What should I do if my iPhone shows unusual activity?

Hi,


Background:

Odd iPhone behaviors/activity I did not prompt. No one has physical contact with my phone. In System Services, I found "Corporate Accounts" that consumes cellular data daily, yet no profile exists under VPN and Device Management. I will add that I have had a stalker since 2019 with resources most of us cannot imagine.


Problem:

I recently opened my Shortcuts app for the first time and found existing shortcuts. One was quite specific and (if I am interpreting it correctly) it captures a copy of my screenshots and sends it somewhere but ONLY when I am on a specific governmental website where I gather evidence against the stalker. The governmental website's URL was visible to me. I also saw a Wake on LAN and I have learned what it is and does. With a growing understanding of my iPhone data, an app called Network Utilities, & my frequent observation noting any darn thing I possibly can, I believe my iPhone was hijacked first through an unauthorized MDM which I think allowed those Shortcuts to be made on my device.


Clues:

  1. Per App, my battery percentage number no longer logically matches battery use stated. See pics.
  2. Where previous observation of charted charge times always showed a green horizontal bar with lightning bolt - now bolt is sometimes missing. Yet chart seems to indicate charging. Specific app activity at these times is not 100% from my activity.
  3. I hesitate to add this bc I need snark the least right now, but it might be critical...my darn phone INCREASES in battery charge while OFF and in a Faraday bag. During this event my device shows various battery consumption per app NOT done by me.


Question:

What do I do? Cops already bored with stalker complaints. I think the fancy equipment used to hack is next door about a fifth of a mile from me. How do I convince anyone this is real?



[Re-Titled by Moderator]

iPhone SE, iOS 18

Posted on Apr 2, 2025 1:25 PM

12 replies

Apr 2, 2025 2:04 PM in response to DidntKnowINeededaCommunity7

Just a couple of points:

  • Don't see anything suspicious with your app usage and reporting of Screen Time. There is not a direct correlation between minutes of use and Battery Percentage. For example, an app playing videos is going to take up a far higher percentage than simply viewing the Notes screen for a far longer time.
  • Where the bolt is missing on charging is because the charging period is off screen and there is not enough room to display the charging indicator like you see in the middle of the screen.
  • Don't know what the Network Utils app is supposed to do for you.
  • For details on the Shortcut you observed, you would need to provide screenshots of those. Apps can include Shortcuts and they will be added automatically. When deleting the app, the Shortcut is removed. WoL may have been installed by your Network Utils app or another one that is on your device.
  • Don't know where you are seeing Corporate Accounts using cellular data. A screenshot of that would be helpful.
  • In the case of an Apple Account being compromised, I would normally recommend changing that password, but I don't see anything there where that would be the case. That may be something you want to do anyway.
  • Also review if there are any other devices logged into your account by going to Settings > [name on top], and scroll to the bottom to see the device list.

Apr 3, 2025 1:39 PM in response to Mac Jim ID

Mac Jim, I appreciate you taking time to share your thoughts on potential unauthorized MDM on my device. I NEED folks like you to hold the hand of this kindergartener:)


I will share my thoughts now...I am more confused than ever. It was here, within this community, that I found a member with similar symptoms in their phone and the reply received included confirmation of an unauthorized MDM. I get such different answers every time I call Apple support, too. In fact, in a recent call to Apple I said it is possible to install an MDM without physical contact and NO profile seen (only a serial number is needed per Google Workplace admin info page), the supervisor very politely (actually I felt badly for him because he was clearly trying so hard to be sensitive and let me down gently:) stated he had never heard of such a thing and Apple would have informed his department. Not true. In my ongoing research, I found a clear description of the issue and this description is confirmed by Apple. Description is available in...is it called Gethub? And as I recall it was in an update offered with security repairs ("patches"?) and the number began with "17". Entitled "Shortcuts".


What puzzles me now regarding what I found is (a) the supervisor had no idea this event happened. Not his fault, I assign responsibility to big decision makers within Apple who failed to ensure awareness, and (b) the update with repairs was issued to Mac devices only. I looked and saw no iOS ones. So, I am still losing data and now device content. Another Shortcut was located today along with activity mentioning "Trusted Contacts" associated with my Google account. Research showed a "Trusted Contact" is the person who Google will contact if no activity occurs for a specified amount of time (death). I found the trusted contact activity in the section where app and web time can be limited (can't recall what it's called:). Here I also found items suggesting a developer type of access - not regular Joes like me. Things with "Webkit" and "Auth" or maybe it was "OAuth" were present during one hour slots where I was not using my device. So right now, I feel I am uncertain still but leaning toward the idea of an invader in need of a firm spanking. Contacting Apple again soon, then FCC, and wishing I had the phone number of a parent of the misbehaving invader.


One other supervisor shared good realistic advice. He said "vintage flip phones do not have bluetooth" - I still have my old flip phone:)


Again, I appreciate your reply.

Apr 3, 2025 1:58 PM in response to DidntKnowINeededaCommunity7

I am sorry about the bug. I highly recommend Malwarebytes, a security app that works on your phone. And if you have no need for any apps that are being used to scam you, I would delete them: just hold down on the app and press delete app. If you can track the scammer then send the tracker to the police; that should be enough evidence, with what’s on your phone, to have them investigate (and with the promise to stop calling them!).

Apr 5, 2025 5:24 AM in response to DidntKnowINeededaCommunity7

You can’t legally track people. After all, that’s what you’re accusing others of doing.


If you believe your iPhone is compromised contact your local law enforcement and the FBI. Apple reviews requests for assistance from local law enforcement.


https://www.apple.com/legal/privacy/law-enforcement-guidelines-us.pdf


https://www.apple.com/legal/privacy/gle-inforequest.pdf



Apr 9, 2025 3:59 AM in response to Jeff Donald

Jeff,


Thank you for the links to extra information, I appreciate both.


I am keenly aware of what my question suggests. I wish I had only positive questions, or at least, none that highlighted the darker side of humanity. While doing my best to tread lightly wherever the rights of others overlap with mine, and with appreciation for "...until proven guilty", I have only myself to figure this mess out (and y'all:). Tempering emotional responses to an all-out invasion and takeover of devices is challenging for anyone. If I err in any manner, I respond best to the same sort of kindness I receive in this forum. It still takes a village! That said, reference to suspected source location is relevant considering specific technology required for some nefarious maneuvers.


**Gotta Say...between this forum and the developers site, I learn more almost hourly. I appreciate Y'all!!

Apr 9, 2025 10:45 AM in response to Mac Jim ID

((FOUND IT))


Hi Mac Jim ID,


I wanted to share what I have found regarding the presence of Corporate Accounts in System Settings. I may try to add these screenshots again solely for info and enlightenment because so many of us are experiencing this - all while NO profile is shown in VPN & Device Management. In addition to the blank black area where an MDM profile should be visible, I also have more screenshots from various apps and features within settings that show similar behavior. By this I mean the printed words suggest SOMETHING is below them, yet all I see is black and blank. I have been wondering if the absence of an MDM is through a type of redaction process? Should someone bring this to the attention of Apple? (seeking a volunteer, I don't speak techy effectively:)


The two pics from my phone are while on a cellular connection. I pay monthly for only one cellular provider: StraightTalk (no WiFi except the stalker/hacker free WiFi). I will post additional nuggets in reply to relevant comments.


The third screenshot is found at support.apple.com.

