ANECompilerService

Question

Level 1

53 points

ANECompilerService

Before you comment to crucify me for looking in logs, please tell me if this compiler looks suspicious, I didn’t post the full log as it’s very very long.

This iPad was factory reset at the Apple Store a few weeks, no additional apps installed. My MacBook Pro and MacMini were both compromised and jailbroken.

I am wondering if this is a persistent ‘horsey’ type issue and my iPad and Macs are now back on the merry-go-round despite factory resets and new AppleID.

{"app_name":"ANECompilerService","timestamp":"2023-03-28 09:42:12.00 +1100","slice_uuid":"","build_version":"1","bundleID":"com.apple.ANECompilerService","duration_ms":"120064","share_with_app_devs":0,"is_first_party":0,"bug_type":"202","os_version":"iPhone OS 16.3.1 (20D67)","roots_installed":0,"name":"ANECompilerService","incident_id":""}
Date/Time:        2023-03-28 09:40:11.292 +1100
End time:         2023-03-28 09:42:11.356 +1100
OS Version:       iPhone OS 16.3.1 (Build 20D67)
Architecture:     arm64e
Report Version:   40
Incident Identifier: 

Data Source:      Microstackshots
Shared Cache:     
Shared Cache:     

Command:          ANECompilerService
Path:             /System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANECompilerService.xpc/ANECompilerService
Identifier:       com.apple.ANECompilerService
Version:          ??? (1)
Resource Coalition ID: 463
Architecture:     arm64e
Parent:           launchd [1]
PID:              1021

Event:            cpu usage
Action taken:     none
CPU:              90 seconds cpu time over 120 seconds (75% cpu average), exceeding limit of 50% cpu over 180 seconds
CPU limit:        90s
Limit duration:   180s
CPU used:         90s
CPU duration:     120s
Duration:         120.06s
Duration Sampled: 118.88s
Steps:            47

Hardware model:   iPad12,1
Active cpus:      6
HW page size:     16384
VM page size:     16384

Advisory levels:  Battery -> 3, User -> 3, ThermalPressure -> 0, Combined -> 3
Free disk space:  48.07 GB/59.59 GB, low space threshold 150 MB
Vnodes Available: 47.69% (4769/10000)

Preferred User Language: en-AU
Country Code:     AU
Keyboards:        en_AU QWERTY
OS Cryptex File Extents: 4

Heaviest stack for the target process:
  30  ??? (libsystem_pthread.dylib + 2968) [0x227d3cb98]
  30  ??? (libsystem_pthread.dylib + 3576) [0x227d3cdf8]
  30  ??? (libdispatch.dylib + 93712) [0x1e1a63e10]
  30  ??? (libdispatch.dylib + 49600) [0x1e1a591c0]
  30  ??? (libdispatch.dylib + 46360) [0x1e1a58518]
  30  ??? (libdispatch.dylib + 136524) [0x1e1a6e54c]
  30  ??? (libdispatch.dylib + 46360) [0x1e1a58518]
  30  ??? (libdispatch.dylib + 133168) [0x1e1a6d830]
  30  ??? (libdispatch.dylib + 16456) [0x1e1a51048]
  30  ??? (libxpc.dylib + 72652) [0x227d91bcc]
  30  ??? (libxpc.dylib + 71580) [0x227d9179c]
  30  ??? (Foundation + 6599156) [0x1d4e611f4]
  30  ??? (Foundation + 6600584) [0x1d4e61788]
  30  ??? (Foundation + 6594040) [0x1d4e5fdf8]
  30  ??? (Foundation + 711484) [0x1d48c3b3c]
  30  ??? (CoreFoundation + 133916) [0x1da450b1c]
  30  ??? (CoreFoundation + 476852) [0x1da4a46b4]
  30  ??? (ANECompilerService + 106728) [0x10006e0e8]
  30  ??? (libdispatch.dylib + 79220) [0x1e1a60574]
  30  ??? (libdispatch.dylib + 16264) [0x1e1a50f88]
  30  ??? (ANECompilerService + 108084) [0x10006e634]
  30  ??? (ANECompilerService + 104844) [0x10006d98c]
  30  ??? (ANECompilerService + 99644) [0x10006c53c]
  29  ??? (ANECompiler + 1597532) [0x239a1205c]
  29  ??? (ANECompiler + 1603732) [0x239a13894]
  17  ??? (ANECompiler + 3655344) [0x239c086b0]
  17  ??? (ANECompiler + 3154400) [0x239b8e1e0]
  15  ??? (ANECompiler + 3149656) [0x239b8cf58]
  9   ??? (ANECompiler + 3127684) [0x239b87984]
  9   ??? (ANECompiler + 3147156) [0x239b8c594]
  7   ??? (ANECompiler + 3113240) [0x239b84118]
  6   ??? (ANECompiler + 3111264) [0x239b83960]
  6   ??? (ANECompiler + 2186660) [0x239aa1da4]
  6   ??? (ANECompiler + 4384816) [0x239cba830]
  4   ??? (ANECompiler + 2201700) [0x239aa5864]
  3   ??? (ANECompiler + 4386556) [0x239cbaefc]
  1   ??? (ANECompiler + 4386228) [0x239cbadb4]

iPad, iPadOS 16

Posted on Apr 1, 2023 9:57 PM

Reply

Answer 1

Best reply

hechoentexas

Level 1

12 points

May 20, 2023 10:09 PM in response to gravityfed

@gravityfed

You weren't paranoid or in the wrong for asking. Yes, it's compromised. As I have found out the long, torturous and painful way of finding out that Apple will not tell or even confirm if your account is compromised. Nor tell you what devices, telephone numbers, email addresses are attached to your account. ONLY CONFIRM. Plus when you call Apple Support, even a Senior Advisor will only go as far as telling you to wipe aka factory reset. But they will twist it to where it's an error on your part and always answer a question with a question. It's bogus.

Reply

Answer 2

gravityfed Author

Level 1

53 points

Jun 28, 2023 5:19 AM in response to Tom Gewecke

Yes to your question, in fact all my devices are wrong:

I am forced to use modified beta apps, in Googles case, old open source versions. I also have beta versions of Apple architecture like SpringBoard. I am not enrolled in any beta programs and I don’t have TestFlight installed.
My emails are (intermittently) intercepted and replies are spoofed.
My Apple devices connect to other devices, despite this having been turned off (not just in terms it of looking around to see who is nearby which most mobiles do) but literally connecting directly to it via its IP address.
My devices are actively sending and receiving iMessages and FaceTime despite it being disabled.
Siri is recording despite it being disabled.
My location is monitored despite location being disabled.
Numerous triggers have been set up (not by me) to activate, for example when in a vehicle and voice triggers.

They’ve been reset by Apple with no change.

[Edited by Moderator]

Reply

Answer 3

gravityfed Author

Level 1

53 points

May 4, 2023 4:47 AM in response to Wattermellon

@Wattermellon

I have some further information, ANECompilerService is apparently a process that runs on Apple products with Adobe Creative Suite installed. ANE stands for Adobe Native Extensions which developers code for Adobe AIR applications. ANE files are libraries of native code, ANECompilerService compiles the code into an executable format. When there is an issue with the ANE compilation it may create a log entry, which is what we have found on our devices.

So, it’s a legitimate process, albeit an executable so worth keeping an eye on, HOWEVER, if you do NOT have Adobe AIR applications installed then it’s highly like either you have malware or an active exploit is using the compiler to execute code.

In my case, it has never had Adobe on the iPad (or my iPhone which it is also on). My compiler was accessing libcommonCrypto.dylib which is a cryptographic function for encryption, decryption etc and this is not something that ANECompilerService should be accessing along with other security processes. At the time of the crash it was using several system libraries and system level components. There was also the issue that the check for a root certificate failed or was invalid.

I also found evidence in other logs of security violations on the iPad. I also have a compromised MacbookPro and Mac mini (which has now been confirmed) which were both interacting with all of our iPads (also confirmed) even though they have different Adobe IDs for some devices.

The bad news is, if your appearance of the log is not for a legitimate reason then it may be impossible to get rid of, for me, Apple Store performed a full reset and it hasn’t gone away. The lastest security update which came out yesterday also did not make a difference. I run the iPad in lockdown mode but that hasn’t made any difference, they have altered the operating system.

I am waiting to hear back what the next steps are.

Reply

Answer 4

gravityfed Author

Level 1

53 points

Jun 26, 2023 12:31 AM in response to zenafromlancaster

@zenafromlancaster

From my investigation this has become a very sophisticated operation stemming from an exploit which allows an attacker to gain kernel privileges.

You know it’s bad when your SpringBoard on your iPad is a modified beta version.

Command:          SpringBoard
Path:             /System/Library/CoreServices/SpringBoard.app/SpringBoard
Identifier:       com.apple.springboard
Version:          1.0 (50)
Is First Party:   Yes
Beta Identifier:  XXXXXXXX-XXXX-XXXX-XXXX-4AC737AC4784
Resource Coalition ID: 9
Architecture:     arm64e
Parent:           launchd [1]
PID:              31

Event:            disk writes
Action taken:     none
Writes:           1073.77 MB of file backed memory dirtied over 54242 seconds (19.80 KB per second average), exceeding limit of 12.43 KB per second over 86400 seconds
Writes limit:     1073.74 MB
Limit duration:   86400s
Writes caused:    1073.77 MB
Writes duration:  54242s
Duration:         54241.79s
Duration Sampled: 54232.25s
Steps:            285 (10.49 MB/step)

Reply

Answer 5

Tom Gewecke

Level 10

115,940 points

Jun 26, 2023 6:04 AM in response to gravityfed

gravityfed wrote:

I have since found it is part of the Apple Neural Engine, as I found a full path in my log.

Yes, good to hear you have found what was in line 12 of the log in your first post on April 1.

Is there actually anything wrong with your own device?

Reply

Answer 6

May 27, 2023 9:44 AM in response to gravityfed

I have the same issue. How do I remove it? I’ve restored my phone to factory I can’t seem to get it off. Not sure what this means but it seems like someone has total control of my phone.

Reply

Answer 7

gravityfed Author

Level 1

53 points

Apr 25, 2023 3:19 PM in response to gravityfed

Just following up for anyone also looking into these logs on their device. I discovered it is exploit CVE-2022-46689 which has been used to gain root privileges to my MacBook Pro, Mac Mini, iPhone and all our iPads (and wifi, security camera access). This exploit will allow someone to silently control your devices whilst sending your data to its servers. Unfortunately the problem persists regardless of patches/updates and re-installs.

Reply

Answer 8

gravityfed Author

Level 1

53 points

Sep 19, 2023 11:56 AM in response to gravityfed

Our computers and devices are currently under the control of an unknown attacker, so this information relates to my initial enquiry as to what ANECompilerService was for others seeking information. These are legitimate Apple services being misused. We are not enrolled in an Apple developer or beta program and the devices have always been kept updated and in lockdown mode since purchase.

ANECompilerService appears to be related to developer activities. It has been observed compiling unknown code both on macOS and iOS alongside kernel, triald, Trial, mediaanalysisd and PegasusKit in the forms of aned, _ANEServer, Espresso, ANECompiler, ANEServices, AppleH11ANEInterface and AppleNeuralEngine.

com.apple.aned

aned

555    0    aned: [com.apple.ane:aned] -[_ANEServer initWithDataVaultDirectory:dataVaultStorageClass:buildVersion:tempDirectory:cloneDirectory:]: dataVaultDirectory=/Library/Caches/com.apple.aned
555    0    aned: [com.apple.ane:aned] -[_ANEServer initWithDataVaultDirectory:dataVaultStorageClass:buildVersion:tempDirectory:cloneDirectory:]: buildSpecificModelStorageDirectory=<private>
555    0    aned: [com.apple.ane:aned] -[_ANEServer initWithDataVaultDirectory:dataVaultStorageClass:buildVersion:tempDirectory:cloneDirectory:]: modelAssetsCacheDirectory=<private>
555    0    aned: [com.apple.ane:aned] -[_ANEServer initWithDataVaultDirectory:dataVaultStorageClass:buildVersion:tempDirectory:cloneDirectory:]: inMemoryModelCacheDirectory=<private>
555    0    aned: [com.apple.ane:aned] -[_ANEServer initWithDataVaultDirectory:dataVaultStorageClass:buildVersion:tempDirectory:cloneDirectory:]: tempDirectory=<private>
555    0    aned: [com.apple.ane:aned] -[_ANEServer initWithDataVaultDirectory:dataVaultStorageClass:buildVersion:tempDirectory:cloneDirectory:]: cloneDirectory=<private>
555    0    aned: [com.apple.ane:aned] Ready to accept restricted and unrestricted XPC connections
555    0    aned: [com.apple.ane:aned] <private>: SecTaskCopyTeamIdentifier() returned teamIdentity=""
555    0    aned: [com.apple.ane:aned] <private>: SecTaskCopySigningIdentifier() returned csIdentity="<private>"
557    0    ANECompilerService: (Espresso) [com.apple.espresso:espresso] Creating context XXXXXXXX04 eng=10008 dev=-1
557    0    ANECompilerService: (Espresso) [com.apple.espresso:espresso] Creating plan XXXXXXXX20
557    0    ANECompilerService: (Espresso) [com.apple.espresso:espresso] Creating plan XXXXXXXX20
557    0    ANECompilerService: (Espresso) [com.apple.espresso:espresso] espresso_plan_add_network plan=XXXXXXXX20 path=<private> cp=65568
557    0    ANECompilerService: (Espresso) [com.apple.espresso:espresso] Loaded network: '<private>' pf=10008 cp=0
557    0    ANECompilerService: (Espresso) [com.apple.espresso:espresso] espresso_plan_add_network plan=XXXXXXXX20 path=<private> cp=65568 Completed
557    0    ANECompilerService: (Espresso) [com.apple.espresso:espresso] Destroying plan XXXXXXXX20
557    0    ANECompilerService: (Espresso) [com.apple.espresso:espresso] Destroying context XXXXXXXX04
557    0    ANECompilerService: (ANECompiler) ANEC Compiler Input used legacy key names 'NetworkPlistName' 'NetworkPlistPath' - please update to use 'NetworkSourceFileName' 'NetworkSourcePath'
...
557    0    ANECompilerService: [com.apple.ane:compiler] <private>: SUCCESS: model=<private> : output=<private> : lAttr=<private> : lErr=(nil)
555    0    aned: [com.apple.ane:aned] Compilation success: attr=<private>
555    0    aned: [com.apple.ane:aned] END: <private>: <private> : <private> : <private>

ANEStorageMaintainer is also developer related with an ANEVirtualClient:

ANEStorageMaintainer

com.apple.private.ANEStorageMaintainer

ANEStorageMaintainer

The main signs include iOS logs that have a Beta Indentifier number. This is found at the top of logs where apps installed are referenced.

Beta Identifier:  XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Additionally, there will be the mention of titles like "legacyInfo", "trialInfo", "rollouts", "rolloutId", "factorPackIds", "deploymentId". As well as "experiment" information towards the bottom of some logs with some of these titles: "treatmentId", "experimentId", "deploymentId".

On macOS you can capture logs in the Terminal.app (a good time is immediately after startup) using the command:

sudo log show --info --debug  --last 2m

Please don’t bother replying with negativity. Users have a right to enquire when they feel something is not right on their tech, those responses are unhelpful and frankly, tiresome.

Reply

Answer 9

Jan 22, 2024 6:48 AM in response to gravityfed

You device is using a service call mdm. ( mobile device management) some one is harrassing you. Look up on Apple support , Apple supplies all the tools to allow anyone with your cereal number to crest a school, business , or what ever account which uses your google account ( workspaces , and then gives the person full control of your device . They monitor everything on your phone and you have no control , the modify apps and restrict you from getting a normal phone. Search device management.. it’s a nightmare to put it lightly . They need no passwords , Apple supplies login tokens , do can’t bother changing passwords ..

https://support.apple.com/kb/index?q=mdm&src=globalnav_support&type=organic&page=search&locale=en_US

start here and read on … you will never get control of your device ..

mall the criminal has to do is send you a text with a photo and load it with JavaScript callback code from GitHub or whatever and get all info off your device and set up this great monitoring tool to basically distort your life … support has no idea and will deny any and all information or knowledge ..

Reply

Answer 10

Wtfjay

Level 1

8 points

Aug 16, 2023 12:38 AM in response to gravityfed

Wow I thought I was being followed or something weird what I was reading that data on my phone… I’m not feeling this data collection **** these phone companies are doing and or allowing!

Reply

Answer 11

Aug 16, 2023 6:14 AM in response to Wtfjay

Wtfjay wrote:

Wow I thought I was being followed or something weird what I was reading that data on my phone… I’m not feeling this data collection **** these phone companies are doing and or allowing!

Yes, your cellular carrier collects a lot of data on your phone usage and your location. But that has nothing to do with Apple.

Reply

Answer 12

Dec 26, 2023 5:01 AM in response to gravityfed

I have all of the same issues with privacy my phone has a mind of its own! It’s always got the camera and microphone on! I’m unable to access iCloud haven’t been able to for months and now since the last update I can’t do the security checks either!

Private relay gets turned off, settings are changed daily and family sharing gets turned on!

every thing points to me having key chain yet I’ve never used it, i have money being spent on my Apple ID that isn’t me , I had advanced data protection on for months and every time I tried turning it off I’d just get an email saying I had just turned it on!

its very confusing I could go on about this for hours but I choose not to on here but honestly what is going on it’s really starting to send me insane trying to keep my identity in check!

i have emails being encrypted my tax was was updated and more! I’ve changed phones, bank accounts Apple IDs and now when I read what you’re saying and I check my analytic logs I have all the same logs!

i have some developer apps under accessibility that I was told shouldn’t be there and I have interactions made on the support app that aren’t from me! I’m at a loss as to what I’m meant to do or think anymore as it doesn’t seem to make any difference as to what I do the phone iPhone 13 just seems to work against me as opposed to work for me! I had the same issue with my android phone but it was a lot simpler as I could see the other device in my settings what or how are you meant to know with iPhone?

my settings always show just me until I do an update or the safety check where it will every now and again reveal other devices!

Reply

Answer 13

Dec 29, 2023 3:36 AM in response to gravityfed

I’m so glad I finally found these posts! I’m litterally going insane and looking like and *** at the same time upon boot using the teminal command you provided look similar as well looking at my keychain there are Kerberos login tokens and as well my logs show verbiage about single sing on and my brand new user account. I was able to Open Directory utility app and delete all the users but about the time I finished I was both locked out of changing root password as well I tried to run the log command once more to be met with sudo command not found which is on par with this hack I’m disabled and the system used as a weapon against me the owner/user. Any device that has an ip address ie CCTV overtaken, Sonos speakers, smart tv’s the microphones open and can hear “hushing” etc in the background. Trace route shows all my internet traffic routed through the same set of IP’s and 100% of packets lost on the first hop which is loopback and then routed out to these criminals. Firewall will be flooded with outside connections all through legitimate or it appears at lease apple services ie remoted 85 connections and the list goes on and is ever changing as I block each service at about that time my firewall application is disabled and double signin starts and they get into my sonic wall and disable it and allow their internet highway of ipv6 connections to silently flood my machine. Shoot I’m seriously lost at the same time relieved I found your post! And while we maybe experiencing different vector of compromise it’s all same in the fact it’s every apple device I own as well as a brand new MacBook that was overtaken in minutes of boot I’m assuming my local network? I dunno however I did see in /library/preferences plist file indicating my name and most apple services in guessing in search of all apple accounts? Thanks for the post I’ll keep my eye to see where this goes! Thx

Reply

Answer 14

gravityfed Author

Level 1

53 points

Apr 5, 2023 5:44 AM in response to LotusPilot

Thanks LotusPilot, it updated to 16.4 and I reset again using:

Settings > General > Transfer or Reset iPad > Erase All Content and Settings

Didn't use any backups and didn't install any apps, same logs appeared along with a new one same as above but with iPadOS 16.4

I guess it'll stay a mystery.

Reply

Answer 15

LM-OB

Level 1

8 points

May 24, 2023 9:12 PM in response to gravityfed

I have the same problem. Adobe not installed on my device either. I have 215 stacks data, of which up to 20 of these logs have been recorded in only one day. The advanced technicians at Apple Support keep trying to convince me this is ‘normal’ but of course it isn’t because the start of the log states “roots installed”.

Plus, the trust certificates are mostly root certificates of which most are not even extended validation certified.

I have apps on my device with software covered by licences with descriptions such as folly, experimental and test.

Maybe my IMSI (individual mobile subscriber identity) was accessed and test apps from an alternative App Store such as “Test Flight”.

I don’t know anything anymore, I’m losing the will to live. Honestly, this is awful because it affects ALL of your devices!!

Reply

ANECompilerService

Similar questions