Persistent Remote Access or Network Manipulation? Technical Findings and Questions

Over the past few months, I’ve been experiencing persistent, abnormal behavior on my iPhone. Here's a short timeline:

  • March 2025: Most apps log me out every time I close them.
  • April 2025: Stored passwords suddenly begin failing across apps and websites.
  • May–June 2025: Password recovery emails from Gmail accounts no longer arrive — suggesting that Gmail itself may be compromised or blocked/intercepted.

Given the escalation, I ran several diagnostics and extracted system-level logs. Below is a structured summary of findings that point toward potential remote access, network traffic rerouting, and possibly hidden use of Bluetooth or debugging interfaces.


Device Information

  • Model: iPhone17,1 (A17 chip)
  • iOS Version: 18.5 (Build 22F76)
  • Status: Stock, not jailbroken or running a developer build
  • Region: Netherlands
  • Carrier: KPN NL
  • Language/Locale: Dutch (nl-NL)

1. Evidence of Remote Services and XPC Connectivity

Source: remotectl_dumpstate.txt

  • More than 50 remote lockdown and diagnostic services are listed as active.
  • Notable entries:
    • com.apple.mobile.lockdown.remote.trusted and .untrusted
    • com.apple.mobile.file_relay.shim.remote
    • com.apple.webinspector.shim.remote
    • com.apple.pcapd.shim.remote
    • com.apple.bluetooth.BTPacketLogger.shim.remote
    • com.apple.mobile.insecure_notification_proxy.remote
  • This volume of .shim.remote and diagnostic services appears highly irregular for a non-debug, non-jailbroken device.

2. Skywalk Network Flows and Unusual Routing

Source: skywalk.txt

  • Dozens of flowswitch entries across interfaces like:
    • ipsec0-7, pdp_ip0-2, en0-2, awdl0
  • Apps such as Gmail, ChatGPT, Preferences, and com.apple.WebKit are marked as defunct, yet persist in flow tables.
  • Two specific daemons — replicatord and siriactionsd — appear on nearly every interface, in both QUIC and TCP6 traffic.
  • skywalkctl flow-route shows multiple external IP paths, with flows routed through ipsec7, owned by kernel_task.0 — does this indicate tunnelling?

3. System Anomalies and Resource Behavior

Inaccessible System Network Tools

Source: get-network-info.txt

  • All scutil calls fail (/usr/sbin/scutil does not exist).
  • This blocks access to:
    • DNS configuration (scutil --dns)
    • Proxy and VPN status (scutil --proxy, --nc list)
    • Reachability checks (scutil -r www.apple.com)

The absence of scutil is not expected, right?


Unusual Resource Usage

Source: assetsd.diskwrites_resource-2025-06-25.json

  • assetsd, working on behalf of cloudphotod, wrote over 1 GB of memory-backed files in under 1.5 hours.

4. Metadata Confirmation

Source: Analytics-2025-06-27-020008.json

  • Confirms:
    • iPhone capacity: 256 GB
    • DRAM: 7.5 GB
    • Carrier: KPN NL
    • Apps marked as highly active ("Games", "Creativity") in analytics also appear as defunct in skywalk, suggesting ghost background processes.

Key Questions for the Developer Community

  1. Are >50 remote .shim.remote services typical on iOS 18.5 (release build)? Or does this suggest tampering, an MDM configuration, or debug provisioning?

  2. Could a misconfigured VPN or MDM profile enable persistent flow-switching across multiple interfaces (e.g., ipsec, pdp, awdl) and reroute app traffic such as Gmail?

  3. Is it possible for a test or developer certificate to silently side-load a background daemon, or trigger services like pcapd or file_relay, without showing in Profiles or Settings?

  4. Has anyone else seen the scutil binary missing or inaccessible on a stock iPhone? Could this be a sign of intentional lockdown or system modification?

  5. If anyone on iOS 18.5 / iPhone17,1 can share their remotectl_dumpstate output, I'd like to compare the service count and see if this behavior is reproducible.


I’d appreciate any insight from those familiar with Apple’s system daemons, skywalk internals, or network service behavior. Happy to share sanitized logs or run additional diagnostics if needed.

Thanks in advance.
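For question 5 (comparing remotectl_dumpstate outputs) and the service counts in section 1, here is an added Python helper that is not part of the original post. It assumes only that the dump text contains identifiers of the form com.apple.<name>; the two sample dumps embedded below are constructed for illustration, not real captures.

```python
import re

# Matches Apple-style service identifiers such as com.apple.pcapd.shim.remote
# (assumption: the dumpstate text lists services by identifier; exact layout unknown)
SERVICE_RE = re.compile(r"\bcom\.apple\.[A-Za-z0-9_.\-]+")

# Constructed sample dumps (not real device output), using names from the post.
MY_DUMP = """\
Services:
  com.apple.mobile.lockdown.remote.trusted (active)
  com.apple.mobile.lockdown.remote.untrusted (active)
  com.apple.mobile.file_relay.shim.remote (active)
  com.apple.webinspector.shim.remote (active)
  com.apple.pcapd.shim.remote (active)
  com.apple.bluetooth.BTPacketLogger.shim.remote (active)
  com.apple.mobile.insecure_notification_proxy.remote (active)
"""
BASELINE_DUMP = """\
Services:
  com.apple.mobile.lockdown.remote.trusted (active)
  com.apple.mobile.lockdown.remote.untrusted (active)
  com.apple.webinspector.shim.remote (active)
  com.apple.pcapd.shim.remote (active)
"""

def extract_services(text: str) -> set:
    """Return the set of com.apple.* identifiers found anywhere in the text."""
    return {m.group(0).rstrip(".") for m in SERVICE_RE.finditer(text)}

def summarize(services: set) -> dict:
    """Count all services, those ending in .shim.remote, and those ending in .remote."""
    return {
        "total": len(services),
        "shim_remote": sum(1 for s in services if s.endswith(".shim.remote")),
        "remote_suffix": sum(1 for s in services if s.endswith(".remote")),
    }

def compare_dumps(mine: str, baseline: str) -> dict:
    """Set-diff two dumps so only the services that differ need a closer look."""
    a, b = extract_services(mine), extract_services(baseline)
    return {
        "only_in_mine": sorted(a - b),
        "only_in_baseline": sorted(b - a),
        "common": len(a & b),
    }

if __name__ == "__main__":
    print(summarize(extract_services(MY_DUMP)))
    print(compare_dumps(MY_DUMP, BASELINE_DUMP))
```

Replace the two embedded strings with the contents of your own and a volunteer's dump to get the real comparison.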
