iOS Issues / Spyware

[Fredwick]

Anyone else getting "Start Diagnostics With Apple Support" when you go to Settings>Privacy>Analytics ? Leave device on that screen for a few minutes and see if that pops up in blue. 

[alvarnell]

Didn't happen on my 10.5" iPad Pro. Still waiting to see what happens on my iPhone 7. May depend on what options are enabled.

Why the "Spyware" in your subject? The dialog you are describing (would be best if you posted a screenshot of it) certainly sounds like something unexpected has occurred in iOS and a diagnostic file is being prepared which you can then elect to use in a Feedback entry to Apple or simply ignore.

Edited August 27, 2021 by alvarnell

[Fredwick]

Because I've hired a security analyst and he has determined that this is a EXPLOIT, and is not normal iPhone behavior.  That should only pop up if and when you are working with a Apple Specialist, DIRECTLY, to allow extra permissions on the device for them to connect and diagnose any problems. I'm sure you can imagine the security implications considering the admin privileges that this provides, it's a security issue, as the device is recognizing that Apple is trying to connect with it, but they are not. Location data, screen sharing, etc. This "Start Diagnostics With Apple Support" occurs on ALL of my devices, as well as some family members' devices. He's identified it as spyware, and is currently working up technical details and the logs for Apple, although he's sure that they are already aware of it and have chosen not to patch the exploit, as he's seen this before.

Now, if your device(s) were doing this, and not everyone else's, would that not draw a red flag that something is not right? 

[alvarnell]

I can't say your analyst is wrong about this, but there are explanations other than working with an Apple Specialist for a sysdiagnosis file to be produced on an iPhone. I've done it myself when troubleshooting a software issue. But there is no way for me to exfiltrate this file without my attaching the iPhone to my Mac. Having not needed to troubleshoot my iPhone with an Apple Specialist, either remotely or at a Genius Bar, I can't say whether they have a means of extracting the file remotely or not. I will say that the App Store reviewers have not been perfect in their ability to spot security issues with apps before approval, but they are doing somewhat better recently at preventing apps from obtaining information they cannot justify a need for and preventing such information from leaving the device. You haven't indicated what the vector being used for this supposed exploit, but most all have come from an App Store app, at least on a non-jailbroken iDevice. Of the rest, almost all come from state sponsored hacks targeted against small groups and industry.

But I digress. If the only reason you came here was to verify behavior, I doubt you will get much more feedback here, especially on the weekend. The Apple Support Community Forum will likely give you a wider representation of users. If your security analyst has identified a pice of software that he believes is responsible for this behavior, then I'm certain that Malwarebytes would welcome taking a look at it and has provided a Newest Mobile Threats forum where you can upload any suspicious software which only experts can access it.

[treed]

There is a BIG difference between something that is abnormal and malware. Just because you're seeing something unusual does not mean your devices are infected.

This "Start Diagnostics with Apple Support" is something that allows Apple to collect data from your device. My understanding of the process is that the collected data goes directly to Apple, and gets added to an existing support ticket that you should have open. That said, I've seen reports of cases where, for whatever reason, the diagnostic request never gets closed properly by Apple, and continues to appear.

As I see it, there are a couple likely possibilities:

1. You're encountering a rare bug, perhaps caused by some specific configuration of your devices
2. Apple Support still has a case open, perhaps in error, or perhaps because they're still waiting for you to submit data and you thought the case was closed

Either way, contacting Apple Support would be the way to go. Be sure to contact them via legitimate means (ie, don't Google something like "Apple support phone number" and then call the number that comes up), as listed on Apple's support site:

https://support.apple.com

I can't say with 100% certainty that it's not possible for an attacker to use this to get data from your phone or to infect your phone, because 100% certainty does not exist. However, I can say that this behavior is not known to be associated with any iOS malware or attacks. It does not seem likely to be malicious, since the diagnostic data should go directly to Apple.

Can you provide more information about how you found the security analyst that you're working with, and what specifically they have told you? 

[Fredwick]

It is most certainly Spy/Malware.  My security analyst is preparing his report for Apple Security.  Apple sent me a new phone, but oh no, it got "delayed" at FedEx in Memphis, TN and didn't move (no scans) for a full day. Item arrived late, and it was tampered with as well.  Currently working with my analyst and he advised me to contact FedEx Security as well as Apple.  Just wanted to post this to give others a heads up.  If you've never had Apple connect to your new device, it should not be saying a apple specialist is trying to start a diagnostic session straight out of the box. 

Also, emails (including this one, thats why I'm just now responding as I didn't get it on my old device) and text messages wasn't showing on my old device. However, they are magically showing up (old emails I had never received) on a different device. So, they were filtering my emails and messages as well. 

[treed]

I can't provide any additional concrete information based on that, as I still don't have enough information to go on.

However, I will say that if you have somehow managed to attract the attention of the sort of people who are capable of intercepting your packages and tampering with them, that's nation-state-level activity. In other words, that's the sort of thing that would require the resources of a government or other extremely powerful organization.

Thus, since the options here are either that you are misinterpreting things as spyware that really aren't or you've got a very powerful organization spying on you, either way it would not be appropriate to continue the conversation here. I'd advise you to continue working with Apple through private channels.

[Analissa]

It Keeps happening to all my devices. How did your analyst find it?

 

 

[alvarnell]

3 minutes ago, Analissa said:

It Keeps happening to all my devices.

 

 

Have you contacted Apple yet?

[Analissa]

It Keeps happening to all my devices. How did your analyst find it?

 

Yes I have. They told me to reset the phone and it did not help 

how to find it? 
 

[Analissa]

Did your phone generates analytics every day at 18:00?

[alvarnell]

Under Settings->Privacy->Analytics & Improvements, do you have anything enabled? That will always trigger a daily analytic at some time (not necessarily the same for everybody).

[Analissa]

Yes. I understand that. I shouldn’t be at the same time the same thing according to apple

[alvarnell]

Sorry, but you didn't answer my question, so let me ask it a different way. What analytics are you seeing that generate a report at 18:00 daily. I have all analytics enabled and some of the ones I check are at the same time every day, while others are only when some event triggers them.

[Analissa]

Oh. Ok. It’s all regular apple analytics. Question. Do you know why on record apps do not record all the apps? 

[Analissa]

[alvarnell]

Sorry I'm completely lost by your screenshots, probably because I don't store files on my iCloud Drive. And I don't know what you mean by "on record apps"

[Analissa]

I don’t store files on iCloud either I just open the folder to see if it records. 
Setting, privacy, than screw down than app privacy report 

 

[treed]

9 hours ago, Analissa said:

It Keeps happening to all my devices.

What keeps happening? Like Al, I don't understand what we're supposed to be gleaning from your screenshots, so we need more information. If you're wondering why some apps do not show up in the App Privacy Report, the answer is simple: for some apps, there's nothing to report, because they don't try to access anything.

Quote

How did your analyst find it?

Fredwick never answered questions about this "analyst," but I'm going to go out on a limb and say there wasn't really an analyst. I'm not saying they were lying, but the things they reported that the analyst told them did not make sense. It's quite easy these days to find fake tech support online. These scammers will pretend to be security experts and will feed you all kinds of false information to convince you that you're infected. Then they'll trick you into giving them a credit card to pay for their "services."

Many people get fooled by these scams. My own uncle did, two years in a row before I knew about it.

[Barnabykate]

Everything including malwere site is coming up website blocked due to compromise. What is going on?

[Porthos]

6 minutes ago, Barnabykate said:

Everything including malwere site is coming up website blocked due to compromise. What is going on?

Since this is your first post, what device are you having issues on and exactly what are you doing?

[alvarnell]

40 minutes ago, Barnabykate said:

Everything including malwere site is coming up website blocked due to compromise. What is going on?

It's always best to start your own new topic, especially since your description doesn't sound anything like what the Original Poster's issue was.

We need the details requested by @Porthos along with the version of iOS and and Malwarebytes for iOS that you are running, along with a screenshot that shows the blockage and URL of the "malware site".