XNU-Darwin Malware

There is an active exploit in iOS and macOS which allows someone to act in developer mode. I don’t think it is from XNU, but is an exploit in triald. Using a combination of triald, embedded speech Siri commands and (evidence suggests) Firebase App Attest, it can remotely control a computer or iOS device. A similar exploit is currently also active on Android, ChromeOS, HomePods and Chromecast.

These methods enable someone to load modified beta apps to your device as well as freely record video/audio and take screenshots. Lockdown is useless as they circumvent it by adding a fake contact into the address book and silently enable FaceTime and iMessage. Bluetooth, wifi, tethering and continuity/handoff are also enabled regardless of whether you have them switched off.

What you experienced probably came from replayd which can also be activated remotely.

ReplayKit security in iOS and iPadOS – Apple Support (AU)

ReplayKit | Apple Developer Documentation

replayd: replayd Starting!
replayd: RPConnectionManager: RPDaemonRun:
replayd: (UserNotifications) [com.apple.UserNotifications:Connections] [com.apple.ReplayKitNotifications] Creating a user notification center
replayd: _srSetupTempDirectory
replayd:  [INFO] -[SCContentSharingSessionService listener:shouldAcceptNewConnection:]:205 New connection from pid=387 isNotification=1

As for the SIM cards, yep they have that covered too.

CommCenter: [com.apple.CommCenter:DATA.iRatClient.1] #I register with server: <private>
CommCenter: [com.apple.CommCenter:DATA.Connection.DataTest.1] #I checkActivateConnection: change = false activate = false state = kDataConnectionStateIdle fIsActivatingAccrossSimSwap = 0

Unfortunately it really doesn’t matter what brand you switch too. They pretty much infect everything you have, devices and files. Until someone finds the cure, we are their captives. The alternative is to live offline :(

Some further events:

mobileactivationd: (libMobileGestalt.dylib) No persisted cache on this platform.
mobileactivationd: (libMobileGestalt.dylib) Property avd[ads-present] found <private>
mobileactivationd: [com.apple.mobileactivationd:daemon] Internal Build: false
mobileactivationd: [com.apple.mobileactivationd:daemon] Hardware Model: J274AP
mobileactivationd: [com.apple.mobileactivationd:daemon] Should Hactivate: false
mobileactivationd: [com.apple.mobileactivationd:daemon] FPGA: false
mobileactivationd: [com.apple.mobileactivationd:daemon] Dev-fused Undemoted: false
mobileactivationd: [com.apple.mobileactivationd:daemon] Prod-fused Demoted: false
mobileactivationd: [com.apple.mobileactivationd:daemon] Activation State: Activated

ContextStoreAgent: (CoreDuet) Simulating crash. Reason: <private>
SoftwareUpdateNotificationManager: (SoftwareUpdateCoreSupport) [com.apple.su:SU] [SIMULATE] DISPATCH: created simulate dispatch queue domain(com.apple.su.core.simulate)
mobileassetd: (SoftwareUpdateCoreSupport) [com.apple.su:SU] [SIMULATE] DISPATCH: created simulate dispatch queue domain(com.apple.MAAuto.core.simulate)
Installer Progress: (AE) [com.apple.appleevents:main] aeGenerateFakeFirstOAPPEventIfNecessary(), needToCreateFakeOAPPEventIfFirstEvent == true
talagent: [com.apple.talagent:log] - -: Finder not yet launched, but pretending it is
CommCenter: [com.apple.CommCenter:rm] #I Pretending that NoBB Radio is on. fNoBBAirplaneMode false  fWiFiAvailable true

appstoreagent: (PlugInKit) [com.apple.PlugInKit:discovery] [d <private>] <PKHost:0x******6f0> Query: {
    NSExtensionIdentifier = "com.apple.TestFlight.ServiceExtension";
    NSExtensionPointName = "com.apple.appstored-services.testflight";
}
appstoreagent: [com.apple.appstored:General] [AgentRunLoop]: Starting TestFlightFeedback service

apsd: [com.apple.apsd:connectionServer] <private>: Initializing connection server with environmentName 'development' and connectionPortName '<private>'
apsd: [com.apple.apsd:courier] <private>: Logging user with uid <private> into environment development
apsd: [com.apple.apsd:daemon] Unknown environment '<private>'
itunescloudd: (ApplePushService) [com.apple.apsd:connection] Initializing APSConnection <private>: env=demo port=com.apple.aps.itunescloudd darkWakeEnabled=YES queue=<private>
itunescloudd: (ApplePushService) [com.apple.apsd:connection] Illegal attempt to use port com.apple.aps.itunescloudd with environment 'demo' when already used for '<private>'

kernel: attempting to load 2 external trust cache modules
kernel: loaded external trust cache module: 0
kernel: loaded external trust cache module: 1
kernel: completed loading external trust cache modules
kernel: initialized XNU provisioning profile data
kernel: initialized PPL provisioning profile data
kernel: (FairPlayIOKit) Warning: arc4random not implemented
kernel: (InvalidateHmac) Beginning SIO HMAC invalidation...
kernel: (InvalidateHmac) SIO HMAC invalidation config = 0
kernel: (InvalidateHmac) Finished SIO HMAC invalidation.
kernel: (AppleMobileFileIntegrity) AMFI: developer mode is force enabled on this platform

There is an agent AppleQEMUGuestAgent with the following plist.

Reinstalling is a waste of time. Apple have also tried. The system also finds a number of 'exceptions' thus nullifying the objective of a fresh install (reinstalling from macOS on an external drive). It also documents the skipping of various disks.

Information is found in the shared memory with a seed number that is deemed as still valid. The system then uses that cached information. A fresh reinstall does not actually fully remove data from the system.

Unauthorised use of Continuity:

ContinuityCaptureAgent: ContinuityCaptureAgent, start
<key>/System/Library/Frameworks/CoreMediaIO.framework/Resources/iOSScreenCapture.plugin/Contents/Resources/iOSScreenCaptureAssistant</key>

imagent misbehaving:

The options for FaceTime, iMessage and Messages/SMS are deactivated and the devices are in Apples Lockdown Mode. 'Changing SMS Push Hander Regiration State to: YES' and 'lockdown passThrought handler for command' indicates imagent is likely to be an an imposter.

There's also plenty more not of our doing. It’s also active on many other people’s Apple tech.

triald is legitimate, but has been misused and employed to push experiments (along with geod) onto nearby iOS devices and machines adopted by TrustedPeersHelper. Siri is also used by triald (and others).

Permission restrictions are circumvented using the adoption of ‘personas’ and vouchers from a ‘personaVocuherDictionary’.

usermanagerd: [com.apple.usermanagerd:legacy] setup kernel personas
usermanagerd: [com.apple.usermanagerd:legacy] Started and loaded Personas Successfully
usermanagerd: [com.apple.usermanagerd:legacy] Allocated kernel persona with ID: 1001

It seems ‘Pegasus’ is no longer confined to specific targets, and on only iOS.

Observed activity includes:

- System modification, shared memory interference.

- Very detailed statistics.

- Remote recording of audio and video.

- Screenshots, screen recording, mirroring and virtual monitor.

- Call monitoring: voice call listening, conference and multi-way, call interception, impersonation, call redirection and termination.

- SMS, FaceTime message and iMessage interception and impersonation.

- Sophisticated location monitoring, evidence of CarPlay interference and GPS tracking.

- There is the initial bulk migration of all folders. Copies of recent files are extracted. Files are modified and can be deleted.

- Existing and new files are injected with binary data, some types with executables.

- Contact address book monitoring and any close contacts are also compromised.

- Email hijacking: monitoring, impersonation, interception and removal of emails. Emails are routed through another server.

- Pasteboard hijack.

- Bluetooth and WiFi hijacking.

- Overriding of usersettings.

- Modification of apps.

M1 Macs modified by attackers to dual boot iOS on Mac with fake provisioning profile credentials.

kernel: initialized XNU provisioning profile data
kernel: initialized PPL provisioning profile data
kernel: attempting to load 2 external trust cache modules
kernel: loaded external trust cache module: 0
kernel: loaded external trust cache module: 1
kernel: completed loading external trust cache modules
kernel: CTRR (MMU) Begin: 0x803600000 End: 0x807a23fff, setting lockdown
kernel: (InvalidateHmac) Beginning SIO HMAC invalidation...
kernel: (InvalidateHmac) SIO HMAC invalidation config = 0
kernel: (InvalidateHmac) Finished SIO HMAC invalidation.
kernel: (FairPlayIOKit) Warning: arc4random not implemented
kernel: (AppleARMPlatform) AppleARMBootPerf: Warning: profile->magic (0x42545244) != 'BTRC'
kernel: (AppleMobileFileIntegrity) AMFI: developer mode is force enabled on this platform
kernel: (AppleEmbeddedSimpleSPINORFlasherDriver) virtual bool AppleEmbeddedSimpleSPINORFlasherDriver::start(IOService *): dual-iboot-support = true

The end objective appears to be intel-data collection for use in scams.

Pure baloney.

It seems ‘Pegasus’ is no longer confined to specific targets, and on only iOS.

No one who can afford Pegasus will blindly use it against just anyone. It costs $500,000 to setup, and another $560,000 for 16 attacks. And no, it is not iOS only. It's also able to be used on Android phones.

M1 Macs modified by attackers to dual boot iOS on Mac with fake provisioning profile credentials.

Read it again. It says (IOService *), not iOS. That means Input Output Service. Not to mention Macs don't run iOS. It's macOS.

IdrisSeabright wrote:

You still haven't provided any documentation. All I see is your speculation.

That is because there is a character limit and the inability to post external links. However, some further information is posted here on this post.

Taunt all you like, the point of speculation has been surpassed by the evidence itself.

The member at the Apple Store should have warned you they do not make any backups before restoring a device. It's up to the user to save their data to another drive or device before bringing it in.

You don't mention the phone being jailbroken (that I can see), but if it is, that's a guaranteed way to make a complete mess of your device. Doing so completely defeats the purpose and design of Apple's OS to make the device as immune to malware as possible.

Apple will not touch a jailbroken device. You must clean this up yourself.

Manually make any backups of your contacts and photos to another drive. DO NOT create a backup to restore after the following since that will also restore the jailbreak software.

1. Open Settings on the phone and navigate to Your name / Find My. Turn Find My off.

2. Connect your iPhone to the computer and unlock it to the phone's desktop (your six digit code). Open a new folder on the Mac with Command+N. Select your device in the left column.

3. Click on the Restore iPhone… button. You many need to confirm. If so, click ‘Restore’ again.

4. Once the reset is complete, the iPhone will automatically restart. You’ll see the Hello screen, and you can then follow the on screen prompts to set up your iPhone as new.

gravityfed wrote:

There is an active exploit in iOS and macOS which allows someone to act in developer mode. I don’t think it is from XNU, but is an exploit in triald. Using a combination of triald, embedded speech Siri commands and (evidence suggests) Firebase App Attest, it can remotely control a computer or iOS device. A similar exploit is currently also active on Android, ChromeOS, HomePods and Chromecast.

Can you provide links to information about this exploit?

All of the links in your post are to legitimate processes. Triald is also a legitimate process.

So we know that XNU is the Kernel extension of the Darwin UNIX based operating system that runs both the Mac and iPhone and is not Malware. We are all going to need more info on where you are seeing the problems.

• Is the iPhone jailbroken?
• Where are you seeing "Uninstalled Apps" data usage of 300MB/day?
• Do you know the date of the Screen Recording in the Files Folder?
• Are you able to view the MetaData of the Screen Recording in Photos?
• What files did you find a way into that crashed your phone?
• Where are you viewing a shared connection with "something"?
• What process did you use to install a "terminal"?

Unfortunately, since your device is Jailbroken, it is very likely that you do have malware. Bad actors are able to listen to you through the microphone, take pictures, record video (without the camera light on), alter system files, monitor your location, send fake messages to your friends and family gained through your Contacts, and much more.

Cydia is a cesspool of malware if you have downloaded any apps from that platform. Apps with legitimate names will likely have a trojan attached that you will not be able to get rid of. They will partition the drive, so even a clean install cannot remove them. In addition to Cydia, apps can be installed just by being redirected to a website without any action by you to install them.

I'm sorry, but there is nothing anyone can do here to return your phone to operate in a safe environment.

Did you try to Restore from Kurt Lang's post? You will lose your data as you won't want to Restore from a Backup, but at this point, you need your secure phone back. If this does not work, you may have to try the DFU Restore here: DFU Restore Info

The DFU Restore takes a bit to get the key sequence right, but the article should help. Also, be warned there is the possibility it may fail and also potentially brick your phone depending on if the system has been altered in a way to prevent this action. You will need a computer and can use a Finder window if it is running Catalina or newer.

Even if what you describe is true, it's extremely unlikely anything that happened on the Android phone has anything to do with your phone.

It would take odds of enormous improbability for the Android's camera to take your photo, send it to the hacker who took over that phone, manage to find a match of your face online to that photo, manage to match your name to that photo, and then against even more insurmountable odds, somehow discover from that both your Apple ID and password.

In short, someone got into your account, but it wasn't from the Android phone taking your picture.

gravityfed wrote:

Reinstalling is a waste of time. Apple have also tried. The system also finds a number of 'exceptions' thus nullifying the objective of a fresh install (reinstalling from macOS on an external drive). It also documents the skipping of various disks.

You will want to continue your discussions directly with Apple Support, and potentially with Apple Security, then.

With Lockdown enabled, various service failures are to be expected.