What should I do if I suspect my iPhone is hacked?

I am on holiday in Vietnam and I had to replace the screen of my iPhone 12 mini. The assistance asked me to give them my PIN (I did). They did the job but today I noticed the 3utools app was installed on my phone. Have I been hacked? What can they do? What should I do?


[Re-Titled by Moderator]

iPhone 12 mini, iOS 17

Posted on Aug 22, 2024 6:07 PM

Question marked as Top-ranking reply

Posted on Aug 23, 2024 1:29 PM

I couldn't erase my phone because apparently Face ID was disabled since there were issues with TrueDepth. I managed to erase it using Find My Phone from the web.

Whoever did the work on your phone did their best to keep both your own device and account out of your own hands.

The issue now is that I couldn't access with my original Apple ID because it asks me for a verification code, but I don't receive it.

That means they changed the 2FA contacts in your account. Which again was done to keep you from accessing your own account so they can control it. Proof of that is you're asked for a phone number you don't recognize.


When you erased your phone through Find My, did it restart with the "Hello" screen? If so, then it's been properly erased back to factory condition, and any garbage they installed is gone.


Rather than using icloud.com, via a web browser on your computer, can you get back into your account at:


https://appleid.apple.com/


If so, the first tab the page goes to is Sign-In and Security. It should look like this:



Change anything that is not your info back to where it should be. That would most importantly be:


Email & Phone Numbers

Password

Account Security

Notification Email


The last three are the most important to change first so these crooks don't know (hopefully, soon enough) that you are in your account removing their edits. Depending on how close attention they are paying, you may have to do these very quickly so they don't jump into your account and change things at the same time you are.


I think I would start with Account Security. Remove any devices or phone numbers you don't recognize. Make sure to add your computer, whether that's a Mac or PC so the 6 digit authentication notices can get to more than just your phone. Change the password immediately after. Then the Notification Email and finally, the Email & Phone Number section.


If you can't even get into your account this way, then about your only hope is to visit an Apple Store, let them know what happened and see if they can wrest your account away from the crooks.


As a final resort, if all of the above fails, you'll have to abandon the account and create a new one. You will lose any purchased apps and music. Also any photos and contact info you have not backed up from iCloud to another device.


Edit


Before doing any of the above, go back to icloud.com, where you erased your phone from. You'll see these big buttons at the lower left:



Those aren't just for looks. They're buttons as a way to access this data from your browser. Take the opportunity to click each one you need to get data from and save it to your computer. Contacts and Photos of course, and whatever else you think is important.


By doing this first, you'll at least have this data backed up before possibly getting into a war over control of your account.

11 replies

Aug 22, 2024 6:18 PM in response to Wabbaaa

Among other things it can do, 3utools is a jailbreaking app. You have to assume they jailbroke your phone so they could put hidden malware on it. Which could be anything.


Absolutely do not use the phone for anything critical, such as banking, as it may transmit your account number and password to the crooks (and crooks are what they are).


You're going to have to erase the device as new. If you have a backup you made before going to Vietnam, you can restore that after the erase. Any backup you make now would also back up any installed malware, making any such backup useless.


After erasing the phone, log in to your same user account. That should automatically restore your contacts, music, photos, and other such items that get stored to iCloud. If you did have a previous full backup to restore, all of that will already be back on the phone when the restore is complete.


Then, without hesitation, change the password on your Apple account. I would also contact any banking or financial institutions that could be accessed from your phone. Let them know what happened so they can watch for fraudulent activity. Change your passwords for all such accounts immediately.

Aug 22, 2024 6:23 PM in response to Wabbaaa

Wabbaaa Said:

"I am on holiday in Vietnam and I had to replace the screen of my iPhone 12 mini. The assistance asked me to give them my PIN (I did). They did the job but today I noticed the 3utools app was installed on my phone. Have I been hacked? What can they do? What should I do?"

-------


Don't Share your Passcode:

So, which did you provide: Your "PIN"? Or your "Passcode"? Prior to getting this serviced, Change your passcode, if provided. Next time you go about getting it serviced, make one up, and write it down. Then, reset it to what it originally was.


Resetting to Factory Settings:

If you are so concerned, then reset your iPhone to factory settings, as if you were to sell it. Go here: What to do Before you Sell, Give Away, or Trade in your iPhone, iPad, or iPod touch - Apple Support. Perform as instructed there, including the backup creation and iCloud logout.

Aug 22, 2024 6:57 PM in response to Wabbaaa

Wabbaaa Said:

"Many thanks for your reply. I gave them my passcode. I can't signout from iCloud, the 'Sign out' button is grayed out. I also can't make a backup right now but I don't care, if I proceed with the factory **** will I be safe?"

-------


Indeed, it seems to be a scam. But, there is a way to go about getting a button un-greyed-out...


If a Button is Greyed Out:

Try Ridding of "System Data":

When a button becomes greyed-out, sometimes, you need to clear the caches. It basically contains unnecessary files such as caches that are used for system ease of use - all of which gather over time: How to Clear "Other" in your iPhone's Storage - Use Backup - User Tips. Caches would be being used for remembrance of application use.

Aug 23, 2024 10:54 AM in response to skyterial

skyterial Said:

Thanks a lot, I managed to erase my phone one way or another, please read the other reply I gave to Kurt Lang and see if you can help me recover my account (I am writing from another account because I lost the access to the one I used to ask the original question)

———-


You are welcome.


Getting Back in to your Account:

Give Apple a Call for assistance with getting back in. You may need to go into an Apple Store to get back into your Account.

Apple Contact Info:


Screenshare while Talking with the Apple Rep:

Screenshare with the Apple Rep, by hovering a friend’s phone over your phone while the microphone is enabled. That way, they can see this firsthand, from your perspective. Learn more at my user tip: Screensharing MacOS FaceTime to Easily Converse Over-the-Phone with Apple Support

Aug 24, 2024 8:03 AM in response to skyterial

I was afraid of that. Since they don't know the current password, Apple can't get into the account, either.


I do wonder how the crooks at the shop got that far to begin with. Did you supply them with your password before they would replace the screen?


But regardless, the chances you will ever be able to get back into your account are extremely low. You'll just have to consider it lost, and whatever was on it that hadn't been backed up.


Starting with your phone completely reset (starts up to the "Hello" setup screen), create a new email account and make that your new Apple ID. Make sure to use a strong password.

Aug 24, 2024 5:45 AM in response to Kurt Lang

As you guessed, unfortunately I can't access my account. I need to know at least the trusted number, which is one that I either don't remember or has been changed by the offenders. I also talked to the Apple support by phone, but they can't do anything if I don't remember or know the trusted number. It's a bit crazy in my opinion that someone knows ID and password of his account and could provide any possible info to provide verification for his own identity, but if he forgot the trusted number (or has been changed by account robbers) he can no longer access it. I really appreciated all the help, unfortunately I have to accept the fact that I will never recover my account. Thanks a lot.

Aug 24, 2024 5:57 AM in response to TheLittles

I've managed to talk to someone from the Apple Support by phone. Unfortunately they told me they can't do anything more than the automated procedure of account recovery I could already try myself online. They can't do anything without the trusted number, which is hilarious because it could have been changed by the offenders. I find paradoxical that if one knows ID and password of his own account and is able to provide any info, live videocall included, to verify his own identity, can not recover it because he forgot the trusted number (or has been changed by the offenders). Maybe the only tentative I've left is to go to an official Apple Store once back to Europe to see if they can do anything, but I strongly doubt it at this point. I want to thank you for all the help, it was really appreciated.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
