iPhone 12 Pro Max and 3 other iPhones in the households have been compromised - RAT - Spyware - Malware - Hacked

Writing from Toronto, Ontario, Canada


I strongly believe that my phone has been compromised.


A few weeks ago, I noticed unusual behavior on my iPhone 12 Pro Max. About three weeks ago, I was driving back to Toronto and lost cell connectivity, which happens sometimes. However, I noticed my location services arrow was on, prompting me to open the Find My app. Normally, when you open Find My, it shows the last known location before updating to your current location. At 7:08 pm, the app showed my phone at an unfamiliar address in Toronto, which I've never been to. Two minutes later, it updated to show my phone at my home address, and then a few seconds later, at my current location. I have screenshots of all of this. No VPNs were installed, so I found this odd and concerning.


Since then, I've noticed my iPhone randomly using the microphone, camera, and location services—sometimes collectively, sometimes individually. I don't have any apps running in the background, and my location services are set to "only when using the app." I have the Privacy Report turned on and have noticed that my privacy is being accessed multiple times a day when I'm not using the phone.


I've also found full conversations from four specific contacts (out of my 2,000 contacts) in the recently deleted section of iMessage. I recovered them, but noticed someone tried to move them back there again, and then my iMessage syncing was paused indefinitely. Additionally, my Microsoft Authenticator app was tampered with, causing my main account to be deleted from Microsoft's servers. It took four days of phone calls with Microsoft to restore it.


I've experienced other strange behaviors, such as my phone getting extremely hot, some contacts being muted (mainly close contacts like family and friends), and 2FA messages going straight to recently deleted without hitting my inbox. Two other iPhones—both 8 Plus models—are experiencing similar issues, but my phone seems to be the most affected.


I started using a new loaner phone (iPhone 11 Pro) and a new iPhone 15 Pro Max, but I've noticed strange things happening on those as well, such as the mic, camera, and location services activating on the iPhone 11 Pro, and touch-screen movements on the iPhone 15 Pro Max without any physical contact.


I'm tech-savvy, and I don't let anyone use my phone. It's secured with a long alphanumeric password, and it's not jailbroken—none of them are. I've been in touch with Apple Support multiple times, from Level 1 to a Senior Advisor, and even the Apple engineering team. They ran a scan on the phone and reviewed the iOS code, which came back clean, so they weren't concerned. However, they didn't address the vulnerability of their code or the fact that something is clearly wrong. They pawned it off to the local authorities (who have an incident report open but are doing nothing) and my cellular provider (Rogers), who also doesn't care.


I took my phone to a computer forensics company that uses Cellebrite and a UFED machine for a deep scan. They told me they could run the scan, but it would only tell me if the phone was compromised or not, and it would cost the equivalent of two brand-new iPhone 15 Pro Max phones. I declined the scan, but they did mention the phone was exhibiting unusual behaviors.


I'm extremely frustrated with Apple's response. They don't seem to care due to the rarity of the situation and the belief that Apple devices are 100% secure. But they can be compromised—look up Pegasus by NSO Group, or Google: Citizen Lab.


Someone has breached my device, has remote access, and is invading my privacy, stalking me, and harassing me with nonstop calls daily. It's a sad and pathetic situation, and I suspect I know who might be doing this.


There are other threads on the Apple support forum that discuss similar issues.

RAT remote access - Apple Community


I acknowledge and understand the rarity of all of this; however, it does exist.


Has anyone else experienced anything like this? If so, has it been resolved, and how?


iPhone 12 Pro Max

Posted on Aug 10, 2024 01:10 PM

6 replies

Aug 10, 2024 02:05 PM in response to Dovaleh

I am absolutely convinced that your iPhone has not been compromised, unless it is the only one in the world among the 1 billion+ iPhones in use.


Unless you are a major player on the world stage: Drug lord, dissident in a country with a repressive government, active journalist covering major political intrigue. Pegasus costs several million dollars to install, and hundreds of thousands for each compromised device. So unless you are worth that much you are not a target.


What it sounds like to me is ghost touch, a hardware defect that simulates touches to the screen that didn’t actually happen.


I’ll add that if I truly believed that my iPhone was hacked I would get rid of it and go back to a basic dumb flip phone.


Have you run the safety check? → How Safety Check on iPhone works to keep you safe

Aug 10, 2024 02:43 PM in response to Mac Jim ID

Mac, I appreciate your response and reply. I have taken it to experts to assess and review. They have seen the device while it was turned on. They have seen the screenshots as well of the abnormalities as described in my post in addition to other abnormalities as well that were not addressed publicly (for privacy). They had no explanation.


Again, I am NOT suggesting that it was Pegasus; however, there are some scripts that operate in a similar manner. 10 years ago, when Pegasus started, yes, it was mind-blowing and unheard of. Today, there have been 10+ other companies / groups that have emerged since, in addition to private groups / individuals that can code these scripts to exploit 0day security vulnerabilities.


It's all online. Citizen Lab, the forensics lab at the University of Toronto, works hand-in-hand with law enforcement all over the world and publishes all their findings and case studies on the subject. See the links below, including the last link directly from Apple.com on the subject.


https://citizenlab.ca/


https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/


https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/


About Apple threat notifications and protecting against mercenary spyware - Apple Support (CA)


Aug 10, 2024 02:07 PM in response to Dovaleh

First to ease your concern about the RAT discussion link you provided:

  • There is a well-known scam email that uses the term RAT for Remote Access Trojan and is nothing more than a scam that has scared many people.
  • Users also post RAT diagnostic screenshots where they believe that it is showing them Remote Access; usually this is started from social media sites. What the screenshots show as RAT is actually Radio Access Technology used by your cell provider to diagnose signal issues.


Unless you are a high value target or government official where another government spy agency is willing to spend $500,000 - $1,000,000 per device to spy on you, then you have nothing to worry about with Pegasus or the NSO Group. If you fall in this category, then you should be taking other measures to provide for your security.


As for symptoms, your phone running hot is not an indicator of any nefarious activity. When opening the Find My app, your location will bounce around, and this happens more frequently when you are in a weak cell area. The location will update with the least accurate information first and goes through a progression of using Wi-Fi location, cell tower location, and finally GPS location (which will take the most amount of time to calculate).


How much free space do you have left on your device and in iCloud for services such as iMessage? You will get unexpected results when the storage space is limited including excessive heat and missing data. Apps automatically opening and things moving around your screen are reported every time the digitizer fails in the screen. For those that had that problem, replacing the screen resolved it.


I know there is nothing anyone here will be able to tell you to convince you otherwise, so consider going to an Intelligence Agency in your country. Anyone that is going to charge you to tell you if your phone is compromised is only playing into your fears and will gladly take your money if you are willing to give it to them.


Aug 10, 2024 02:29 PM in response to Lawrence Finch

Lawrence, respectfully, you're mistaken. Pegasus does not cost millions of dollars to install. It's licensed per device for a 5-digit figure. Please read up more on it, including Predator spyware as well. You'd be very surprised. You'd also be surprised that IT IS possible to install or inject a script into the phone through an exploit (0-day at best). Why do you suppose Apple releases security patches every so often? July 29, 2024's releases were all noted security-related patches (CVE).


You have also responded to just one of the several unexplainable examples above. This was also brought to CFI (Forensics) here: https://www.computerforensics.ca/index.html to assess. They've seen iPhone spyware themselves on 2 separate occasions in the past. It's a rigorous process that takes approximately a month of a human analyzing the code and raw data on the phone itself at the kernel level. They are licensed and use Cellebrite and a UFED device to scan and analyze. Without scanning, they had mentioned that my phone was exhibiting unusual and unexplainable behaviors. Please don't trivialize this, due to the rarity of it and the lack of knowledge and experience on the subject.


I have run a safety check on it. Yes.

This thread has been closed by the system or the community team.