitch on why MWB is still “so great” & a skillful academic discussion on “potentially unsafe” vs “risky” - that’s still not helpful if you weren’t engaging in anything risky, I am very risk averse, I wasn’t clicking on links or trying to download anything from any unrecognized developers. 

The point of what I wrote was just don’t dismiss concerns automatically. 

Thank you again, and back to your regular programming. 

 

[treed]

Without knowing more about who you spoke to and what was said, I can't comment about any previous conversations you may have had.

However, I'd like to point out a few things. First, this topic involved claims that a particular Trust Store Version meant that the phone had been hacked. Those claims are definitively erroneous, as the cited version was completely normal.

Second, it is fortunately far more common for people to believe that their iPhones have been hacked than that it has actually happened. It certainly can happen, either at the hands of a hostile nation-state or someone who has physical access to the iPhone in question. However, it's quite rare that we see cases like this, because it's not the easiest thing to do on iOS. This is, of course, not even remotely the same as "impossible," but it is important to keep in mind that there are theoretical sequences of events that I have seen described as evidence of a hack that would be impossible to actually explain as described.

Finally, you said: "And stop questioning people."

There is no other way to determine exactly what is going on when people say their phone has been hacked. Questions must be asked, or nothing can be learned. Please do not take offense at questions, or interpret asking questions as automatic dismissal of someone's claims.

So, long story short, if you think your iPhone has been hacked, please feel free to post the details here, and you should not be made to feel dismissed. However, expect to be questioned, as that is the only way to get to the bottom of what happened, and expect that you may be told that what you describe is something other than your iPhone being hacked.

[JLW]

OMG me too, my 2 Iphone XR's and my Iphone 7s plus as well. It began with my X and next my two XS Max's and has not stopped since August 2018. I have paypal fraud, bank fraud in 3 banks, all my social media is hacked...someone is remote accessing my phones you can see it in the analytics it says " remote management" as recent as two days ago. My phones are not jailbroken, I do not download strange apps or click on anything. I have that trust version 2018121000. As far as I can tell so far it seems to be some sort of revoked Microsoft Office certificate. I have spoken to Cisco, Apple support more times than I can count. Law enforcement already issued supeona to Apple legal as I am locked out of 15 Iclouds this is getting ridiculous. Check out Ace Deceiver MITM attack on Palo Alto Network, that will scare the crap out of you if you havent seen it already. I am also locked out of all my Gmails, and Outlooks as well including photos and One Drives etc so the person/person's have all my documents/photos it's very violating. If my bank accounts had not been completely emptied I would hire an attorney at this point. My 8 year old son is even locked out of his Xbox account and all his gaming and Icloud accounts etc. Apple is literally beyond useless. Last year I purchased at least 15 Iphones because this kept on happening and obviously my data is somewhere in a cloud under someones control. The servers ( they seem to be using digital ocean and discord as well as aws to bounce off of or whatever hackers do) that show up before they also fried my 5 computers at home with VMware and injected Trojans (took me off as admin and extracted all financial data log in and passwords using screen recordings is what I gather from researching) Anyways if anyone can assist in this removing or updating trust store certificates please!! According to analytics on my phones I have keylogger among other fun stuff on my phone I guess I need to learn X code as the person doing this has Apple Developer rights and is also installing Icloud local auth rights etc to keep hacking my phone, scary part is my one phone did not even have a sim card in it nor internet connection and it is still being remotely accessed!!! 

[treed]

As has already been said multiple times here, the Trust Store Version you report is completely normal and not at all evidence of a hack.

Also, you say that "they also fried my 5 computers at home with VMware" - but VMWare is legitimate software, and not at all remotely something that could be used to "fry" a computer.

As for other evidence of an iPhone hack, I would ask you to start a new topic, and post specific details as seen on your phone. Note that hacked online accounts are not evidence of an iPhone hack, they are evidence that one or more of your online accounts have been breached in some way, likely due to a breach of one system combined with using the same passwords on multiple accounts.

[alvarnell]

On 5/24/2019 at 1:00 AM, alvarnell said:

I was hoping that Apple would have updated their reference material by now, but see they have not (List of available trusted root certificates in iOS 12, macOS 10.14, watchOS 5, and tvOS 12), so I'll take the time to report it through a couple of channels.

I heard back from Apple security folks and apparently the list we have been looking at has been superceded. Here is the response I received with links to the January documents indicating that 2018121000 is the most recent list.

Quote

Hello,

The following Apple Support Knowledge Base articles should help to answer your question:

Available trusted root certificates for Apple operating systems - https://support.apple.com/HT209143

Current Trust Store - https://support.apple.com/HT209501

Best regards,
Scotty
Apple Product Security

 

Edited June 7, 2019 by alvarnell

[AdvancedSetup]

Seems one of the links in the quote is wrong, so for clarity here are what should be the valid links.

Available trusted root certificates for Apple operating systems
https://support.apple.com/en-us/HT209143

List of available trusted root certificates in iOS 12.1.3, macOS 10.14.3, watchOS 5.1.3, and tvOS 12.1.2
https://support.apple.com/en-us/HT209501

 

[alvarnell]

6 hours ago, AdvancedSetup said:

Seems one of the links in the quote is wrong

Fixed. Thanks.