
XNU-Darwin Malware

Ok… So my phone started acting up 5 months ago. I threw it into Lockdown Mode. Yet somehow I could not break a shared connection with “something”. I kept noticing “uninstalled apps” data usage getting larger and larger (300MB a day). Then I had a mysterious video show up in “Files”. Considering I was well aware that something was already wrong, I played the video. It was LITERALLY a screen recording of ANOTHER screen viewing MY screen. I installed a terminal and began investigating. This went on for about a month. It seemed that every time I found a way into the locked down files, “they” (idk who or what it is so I am saying they) would force me into doing a restore or crash the phone where I had to restore anyway. I contacted Apple via phone. They were no help. So I paid for a developer account for the beta build to try some unreleased security updates. NOPE. I finally called Apple back defeated. The lady kept talking to me like I had no clue how Apple OS systems worked (fine). I explained everything the best I could via the phone. She kept asking me why I thought it wasn’t a part of iOS. Finally I got rude with her because I was running out of time. (“They” had burned 2 SIM cards, disconnected calls to anyone I was talking to about the problems I was having, deleted files, turned off my cell antenna and activated SOS mode, and were still installing and connecting.) My co-workers and family have witnessed these things for themselves.

MacBook Air 13″, macOS 12.6

Posted on May 30, 2023 7:48 AM

Question marked as Top-ranking reply

Posted on Jul 22, 2023 11:57 AM

There is an active exploit in iOS and macOS which allows someone to act in developer mode. I don’t think it is from XNU, but is an exploit in triald. Using a combination of triald, embedded speech Siri commands and (evidence suggests) Firebase App Attest, it can remotely control a computer or iOS device. A similar exploit is currently also active on Android, ChromeOS, HomePods and Chromecast.


These methods enable someone to load modified beta apps to your device as well as freely record video/audio and take screenshots. Lockdown is useless as they circumvent it by adding a fake contact into the address book and silently enabling FaceTime and iMessage. Bluetooth, Wi-Fi, tethering and Continuity/Handoff are also enabled regardless of whether you have them switched off.


What you experienced probably came from replayd which can also be activated remotely.


ReplayKit security in iOS and iPadOS – Apple Support (AU)

ReplayKit | Apple Developer Documentation


replayd: replayd Starting!
replayd: RPConnectionManager: RPDaemonRun:
replayd: (UserNotifications) [com.apple.UserNotifications:Connections] [com.apple.ReplayKitNotifications] Creating a user notification center
replayd: _srSetupTempDirectory
replayd:  [INFO] -[SCContentSharingSessionService listener:shouldAcceptNewConnection:]:205 New connection from pid=387 isNotification=1


As for the SIM cards, yep they have that covered too.


CommCenter: [com.apple.CommCenter:DATA.iRatClient.1] #I register with server: <private>
CommCenter: [com.apple.CommCenter:DATA.Connection.DataTest.1] #I checkActivateConnection: change = false activate = false state = kDataConnectionStateIdle fIsActivatingAccrossSimSwap = 0


Unfortunately it really doesn’t matter what brand you switch to. They pretty much infect everything you have, devices and files. Until someone finds the cure, we are their captives. The alternative is to live offline :(



Sep 27, 2023 5:15 AM in response to IdrisSeabright

Some further events:


mobileactivationd: (libMobileGestalt.dylib) No persisted cache on this platform.
mobileactivationd: (libMobileGestalt.dylib) Property avd[ads-present] found <private>
mobileactivationd: [com.apple.mobileactivationd:daemon] Internal Build: false
mobileactivationd: [com.apple.mobileactivationd:daemon] Hardware Model: J274AP
mobileactivationd: [com.apple.mobileactivationd:daemon] Should Hactivate: false
mobileactivationd: [com.apple.mobileactivationd:daemon] FPGA: false
mobileactivationd: [com.apple.mobileactivationd:daemon] Dev-fused Undemoted: false
mobileactivationd: [com.apple.mobileactivationd:daemon] Prod-fused Demoted: false
mobileactivationd: [com.apple.mobileactivationd:daemon] Activation State: Activated


ContextStoreAgent: (CoreDuet) Simulating crash. Reason: <private>
SoftwareUpdateNotificationManager: (SoftwareUpdateCoreSupport) [com.apple.su:SU] [SIMULATE] DISPATCH: created simulate dispatch queue domain(com.apple.su.core.simulate)
mobileassetd: (SoftwareUpdateCoreSupport) [com.apple.su:SU] [SIMULATE] DISPATCH: created simulate dispatch queue domain(com.apple.MAAuto.core.simulate)
Installer Progress: (AE) [com.apple.appleevents:main] aeGenerateFakeFirstOAPPEventIfNecessary(), needToCreateFakeOAPPEventIfFirstEvent == true
talagent: [com.apple.talagent:log] - -: Finder not yet launched, but pretending it is
CommCenter: [com.apple.CommCenter:rm] #I Pretending that NoBB Radio is on. fNoBBAirplaneMode false  fWiFiAvailable true


appstoreagent: (PlugInKit) [com.apple.PlugInKit:discovery] [d <private>] <PKHost:0x******6f0> Query: {
    NSExtensionIdentifier = "com.apple.TestFlight.ServiceExtension";
    NSExtensionPointName = "com.apple.appstored-services.testflight";
}
appstoreagent: [com.apple.appstored:General] [AgentRunLoop]: Starting TestFlightFeedback service


apsd: [com.apple.apsd:connectionServer] <private>: Initializing connection server with environmentName 'development' and connectionPortName '<private>'
apsd: [com.apple.apsd:courier] <private>: Logging user with uid <private> into environment development
apsd: [com.apple.apsd:daemon] Unknown environment '<private>'
itunescloudd: (ApplePushService) [com.apple.apsd:connection] Initializing APSConnection <private>: env=demo port=com.apple.aps.itunescloudd darkWakeEnabled=YES queue=<private>
itunescloudd: (ApplePushService) [com.apple.apsd:connection] Illegal attempt to use port com.apple.aps.itunescloudd with environment 'demo' when already used for '<private>'


kernel: attempting to load 2 external trust cache modules
kernel: loaded external trust cache module: 0
kernel: loaded external trust cache module: 1
kernel: completed loading external trust cache modules
kernel: initialized XNU provisioning profile data
kernel: initialized PPL provisioning profile data
kernel: (FairPlayIOKit) Warning: arc4random not implemented
kernel: (InvalidateHmac) Beginning SIO HMAC invalidation...
kernel: (InvalidateHmac) SIO HMAC invalidation config = 0
kernel: (InvalidateHmac) Finished SIO HMAC invalidation.
kernel: (AppleMobileFileIntegrity) AMFI: developer mode is force enabled on this platform


There is an agent AppleQEMUGuestAgent with the following plist.


Reinstalling is a waste of time. Apple have also tried. The system also finds a number of 'exceptions' thus nullifying the objective of a fresh install (reinstalling from macOS on an external drive). It also documents the skipping of various disks.



Information is found in the shared memory with a seed number that is deemed as still valid. The system then uses that cached information. A fresh reinstall does not actually fully remove data from the system.


Unauthorised use of Continuity:

ContinuityCaptureAgent: ContinuityCaptureAgent, start
<key>/System/Library/Frameworks/CoreMediaIO.framework/Resources/iOSScreenCapture.plugin/Contents/Resources/iOSScreenCaptureAssistant</key>


imagent misbehaving:


The options for FaceTime, iMessage and Messages/SMS are deactivated and the devices are in Apple's Lockdown Mode. 'Changing SMS Push Hander Regiration State to: YES' and 'lockdown passThrought handler for command' indicate imagent is likely to be an imposter.


There's also plenty more not of our doing. It’s also active on many other people’s Apple tech.


Sep 19, 2023 9:06 AM in response to IdrisSeabright

triald is legitimate, but has been misused and employed to push experiments (along with geod) onto nearby iOS devices and machines adopted by TrustedPeersHelper. Siri is also used by triald (and others).


Permission restrictions are circumvented using the adoption of ‘personas’ and vouchers from a ‘personaVocuherDictionary’.


usermanagerd: [com.apple.usermanagerd:legacy] setup kernel personas
usermanagerd: [com.apple.usermanagerd:legacy] Started and loaded Personas Successfully
usermanagerd: [com.apple.usermanagerd:legacy] Allocated kernel persona with ID: 1001


It seems ‘Pegasus’ is no longer confined to specific targets, nor only to iOS.


Observed activity includes:

- System modification, shared memory interference.

- Very detailed statistics.

- Remote recording of audio and video.

- Screenshots, screen recording, mirroring and virtual monitor.

- Call monitoring: voice call listening, conference and multi-way, call interception, impersonation, call redirection and termination.

- SMS, FaceTime message and iMessage interception and impersonation.

- Sophisticated location monitoring, evidence of CarPlay interference and GPS tracking.

- There is the initial bulk migration of all folders. Copies of recent files are extracted. Files are modified and can be deleted.

- Existing and new files are injected with binary data, some types with executables.

- Contact address book monitoring and any close contacts are also compromised.

- Email hijacking: monitoring, impersonation, interception and removal of emails. Emails are routed through another server.

- Pasteboard hijack.

- Bluetooth and WiFi hijacking.

- Overriding of user settings.

- Modification of apps.


M1 Macs modified by attackers to dual boot iOS on Mac with fake provisioning profile credentials.


kernel: initialized XNU provisioning profile data
kernel: initialized PPL provisioning profile data
kernel: attempting to load 2 external trust cache modules
kernel: loaded external trust cache module: 0
kernel: loaded external trust cache module: 1
kernel: completed loading external trust cache modules
kernel: CTRR (MMU) Begin: 0x803600000 End: 0x807a23fff, setting lockdown
kernel: (InvalidateHmac) Beginning SIO HMAC invalidation...
kernel: (InvalidateHmac) SIO HMAC invalidation config = 0
kernel: (InvalidateHmac) Finished SIO HMAC invalidation.
kernel: (FairPlayIOKit) Warning: arc4random not implemented
kernel: (AppleARMPlatform) AppleARMBootPerf: Warning: profile->magic (0x42545244) != 'BTRC'
kernel: (AppleMobileFileIntegrity) AMFI: developer mode is force enabled on this platform
kernel: (AppleEmbeddedSimpleSPINORFlasherDriver) virtual bool AppleEmbeddedSimpleSPINORFlasherDriver::start(IOService *): dual-iboot-support = true


The end objective appears to be intel-data collection for use in scams.


Sep 19, 2023 11:19 AM in response to gravityfed

Pure baloney.

It seems ‘Pegasus’ is no longer confined to specific targets, and on only iOS.

No one who can afford Pegasus will blindly use it against just anyone. It costs $500,000 to set up, and another $560,000 for 16 attacks. And no, it is not iOS only. It's also able to be used on Android phones.

M1 Macs modified by attackers to dual boot iOS on Mac with fake provisioning profile credentials.

Read it again. It says (IOService *), not iOS. That means Input Output Service. Not to mention Macs don't run iOS. It's macOS.


Sep 27, 2023 4:10 AM in response to IdrisSeabright


IdrisSeabright wrote:

You still haven't provided any documentation. All I see is your speculation.

That is because there is a character limit and the inability to post external links. However, some further information is posted here on this post.


Taunt all you like, the point of speculation has been surpassed by the evidence itself.


Jun 1, 2023 2:34 AM in response to Mac Jim ID

1) Yes it is, no I didn’t do it.

2) Settings/Cellular/Cellular Data: uninstalled data. (Reset the statistics daily to make sure.)

3) The date was around February 17th (that’s when it got the worst). It was deleted in the phone wipe at Apple.

4) Unfortunately no. I later discovered that I was being proxied to an alternate cloud server and that was the location of the drops, so I was not able to view the video again after I watched it the first time.

5) My phone only crashed one time. It wouldn’t boot. I ended up recovering via MacBook and beta iOS. However my file system changes often depending on what I snoop in and start changing.

6) I am viewing shared files from the file content itself. /bin/busybox:bbconfig , /srv , /etc/network

7) I installed an app from the store. I did not get this app until the end of March. It is the only one that would bypass the blocks and denies that were set into place.




Jun 1, 2023 8:39 AM in response to Ky_Panda

The member at the Apple Store should have warned you they do not make any backups before restoring a device. It's up to the user to save their data to another drive or device before bringing it in.


You don't mention the phone being jailbroken (that I can see), but if it is, that's a guaranteed way to make a complete mess of your device. Doing so completely defeats the purpose and design of Apple's OS to make the device as immune to malware as possible.


Apple will not touch a jailbroken device. You must clean this up yourself.


Manually make any backups of your contacts and photos to another drive. DO NOT create a backup to restore after the following since that will also restore the jailbreak software.


1. Open Settings on the phone and navigate to Your name / Find My. Turn Find My off.


2. Connect your iPhone to the computer and unlock it to the phone's desktop (your six digit code). Open a new folder on the Mac with Command+N. Select your device in the left column.


3. Click on the Restore iPhone… button. You may need to confirm. If so, click ‘Restore’ again.



4. Once the reset is complete, the iPhone will automatically restart. You’ll see the Hello screen, and you can then follow the on screen prompts to set up your iPhone as new.


Jul 24, 2023 9:04 AM in response to gravityfed

gravityfed wrote:

There is an active exploit in iOS and macOS which allows someone to act in developer mode. I don’t think it is from XNU, but is an exploit in triald. Using a combination of triald, embedded speech Siri commands and (evidence suggests) Firebase App Attest, it can remotely control a computer or iOS device. A similar exploit is currently also active on Android, ChromeOS, HomePods and Chromecast.

Can you provide links to information about this exploit?


All of the links in your post are to legitimate processes. Triald is also a legitimate process.



May 30, 2023 8:22 AM in response to Ky_Panda

So we know that XNU is the Kernel extension of the Darwin UNIX based operating system that runs both the Mac and iPhone and is not Malware. We are all going to need more info on where you are seeing the problems.

  • Is the iPhone jailbroken?
  • Where are you seeing "Uninstalled Apps" data usage of 300MB/day?
  • Do you know the date of the Screen Recording in the Files Folder?
  • Are you able to view the MetaData of the Screen Recording in Photos?
  • What files did you find a way into that crashed your phone?
  • Where are you viewing a shared connection with "something"?
  • What process did you use to install a "terminal"?

Jun 1, 2023 2:37 AM in response to Mac Jim ID

I have a compressed file of the system settings that were overwritten by software they used. I have thousands of screenshots I have been able to hang on to using various methods (lesson learned when the Apple Store would not take a copy of anything I had at the start of this and wiped my phone and evidence too).


Jun 1, 2023 6:25 AM in response to Ky_Panda

Unfortunately, since your device is Jailbroken, it is very likely that you do have malware. Bad actors are able to listen to you through the microphone, take pictures, record video (without the camera light on), alter system files, monitor your location, send fake messages to your friends and family gained through your Contacts, and much more.


Cydia is a cesspool of malware if you have downloaded any apps from that platform. Apps with legitimate names will likely have a trojan attached that you will not be able to get rid of. They will partition the drive, so even a clean install cannot remove them. In addition to Cydia, apps can be installed just by being redirected to a website without any action by you to install them.


I'm sorry, but there is nothing anyone can do here to return your phone to operate in a safe environment.


Jun 1, 2023 2:18 PM in response to Kurt Lang

I know I didn’t mention it. Because I didn’t do it. I bought the phone brand new. I know better than to jailbreak an iPhone due to the security flaws it brings with it. I did not authorize this software being installed. It’s a long story that leads to my device being in this state, but to sum it up: I was helping a friend with their slow Android, discovered it had a netbootloader installed from a honeypot slots app, attempted to remove it and triggered a watchdog alert. The infiltrator became aware and active. When I disabled the second UI the main one was uncovered and I saw what was going on. The camera started and it snapped a screenshot of my face. I pulled the battery instantly. Went home and two days later woke up to my phone hacked.


Jun 1, 2023 3:57 PM in response to Ky_Panda

Did you try to Restore from Kurt Lang's post? You will lose your data as you won't want to Restore from a Backup, but at this point, you need your secure phone back. If this does not work, you may have to try the DFU Restore here: DFU Restore Info


The DFU Restore takes a bit to get the key sequence right, but the article should help. Also, be warned there is the possibility it may fail and also potentially brick your phone depending on if the system has been altered in a way to prevent this action. You will need a computer and can use a Finder window if it is running Catalina or newer.


Jun 1, 2023 5:04 PM in response to Ky_Panda

Even if what you describe is true, it's extremely unlikely anything that happened on the Android phone has anything to do with your phone.


It would take odds of enormous improbability for the Android's camera to take your photo, send it to the hacker who took over that phone, manage to find a match of your face online to that photo, manage to match your name to that photo, and then against even more insurmountable odds, somehow discover from that both your Apple ID and password.


In short, someone got into your account, but it wasn't from the Android phone taking your picture.


Sep 27, 2023 8:09 AM in response to gravityfed

gravityfed wrote:

Reinstalling is a waste of time. Apple have also tried. The system also finds a number of 'exceptions' thus nullifying the objective of a fresh install (reinstalling from macOS on an external drive). It also documents the skipping of various disks.


You will want to continue your discussions directly with Apple Support, and potentially with Apple Security, then.


With Lockdown enabled, various service failures are to be expected.
