
XNU-Darwin Malware

Ok… So my phone started acting up 5 months ago. I threw it into Lockdown Mode. Yet somehow I could not break a shared connection with ?something¿. I kept noticing “uninstalled apps” data usage getting larger and larger (300 MB a day). Then I had a mysterious video show up in “Files”. Considering I was well aware that something was already wrong, I played the video. It was LITERALLY a screen recording of ANOTHER screen viewing MY screen. I installed a terminal and began investigating. This went on for about a month. It seemed that every time I found a way into the locked-down files, “they” (idk who or what it is, so I am saying they) would force me into doing a restore or crash the phone so that I had to restore anyway. I contacted Apple via phone. They were no help. So I paid for a developer account for the beta build to try some unreleased security updates. NOPE. I finally called Apple back, defeated. The lady kept talking to me like I had no clue how Apple OS systems worked (fine). I explained everything the best I could via the phone. She kept asking me why I thought it wasn’t a part of iOS. Finally I got rude with her because I was running out of time. (“They had burned 2 SIM cards, disconnected calls to anyone I was talking to about the problems I was having, deleted files, turned off my cell antenna and activated SOS mode, and were still installing and connecting.”) My co-workers and family have witnessed these things for themselves.

MacBook Air 13″, macOS 12.6

Posted on May 30, 2023 7:48 AM

Question marked as Top-ranking reply

Posted on Jul 22, 2023 11:57 AM

There is an active exploit in iOS and macOS which allows someone to act in developer mode. I don’t think it is from XNU, but is an exploit in triald. Using a combination of triald, embedded speech Siri commands and (evidence suggests) Firebase App Attest, it can remotely control a computer or iOS device. A similar exploit is currently also active on Android, ChromeOS, HomePods and Chromecast.


These methods enable someone to load modified beta apps to your device as well as freely record video/audio and take screenshots. Lockdown is useless as they circumvent it by adding a fake contact into the address book and silently enable FaceTime and iMessage. Bluetooth, wifi, tethering and continuity/handoff are also enabled regardless of whether you have them switched off.


What you experienced probably came from replayd which can also be activated remotely.


ReplayKit security in iOS and iPadOS – Apple Support (AU)

ReplayKit | Apple Developer Documentation


replayd: replayd Starting!
replayd: RPConnectionManager: RPDaemonRun:
replayd: (UserNotifications) [com.apple.UserNotifications:Connections] [com.apple.ReplayKitNotifications] Creating a user notification center
replayd: _srSetupTempDirectory
replayd:  [INFO] -[SCContentSharingSessionService listener:shouldAcceptNewConnection:]:205 New connection from pid=387 isNotification=1


As for the SIM cards, yep they have that covered too.


CommCenter: [com.apple.CommCenter:DATA.iRatClient.1] #I register with server: <private>
CommCenter: [com.apple.CommCenter:DATA.Connection.DataTest.1] #I checkActivateConnection: change = false activate = false state = kDataConnectionStateIdle fIsActivatingAccrossSimSwap = 0


Unfortunately, it really doesn’t matter what brand you switch to. They pretty much infect everything you have, devices and files. Until someone finds the cure, we are their captives. The alternative is to live offline :(

