
iPhone 12 infected and re-infected by hacker malware



The hacker has installed malware, perhaps using iMessage, or a Pegasus-type no-click malware, that allows him to control my iPhone 12, change settings, open apps, and do just about anything. I have reset the phone to factory settings countless times, but he always comes back. Any ideas you may have will be much appreciated.


19 hours ago, Porthos said:

It's best to open a support ticket so one of the mobile device support agents can assist you with this.

Please note it may take a few days before a reply though due to high ticket volumes. Please only open one ticket.

Consumer Support
https://support.malwarebytes.com/hc/en-us/requests/new

Thanks

I have done so at https://forums.malwarebytes.com/topic/289612-iphone-12-infected-and-re-infected-by-hacker-malware/ but no one has contacted me. Thanks.


Thanks, Thomas. I am unable to access links embedded in some text messages, cannot fill out certain forms online, buttons and links do not respond to taps, and apps are showing opened in recent apps that I have never touched. Screens and apps open and close by themselves. Attachments to e-mail do not come through. Someone seems to have full access to my phone, as with Pegasus. The same hacker has also infected my PC with malware and controls it online. I have similar issues with the computer.


  • Staff

These are not typical symptoms of a Pegasus infection, and Pegasus would not be able to survive the phone being reset to factory settings.

Some of what you're describing is sounding more like a hardware problem, perhaps with the touch screen. Such problems can cause taps to be missed, as well as spurious taps being detected when you weren't actually touching the screen.

Problems with e-mail attachments can be caused by both a problem with your mail server and by the Mail app itself. I sometimes see this myself, where Mail gets stuck loading an attachment despite the phone being connected to a good wifi network.

I'd recommend having Apple take a look at the device. If you can reproduce any of these issues, that will help Apple identify the problem.


1 hour ago, treed said:

These are not typical symptoms of a Pegasus infection, and Pegasus would not be able to survive the phone being reset to factory settings.

Some of what you're describing is sounding more like a hardware problem, perhaps with the touch screen. Such problems can cause taps to be missed, as well as spurious taps being detected when you weren't actually touching the screen.

Problems with e-mail attachments can be caused by both a problem with your mail server and by the Mail app itself. I sometimes see this myself, where Mail gets stuck loading an attachment despite the phone being connected to a good wifi network.

I'd recommend having Apple take a look at the device. If you can reproduce any of these issues, that will help Apple identify the problem.

Thanks, Thomas. Seeing that someone has opened my banking app without me even touching it gives me pause. Here is my take on this after many months of experience. My iPhone and my PC are connected to the same router. The PC has malware which gives the hacker control of it when he has its IP address. If I connect the iPhone on the WiFi he can see the router’s IP address on the phone. I believe that after a reset he re-infects my iPhone as soon as I connect to my Apple ID, which then installs iMessage and gives him the security breach. Is there any way to reset the iPhone without enabling iMessage?


  • Staff

There are a couple completely legitimate reasons that your banking app could open. One is a hardware issue with the touch screen, as I mentioned previously.

Another is that the app could receive a push notification from the company that owns the app. This is common with banking apps, as they may need to receive notifications about events happening with your account. When iOS receives a push notification for an app, it will open that app in the background to handle the notification.

I can't comment on what's going on with your Windows PC or your router, but on your iPhone, what you're describing is not a symptom of any known malware. There's no known malware for iOS that can survive a reset to factory settings - and, in fact, none that I know of that even survives a restart.

That said, if you believe that you are someone who may be targeted by nation-state malware like Pegasus - for example, if you are a journalist or an activist who has been critical of certain oppressive regimes - you should contact Amnesty International. However, keep in mind that the average person is never going to see Pegasus.


3 minutes ago, alvarnell said:

Note that it was patched with iOS 15.6.1 on Aug 17. Have you not updated yet?

Thanks. I just have, but the phone had been set to Automatic Updates and had not updated its own software.

Will the update deal with already installed malware?


  • Staff
37 minutes ago, groucho said:

Thanks. I just have, but the phone had been set to Automatic Updates and had not updated its own software.

That's not necessarily unusual, if the phone isn't plugged in at the time it wants to try installing the software, or if it's plugged in but the battery is low, or if it has difficulty downloading the update overnight for some reason. I've sometimes found that I have to install updates manually on my iPhone for whatever reason. It will eventually happen, but it may not happen right away.

As I mentioned previously, I'm not aware of any current malware for iOS that's capable of surviving a restart, so at a minimum the restart needed to install the update should eliminate an infection, if present.


Thanks, Thomas, but this morning I charged my phone which had been shut down (turned off). The charging started it up, and some time later, when I checked the recent screens, the Settings and the Messages screens had been opened. I had not even touched the screen. This does not look right to me. Is it possible that some new malware exists that you haven’t met before? Should I reset the phone again?


P.S. The Settings screen reopens repeatedly in the background. I can see it when I check the recent screens. I am considering buying a new Apple PC to resolve my ten-month-old hacker/malware problem and it is very important for me to know whether iOS is as impenetrable as it is supposed to be. Thanks.


  • Staff

How are you seeing this? Be aware that when you reboot the phone, you will see all the same apps that were open prior to the reboot still in the app switcher. This is normal.

There is no system on Earth that is impenetrable. However, it does take some effort to infect an iPhone. You need to consider whether someone with access to high-dollar malware would be interested enough in you to spend the money to infect your device. Do you have some reason to believe that you are the target of a hostile nation-state?


  • Staff
10 minutes ago, alvarnell said:

Is it possible that someone gained physical access to your iPhone and "jailbroke" it?

Most jailbreaks are not persistent across restarts. If this were due to a persistent jailbreak, though, upgrading to the latest version of iOS should remove it. Yet another reason to recommend installing that update. 🙂


Many thanks. I have installed the update, of course, yet, those screens do not open without an Internet connection but rather as soon as I connect to WiFi those screens begin to open in the background, as above. I can see that by swiping upward halfway to the top and seeing the recent screens. I always turn them all off before turning off the phone. How can I tell if my phone was jailbroken (rooted)? It feels like some hacker is trying to change the settings. No one ever had physical access to my phone other than my Apple store, but my PC is infected by subtle malware that seems to come from the same hacker. I am neither a journalist nor an activist and to this day, after ten months of resetting my phone and buying new equipment, I still don't know the identity of the hacker. Is there a surefire way to tell what or who is causing those screens to open? Thanks again.


  • Staff

1) If you just installed the update, your phone is not jailbroken, as I mentioned.

2) Why do you assume that apps opening is malicious rather than a normal consequence of using iOS? I've already given you some reasons why they may open on their own - such as push notifications, which you would only receive if connected to a network - as well as an assertion that I see apps open after a restart here as well.

3) If you're not a journalist or an activist or in any other way someone who has gained the attention and ire of an oppressive nation-state, you are not infected with Pegasus or anything similar.

This seems very much like a case of mistaken assumptions.


Thanks, Thomas. You may be right, but still, FYI, when I installed the update there was a progression bar that was stuck at its beginning and did not advance at all for a very long time. Then the phone restarted and now it says the software is up to date. Also, the self-opening screens that I later discover only happen if I connect the iPhone to WiFi. The WiFi is a router that the PC uses and this PC is infected with subtle malware which, among other things, reveals my router's IP address to the person who planted it and gives him access to my PC. Also, there have been active attempts to interfere with my filling out forms and submitting them to bodies that dealt with hackers and malware, like yours. I was not able to type what I wanted and it kept trying to change my text. It also disabled the Submit buttons. It hid essential parts of the forms or exchanges so I could not communicate properly. When I am on Cellular rather than WiFi those things do not happen. The feeling is that you are not alone on your iPhone. Thanks again and kind regards.


P.S. Now those screens open silently in the background when I am on 3G Cellular Data as well. Especially the Settings screen and the Apple Store screen. Those apps are not permitted push notifications. I fear that whoever hacked my PC also has my Apple ID and Password. I have changed the password several times but it is enough for me to be online for those screens to open some time later. Do you know of any app that positively identifies hacking, spyware and remote-control attempts on the iPhone 12? I do not wish to reset the phone again if I can avoid it, especially as my only WiFi is my PC router. Thanks again.


This topic is now closed to further replies.