
sierracat

macrumors newbie
Original poster
Aug 25, 2021
8
4
Hi everyone. I am new here because I have a specific question related to a confounding situation with my personal Apple devices over the past three months. I have been dealing with very strange behavior and potential remote access on several of my brand new & updated phones, all of which have different AppleIDs and phone numbers.

In my attempts to figure out what has been going on, a forensics guy I hired has noticed a common thread of the accessibility settings changing on their own. It is happening in all of the impacted phones, and we have noticed that there are 20 or so that are always reverting to certain shortcuts, even when we try to repeatedly delete or change them. So far over many support calls Apple has been unable to explain why it's happening, but they have admitted to it being at the very least a "bug" in the accessibility settings for the phones. I know a weakness like this was exploited in Android phones in the past, but I can't find any information about a similar thing in iPhones.

Also, among other troublesome behaviors, I have noticed that the phones will sometimes show a link under "Analytics and Improvements" that an Apple support technician has enrolled my device in a diagnostics session, but when I call Apple to ask what it is about, their own records do not show such a link has been sent by them to my phones.

I have reached out to Apple's security team, but thought I would also reach out here to see if anyone has heard of such things? Also, does anyone have any suggestions for me to figure out what might be going on? I have been taking screenshots of the behavior but so far having a hard time getting traction within Apple -- other than them being stumped and admitting to a software bug.

Thank you! Any help would be much appreciated!
 

now i see it

macrumors G4
Jan 2, 2002
11,242
24,261
20 different iPhones with 20 different Apple IDs can't be all hacked with the same malware.
Apple software is notoriously buggy.
That's likely what it is.
 

sierracat

macrumors newbie
Original poster
Aug 25, 2021
8
4
It is not 20 phones, and it has confounded Apple so far, hence my question to the community. Thanks.
 

0128672

Cancelled
Apr 16, 2020
5,962
4,783
Maybe it's time to ask for more details. Are these devices your personal devices or work devices? Which iOS versions are they on?

Which specific shortcuts are you talking about? It might be helpful if we can attempt to reproduce the issue.

When you say "20 or so", what is that referring to? 20 settings? 20 shortcuts?

What had you set them to and what did they change back to? For how long did those shortcuts remain as you had set them, and did anything else change shortly before you noticed they had been changed?

Are you able to change a shortcut, exit, and then relook at the shortcut and see that it was changed from what you had set it to, all within a few minutes?

When you refer to reviewing the Analytics Data on one of your phones, what is the title of that analytics data request, i.e., Analytics-Daily-2021-08-21 etc.?

I have to say this is the first time I've ever read of someone actually hiring a forensics expert to troubleshoot a phone issue.
 

sierracat

macrumors newbie
Original poster
Aug 25, 2021
8
4

Here is an image of the diagnostic support link I am getting without Apple sending it or me requesting it. I have screenshots of it happening on several of my phones, and times.
 

0128672

Cancelled
Apr 16, 2020
5,962
4,783
I see what you're seeing. Which of the reset steps have you done on at least one of your phones? If you erase the phones and set up as new, is it still there?

Edit: After thinking about this more, I think you may need to accept Apple's assessment that it's a bug. I can't offer much more than erasing your phone and setting it up as new.
 

sierracat

macrumors newbie
Original poster
Aug 25, 2021
8
4
I have a laundry list of reasons why I know I am dealing with remote access. Settings changing on me, unauthorized camera and mic usage, getting locked out of accounts, new phones heat up intensely when unplugged and not doing anything, battery life crazy short, seeing the actual cursor moving on the screen, lots of screen glitchiness even on new phones, etc. etc. Also, most importantly, after an Apple support tech couldn't figure out my issues related to a 2-week-old out-of-the-box MacBook Air two months ago, Apple sent me to a certified Mac specialist who found and photographed unknown "mobile remote management software" on my new laptop. It later disappeared from the place it was photographed before we could learn any more about it. I have the images and can share them here if helpful.
 

BugeyeSTI

macrumors 604
Aug 19, 2017
7,223
9,071
Arizona/Illinois
Well if you're sure something is going on you should wipe your hard drive on the MacBook Air and reinstall the OS clean and do the same with all your devices and don't use a backup on any of them (set them up as if you just got them for the first time). Then change the password on your AppleID and sign back into iCloud. I'd turn off iPhone analytics and share with developers and any other settings dealing with "sharing with Apple to improve".
 

sierracat

macrumors newbie
Original poster
Aug 25, 2021
8
4
Thanks for the advice. I have tried the factory restore (at the Apple Store on their network) a few times now. I haven't tried to do it w/o sharing analytics, though.

Has anyone here ever heard of getting sent the diagnostics link from an Apple support technician when one wasn't requested, and Apple doesn't have any record of doing it? It has happened to me on several phones, several times on each. I have more screenshots like the one above and confirmation from Apple that they did not initiate it.
 

BugeyeSTI

macrumors 604
Aug 19, 2017
7,223
9,071
Arizona/Illinois
Never, although all of the "share with Apple" settings are off on my devices and I don't have those options on my screen.
 

humpbacktwale

macrumors regular
Dec 20, 2019
204
33
If you have pictures of anything, then yes, you should post them.

What settings are changing? How are you aware of unauthorized mic and camera usage? You said a forensic expert took a look. What network traffic have they identified that would lead you to believe it's remote access? Have you jailbroken your devices? Are they up to date?

Edit: Also, where did you get the phones from? What do you mean they photographed the software? They will have made an image of your drive to inspect it, so it shouldn't be gone. Also, are all the phones experiencing the EXACT same issues, or are you describing an aggregate of issues across all of them? What cursor do you mean?
 

sierracat

macrumors newbie
Original poster
Aug 25, 2021
8
4
https://discussions.apple.com/thread/252692257?login=true

I came across a post on the Apple community support forum in which a person talks about seeing the same unrequested/mysterious diagnostics session links on several iPhones, and the poster also mentions feeling remotely accessed / monitored. (It's not the original poster, but scroll down to posts by "disolve.") disolve also describes some other issues (can't turn off location sharing, feels like screen is being read, account stuff, etc. etc.) and these are totally in line with what I have been seeing for months. The thread is from May 2021, which is around when my issues began, so maybe this is a security issue Apple has not resolved yet?
 

humpbacktwale

macrumors regular
Dec 20, 2019
204
33
No, they are just jumping to conclusions. It's likely a bug. Malware hasn't been able to persist after a reboot on iOS for a long time, never mind after a DFU restore. Also, they say they "feel" like it's being read, which doesn't mean anything. They also mentioned it happens even when they have no external connections to their phone, which wouldn't be possible to screen record then.

Also, if you type in "iphone can't disabled location sharing" on Google, you get loads of other posts. It's not an uncommon issue. You still haven't told us what you mean by "unauthorized camera and mic usage".
 

sierracat

macrumors newbie
Original poster
Aug 25, 2021
8
4
My main issue when I said I noticed remote access certainly was not solely related to location sharing, thanks. The other poster mentioned it, and I agreed because I had seen it, too.

humpbacktwale -- what exactly is your motivation here, to advocate that no matter what behavior is happening, they must all just be "bugs"? Because of Apple's pristine security history? Recent events would suggest otherwise.

If someone outside of Apple is able to send my phones these links and make it seem like they are coming from Apple, I assume that would be somewhat a big deal. Because, as I understand it, from my admittedly layperson point of view, in a diagnostic session you are sharing your device with the outside, supposedly Apple.

My friends who work in digital security seem to think it's actually a new and huge problem that my impacted phones are getting these links and Apple has zero record of sending them.

Also, this has happened multiple times on all five phones. Even after a factory reset, even after turning off and on. Even with fully patched iOS.

What I want to know is if anyone else here has heard of anyone's phones receiving repeated & unexplained (fraudulent?) Diagnostic Session links sent that Apple has no record of?
 

humpbacktwale

macrumors regular
Dec 20, 2019
204
33
> what exactly is your motivation here, to advocate that no matter what behavior is happening, they must all just be "bugs"? Because of Apple's pristine security history? Recent events would suggest otherwise.

To get you to actually answer the questions we have asked to more accurately provide you with advice, as that is clearly what you have come here for. Also, if you are referring to Pegasus, I wouldn't really consider that a misstep on their part. It was an extremely small user set affected, and it's a drop in the ocean compared to the amount of issues with Android.

> If someone outside of Apple is able to send my phones these links and make it seem like they are coming from Apple, I assume that would be somewhat a big deal. Because, as I understand it, from my admittedly layperson point of view, in a diagnostic session you are sharing your device with the outside, supposedly Apple.
>
> My friends who work in digital security seem to think it's actually a new and huge problem that my impacted phones are getting these links and Apple has zero record of sending them.

Unless your friends work at Apple, it doesn't matter. Given that there are other people who have seen this, based on that other post, it is likely many other people have it also, and if that's the case, then yes, a UI bug could be a likely explanation.

As for the other things you talk about, they just sound like run of the mill iPhone behaviour. There are hundreds of posts on this forum alone regarding battery drain and heating up. You haven't expanded on the mic or camera access, or how it's unauthorized, or about the setting changes. We also don't know if you have any apps that could be the cause.

> Also, this has happened multiple times on all five phones. Even after a factory reset, even after turning off and on. Even with fully patched iOS.

Well unfortunately, you haven't given us any information about these phones. Make, model, how old, are they restored from backups, were they all restored from the same backups, were they all connected to the same Mac, which you state had remote access software, but then have not posted anything about.

It seems like this could be a UI bug, given the only other post is a relatively recent one.
 

B.williams27610

macrumors newbie
Nov 19, 2021
1
1
Were you ever able to figure this out? Did it continue happening or stop? Did anything else happen? Like your email and iCloud accounts signing you out or anyone trying to take money out of your account? Hmu pls
 

Fred Zed

macrumors 603
Aug 15, 2019
5,800
6,495
Upstate NY . Was FL.
If you’re truly seeing those symptoms then wipe the device and sell it.
 

arec

macrumors newbie
Jun 23, 2022
1
0
Leeds, England
Hi, it's 2022 and I have the same problem. I changed 3x iClouds, changed 2x SIM card, factory reset...
Someone asked about more info:
* strange settings on:
Maps, Apple TV, Weather, Podcasts, Notes etc.
* You can remove apps but they are working in the background
and the URL is https://www.com.apple.maps
or https://www.com.google.chrome.ios
* Your device removed data/apps without your permission, slowly but it does.
* Your FaceTime video never was provided by the FaceTime app!!
* millions of analytics reports with crashes, bugs, false data
* very often poor video call with background sounds.
* you can't reboot phone, just switched off, issues with iCloud account, invalid passwords...
* Face ID, boicie centrolewicy, Zoom etc. options changed after 1-2 hrs, and you can see different display settings, heard sounds.
* blocked phone calls
* strange shortcuts history
* too many strange notification windows, you couldn't close them without pressing some options. Sometimes 5 in a row....
* never open "lazy" www
* double subscriptions of the same app at the same time (1 bought a day later) or after completed setup of a new app, with free trial, the application can't open these settings and asks for purchase, even if you click OK, nothing changes.
* fake emails from Apple
* very often my phone connected to Wi-Fi/Bluetooth without any permission or notification...
sometimes even when I switched off mobile network, BT, Wi-Fi I still had a connection.
* camera settings back to:
- live photo, multiple photos in one, recording voice,
- Safari/Google open www with advice/options/solution for Mac or Android
* much bigger data usage compared to past similar period.
* also Family Sharing, clouds, all very suspect
It's enough?
Still just bugs?
I bought 2 Android phones,
iPhone 7 and after a few hrs all have the same issues.
I changed settings even a few times per day...
My current phone:
iPhone 13 Pro 128, ID Mobile, UK, unlocked device straight from Vodafone (swapped with my gf, she had 12 Pro Max)

Sorry for mistakes, I don't know what to do...
I have to switch off emoji..
 

Hoortheynyway

macrumors newbie
Dec 2, 2022
1
1
I’m having similar issues, for a while now. I had a SE second generation I traded that in for an iPhone 13. Running iOS 16.1 I think. Whatever current version is. Both phones and my iPad excuse me I have an iPad Pro 2016. Also running current version. My health is disabled and iCloud it says but there’s an alternate account in my health. It’s named what, it’s not mine. And I can’t access it. Health has now disappeared from both my iPhone and my iPad so there’s not even a place in settings to access it. The only way I can find it is if I go into iCloud storage and it’s in there. My phone and iPad both get hot randomly. My settings change themselves. By that I mean I can go into screen time, content restrictions and switch a bunch of them to don’t allow, click out wait a minute go back in and they’ll all be back to normal or back to default.
On my Cox Wifi panoramic, it shows up each device has two separate listings same hardware ID but different MAC address, one says connected to the panoramic Wi-Fi the other one says connection unknown. Pictures appear that I have taken months ago or a month ago or so as my most recent picture. I saw a white cursor move briefly on my iPad like somebody was sitting at a desktop. My location is never where I’m at, I am always in Montana, Colorado, New Mexico, everywhere but Arizona. No VPN. Or I guess it doesn’t matter if they have a VPN on or off. My analytics, full of jet Sam events, micro stacks, DAS delegate. AWDD something. You name it it’s in there. If I go into my screen time or sorry, privacy and go down to App report.. my various Apple apps are constantly accessing my Contacts my Photos my health my calendars. I can’t delete my calendars there’s a ton of information in there a ton of storage being used I don’t have any events but I’ve got a crap ton it says in storage. It will not let me delete it even though I’ve already deleted the whole app and it’s still on the screen. Also, I realized that my phone was sending texts from August beginning of August till I found it late September early October I think. Just random conversations different people.. different subjects, different days. That the texts would be sent from a number that showed up as unavailable. It was my primary number and underneath that it said unavailable and that was what those texts were coming from. I purchased iMazing and I copied my messages into Excel form. It ran one Excel form for all my regular text messages that came from my primary number and another set for all of the ones that came from the unavailable number. I talked to Apple I did do a full reset set it up as a new phone. It worked for like a day. And then everything came right back. I’ve tried so many different security things I’ve tried turning everything off I’ve tried lockdown I’ve tried everything.
My apps on my phone and iPad keep signing me out. Apple was supposed to call me back they never did I was kind of over it. I just happened to stumble onto this. Can anyone help did anyone ever figure out an answer to all this? It’s driving me insane. I spend so much time during the day checking my settings and seeing what’s going on. It’s driving me nuts plus, I don’t like feeling like somebody is watching me. And somebody definitely is. Something is going on. HELP!!!
 


2Bjusme

macrumors newbie
Jul 19, 2023
1
0
Hi there, it’s July 2023 and I’m experiencing everything you guys mentioned! Exactly like y’all said! It’s driving me insane also. I keep getting connected to public Wi-Fi instead of my in-home Wi-Fi. Tons of reports being run when everything is turned off under analytics. I have logs showing my smart devices have been enrolled under “Business manager”. I’m thinking Apple Business Essentials has the tools to do what’s happening. Pls let me know if you’re still experiencing this. My husband passed away Valentine’s Day so I’m not trying to lose our pictures or messages. I’ll attach some screenshots I have. I have hundreds though. Screen time was being used to control my devices from another device with a name similar to my iPad. I can no longer use my iPad or Apple Watch because they were being used to control my iPhone and pull logs. Shortcuts set up to send my last picture taken somewhere?... reminders are set up ongoing to send an unfamiliar text now phone number notifications when I leave the house and when I get back. I’m actually scared for my life and that of my daughters because I don’t have my husband to protect us any more.
I attached the files I’ve found in my files app but don’t know if y’all will be able to see them. Well here’s a try
 
