Ongoing Suspicious Remote and Network Access Behavior — Seeking Technical Insight

O v er the past few months, I’ve been experiencing persistent, abnormal behavior on my iPhone. Here's a short timeline:

• March 2025: Most apps log me out every time I close them.
• April 2025: Stored passwords suddenly begin failing across apps and websites.
• May–June 2025: Password recovery emails from Gmail accounts no longer arrive — suggesting that Gmail itself may be compromised or blocked/intercepted.

Given the escalation, I ran several diagnostics and extracted system-level logs. Below is a structured summary of findings that point toward potential remote access, network traffic rerouting, and possibly hidden use of Bluetooth or debugging interfaces.

##1

Source: remotectl_dumpstate.txt

• More than 50 remote lockdown and diagnostic services are listed as active.
• Notable entries:
  • com.apple.mobile.lockdown.remote.trusted and .untrusted
  • com.apple.mobile.file_relay.shim.remote
  • com.apple.webinspector.shim.remote
  • com.apple.pcapd.shim.remote
  • com.apple.bluetooth.BTPacketLogger.shim.remote
  • com.apple.mobile.insecure_notification_proxy.remote
• This volume of .shim.remote and diagnostic services appears highly irregular for a non-debug, non-jailbroken device.

2. Skywalk Network Flows and Unusual Routing

Source: skywalk.txt

• Dozens of flowswitch entries across interfaces like:
  • ipsec0-7, pdp_ip0-2, en0-2, awdl0
• Apps such as Gmail, ChatGPT, Preferences, and com.apple.WebKit are marked as defunct, yet persist in flow tables.
• Two specific daemons — replicatord and siriactionsd — appear on nearly every interface, in both QUIC and TCP6 traffic.
• skywalkctl flow-route shows multiple external IP paths, with flows routed through ipsec7, owned by kernel_task.0 — which could indicate system-level tunneling.

3. System Anomalies and Resource Behavior

Inaccessible System Network Tools Source: get-network-info.txt

• All scutil calls fail (/usr/sbin/scutil does not exist).
• This blocks access to:
  • DNS configuration (scutil --dns)
  • Proxy and VPN status (scutil --proxy, --nc list)
  • Reachability checks (scutil -r www.apple.com)

Key Questions for the Developer Community

1. Are >50 remote .shim.remote services typical on iOS 18.5 (release build)? Or does this suggest tampering, an MDM configuration, or debug provisioning?

2. Could a misconfigured VPN or MDM profile enable persistent flow-switching across multiple interfaces (e.g., ipsec, pdp, awdl) and reroute app traffic such as Gmail?

3. Is it possible for a test or developer certificate to silently side-load a background daemon, or trigger services like pcapd or file_relay, without showing in Profiles or Settings?

4. Has anyone else seen the scutil binary missing or inaccessible on a stock iPhone? Could this be a sign of intentional lockdown or system modification?

5. If anyone on iOS 18.5 / iPhone17,1 can share their remotectl_dumpstate output, I'd like to compare the service count and see if this behavior is reproducible.

I’d appreciate any insight from those familiar with Apple’s system daemons, skywalk internals, or network service behavior. Happy to share sanitized logs or run additional diagnostics if needed.

Thanks in advance.