Scammed iPhone 13
I have a question regarding the possibility of hacking/remotely accessing/installing spyware/malware on an iPhone 13 Pro.
The perpetrator, the husband during divorce proceedings, has physical access to his wife's previous iPhone 8 (which he appropriated at the beginning of the divorce case) that has not been marked as lost, and its content has not been remotely erased. Instead, the Apple ID on the phone has the location notification feature enabled in case it comes within range of a GSM/Internet network - all was reported to the police.
Today, during the spouses' conversation via iMessage, a zip file appeared in her window containing an exported chat from WhatsApp between me and my principal (I'm a legal counsel representing her in the case), appearing as if she sent the compressed conversation file to her husband. In addition to matters covered by professional secrecy, the chat included discussions on legal strategy, proposed directions for the divorce case, asset division, child contact, etc.
After the phone appropriation last year, the woman changed the passwords associated with the Apple ID and Gmail but did not change the Apple ID email itself. Considering the physical access to the previous phone by the husband, I wonder if remote access to the current phone, exporting the chat, and sending it to himself pretending it was done by his wife would be possible. Exporting a WhatsApp chat cannot be done accidentally, as exporting requires at least a few steps.
We checked the phone for applications like TeamViewer, devices logged into WhatsApp Web, devices linked to the Apple ID, but found nothing.
Apple does not provide login history from Apple ID/iCloud. I assume that these logs contain IP addresses of devices logging into the account and possibly their location/network provider's name.
The only possibilities I see are (i) breaking the password from the pool of passwords used by the wife, although she claims to have unique ones, (ii) logging into the Apple ID through a phone in physical possession of the husband - although the phone should send a notification when in range of an Internet network, this option seems doubtful to me, (iii) installing malware/spyware some time ago already.
The main lead I see here is having physical access to the previous device and the Apple ID still linked to the same Gmail address and a new phone (albeit under a different password). However, I'm still wondering how the WhatsApp chat was generated (live - it was not extracted from iCloud backup), which later appeared in the iMessage window, as WhatsApp, being a non-Apple app, does not exchange data with the iOS system and has its own ringfencing.
Perhaps an application allowing such operations was installed on the phone, but I lack knowledge in this area and upon checking all installed apps we found nothing as mentioned earlier.
I'd appreciate any ideas on how to tackle this problem - apart from reporting it to the police which is already done, but most probably will give zero effects.
iPhone 13 Pro