Ongoing mobile hack on iPhone and now GOS

DanHacked

Hi everyone,
I recently moved to GOS in the hopes of resolving my issues with security but I have not. As far as i can tell my attacker has gained root access to my GOS device, they are able to change SMS management apps and hide my incoming SMS messages at will. They are able to disrupt my location services across profiles. I'm not skilled at reading log files but there has been a tonne of activity since I started having issues. Can someone have a look at my logs and give me some advice?

raccoondad

DanHacked what makes you believe you are hacked? If its just what you listed, you probably aren't....

teezeh

DanHacked As far as i can tell my attacker has gained root access to my GOS device

I highly doubt this allegation. Same for iOS, btw.

Where did you get your GOS device, when and how did you install GOS, do you have multiple profiles or just Owner?

DanHacked

Link to log file

https://drive.google.com/file/d/17AF1PtG2LEABPsBwGYCriY8TV6xW-ldu/view?usp=drivesdk

usingregularly

raccoondad they have control of what apps I can access and use, turning off data when I'm using dating apps, notifications are not working for some apps and just seem to be generally messing with me. Sorry I can't pinpoint evidence to prove it's a hack but I changed to gos to eliminate this which it did until yesterday now I'm back with the same issues

raccoondad

usingregularly Sorry I can't pinpoint evidence to prove it's a hack

I heavily doubt you are dealing with 'a hack', these symptoms wouldn't point to that at all. What do you mean by "they have control of what apps I can access and use"

usingregularly

raccoondad I can intermittently open certain apps and realise that could be a gos issue but I had the same issues with the same apps on iOS.

angela

Although it's difficult to do this, it might help to have another device record the screen while you use it to try to capture some of these unusual occurrences.

I don't disbelieve you, there are many advanced hackers out there, some of them likely know 0 day exploits.

Do you also understand Auditor and how to use it?

usingregularly

angela I do not but I will check it out, thank you Angela

Lusca

If you are able to I would recommend:

Take out your SIM
Reset/Flash the device using the Web Installer
Enter Airplane mode as soon as you can and perform Auditor remote attestation (or local if you have another device.
Enable security features such as Charging-only on the USB-C Port (Exploit Protection)
Install apps as normal.

You may want to get an eSIM online or get a new SIM card anonymously (or not if you can't).

usingregularly

This is the response I get from auditor, everything looks ok to a novice like me but I'm having the same issues I had on my old iPhone...

Successfully performed basic initial verification and pairing.

Hardware verified information:

Pairing identity (hash of pinned hardware-backed key): B579-AB5B-02E5-2841-1D49-178C-F45C-DF48-9699-3B33-E294-E36C-3628-A139-A329-79C7
Pinned security level: High — StrongBox Hardware Security Module (HSM) with pairing specific attest key
Pinned device: Google Pixel 9 Pro Fold
Pinned OS: GrapheneOS (unmodified official release)
Pinned OS version: 15.0.0
Pinned OS patch level: 2025-05
Pinned vendor patch level: 2025-05-05
Pinned boot patch level: 2025-05-05
Pinned verified boot key hash: AF4D2C6E62BE0FEC54F0271B9776FF061DD8392D9F51CF6AB1551D346679E24C
Verified boot hash: 189415E630D9A03D7F30861231D3C2D957B28B61FA281555F7444A5DA7C77246

Information provided by the verified OS:

Pinned Auditor app version: 89
Pinned Auditor app variant: Release build signed by GrapheneOS
User profile secure: yes
Enrolled biometrics: yes
Accessibility service(s) enabled: no
Device administrator(s) enabled: no
Android Debug Bridge enabled: no
Add users from lock screen: no
OEM unlocking allowed: no
Main user account: yes
USB-C port security mode: Charging-only when locked
Auto reboot timeout: 12 hours

usingregularly

teezeh I bought it brand new and am running multiple profiles but mainly use one, after running auditor it looks like they don't have root access so they must be getting in another way

JoeBlogs

It's easy to come to a conclusion of being hacked and I hear 'I've been hacked' all to often. Nine times out of ten there is some other logical reason. It's rare for a true hacker to give themselves away by seeing unusual activity. A skilled hacker would never reveal themselves by enabling and disabling anything visible and would cover their tracks and leave no trace. They are like a ghost and not like we see in many movies.

It's more likely a hacker would gain entry and quietly lurk around gathering as much intel as possible that can lead to further penetration, and access to other areas like social media accounts, usernames, passwords or any other personal info to build on a larger profile on you, possibly installing some spyware (PUP) or even remotely sending data back to them riding off the back of some other network process you activate, so not seen, and gather even more intel over time and then quietly leave with no trace of them ever being there and the user none of the wiser. These things lurk in the shadows unseen unless you specifically go hunting for them, for example running AV or anti malware and even then the only things found will be whatever is in the definitions list or within a particular unusual pattern.

The biggest threat we have these days is not actually an attack from outside but from within and the software we install. This can be perfectly legit software but unscrupulous developers can and are paid a sum of money to install an unknown library within the software or even a third party library developer could be paid to add something to their library that others then use. This is a route that many advertisers and miners are taking these days too and personally I consider advertisements to be malicious. There may even be an issue on your network providers side of things as we are dealing with SMS here.

Get the idea of being hacked out of your head and start looking for more logical explanations unless you really are a high value target in which case you have bigger issues to deal with.

JoeBlogs

And as for logs why would a hacker leave any logs when they can write a dev null to eliminate a standard error or any writing to logs.

usingregularly

JoeBlogs thanks Joe, my logs only start from the 15/5/2025 so I think you are spot on that they have been wiped. Security is not my forte so I guess I just have to resign to be being played with, I haven't lost any funds or hit with any ransom. I just hoped Graphene would offer me a higher level of protection, I am running 2fa yubikeys on all my social media accounts but it's changed nothing. I can't stop it.

Lusca

usingregularly

Are you able to get an eSIM, perhaps from Airalo, and take out your old SIM? It sounds like your provider is the issue, or someone malicious at your provider. A third party SIM should help you narrow down the problem.

ignatius

JollyRancher source for the GOS exploit bounties? I've only seen the ones for iOS and android.

akc3n

ignatius JollyRancher source for the GOS exploit bounties? I've only seen the ones for iOS and android.

↑ Yeah, this!
Could you please cite the referenced particular in your comment ↓ @JollyRancher:

JollyRancher Zero day exploits for GOS have 8+ digit price tags on the market.

Feel free to DM me (info in my forum bio) if you don't wish to share it publicly in this thread!

JollyRancher

akc3n
I reached out via SimpleX.

For something more public facing,
https://techcrunch.com/2025/03/21/russian-zero-day-seller-is-offering-up-to-4-million-for-telegram-exploits/

Any serious zero day Android exploit is going to start in the low end millions.

A zero click RCE attack chain that can effect GOS? The US government would cut you a ten plus million dollar check in a heart beat. Israel, France, Russia, and China would all cut similar checks without blinking.

This is a nation state market with nation state budgets and national security reasons to want/need exploits.

natoal

JollyRancher

Makes one feel as though technology can't be trusted

By the way, is it possible to image a seized phone in BFU? Since it won't be updated would there be an exploit within a year or two that allows officials to extract data

akc3n

JollyRancher I reached out via SimpleX.

I have not received any request for DM on SimpleX, did you use the address shared on my github? May try again please, or preferably via Matrix if you can.

Will address everything else commented here as time permits.

JollyRancher

natoal
Trust is always relative.

As for your question, it always comes down to threat profile, how well resourced your enemies are, and how much those enemies are willing to invest in attacking you specifically.

Say the CIA or NSA wants to target you. They may well break into your home and plant cameras such that they can see you type in your password. Then, once they have that, grab you off the street and take your phone.

For the vast, vast, vast majority of threat actors just disabling the USB-C ports data capabilities will stop them cold.

An entity like the NSA probably could image a locked down BFU GOS phone. How? No real idea. Would I be willing to bet against it? Nope.

The police or any more realistic hostile parties? Doubtful, they are more likely to just toss the hardware in a vault and forget about it until they get a viable attack.

Don't commit crimes. And if you are going to do things that a government getting access to years down the road is a serious concern then you probably should be factory resetting your device on a very regular basis.

https://m.youtube.com/watch?v=pBdGOrcUEg8

grayway2

natoal it's not possible if the nand is tied to a security chip (Titan M2 for pixels 6 or later) because the encryption keys used to decrypt the storage and make it understandable are stored in the security chip.

If no security chip then the cops just need to find a vulnerability that will permit them to create a bin file/Raw image of the internal ssd of the phone then it can be later brute force.