Australian man alleges all of his iOS and macOS devices have been persistently hacked

By Darryl Boxberger

An Australian man claims to be the victim of an incredibly wide and persistent hack of all of his Apple devices -- but his claims that a dating app did it don't quite add up.

Credit: Malcolm Owen, AppleInsider

Towards the tail end of 2019, Simon Edwards noticed that legitimate websites began to fill with pop-up ads. He also had trouble sending emails even when the email service had confirmed a successful delivery, and his screens would "constantly jump and shake."

He began receiving dozens of scam calls a week. Then, he noticed that app icons on his phone would gray out and become unusable. Soon after, he resorted to factory resetting his iPhone "every two hours".

His smart TV, car, and security cameras were connected to the iPhone via Bluetooth. He noticed that apps were disappearing, and the security cameras would occasionally show gaps in their feeds. He also noticed that a "Pegasus spyware warning" would appear whenever he sent an email. Screen Mirroring had also been turned on inexplicably, streaming the live displays of his iPhone and laptop to "an unknown person."

At the same time, he began to lose his social media accounts to hackers, he told News.com.au. After hackers racked up debt in his name, he had to cancel his credit card. His bank had to recover around $8000 in fraudulent spending on his credit card, Afterpay, and Uber accounts. $1500 was spent through his Apple ID account. A fraudulent tax agent added themselves to his ATO tax account, changed years of his tax lodgments, and tried to intercept a $10,000 tax return.

He began to wonder how the cyberattacks had been occurring. He first believed that a work computer of his was infected and had spread the malicious code to the rest of his devices. His employer has emphatically denied this claim, and an independent third-party IT contractor hired by the employer found no signs of any breach on any of the firm's work devices.

Edwards took his iPhone and laptop to a Melbourne Apple Store near the end of 2019 in hopes of resolving "odd things happening" on those devices. While the original appointment was inconclusive, an Apple technician reached out six months after the appointment.

The technician told him that his iPhone was part of a Family Sharing plan without his knowledge, with his phone being registered in a child role within the plan. Apple has paid him $300 in compensation.

He quit his job in April 2021 because he felt crippled by the looming cyber threat and unable to do anything. He has since left Victoria and moved in with his mother.

He tried changing phones, email addresses, phone numbers, and credit card numbers. He has also spent $10,000 on professional IT help and new devices, among them an analog TV. The problem has persisted.

Edwards also reported the incident to the NSW Police. On November 24, 2021, he received a Commonwealth Victims Certificate to show to government agencies and financial institutions to aid in resolving his situation.

To date, he has had to cancel his credit card four times in two years. He now believes a dating app on his iPhone infected the phone and spread the malicious code to the rest of his devices.

Problems and inconsistencies with the account

There is no single strain of malware that does everything claimed in the report, and infection through three or more separate vectors seems incredibly unlikely unless the user is the victim of a continuous social engineering attack.

Email servers are the final arbiters of whether an email was successfully sent. Because these servers handle all final traffic involved in message delivery, when a server reports an email as sent, it was sent. It should therefore not be possible for an email that was never actually sent to be reported as sent by the server.

App icons temporarily gray out and become unusable during installations and updates, and they are restored if the user cancels the update. It's not clear why or how the app icons were behaving that way for the user. In theory, mobile device management can do this, but an MDM enrollment is easily identified by Apple Store personnel.

Given how sandboxing works, a single factory reset will erase malware from an iOS device, save for cases where enterprise certificates are being misused or software is installed through Xcode.

Additionally, Pegasus is well known. It is a passive data collector and relayer, and it neither would nor could do what the user describes.

Family Sharing does not permit another device to turn on Screen Mirroring or to record keystrokes from the device. Pegasus can do that, but Family Sharing cannot enable it.

Finally, iOS apps, including the dating app described, are sandboxed. That means malicious code cannot escape the app in question unless the user was somehow induced to install an enterprise certificate or another mobile device management tool on the device.

Claims that the malware spread from iOS to macOS and back to iOS after a device reset are also questionable. It's not clear how or why this could happen.