Someone else Jailbroke my phone and installed Spyware - need a little help please

kc555

Casually scrolling through a Low Memory Crash Report, I noted "MSpy" listed as one of the active processes. Alarmed, I did some digging and determined that this was, indeed, spyware that could only have been put onto a jailbroken phone. I uploaded Lookout and it revealed that my phone was, as I suspected, jailbroken. I did not do this.

There are only two possible suspects here: a repair shop I took my phone to the second week of April for glass screen replacement, where I literally waited 10 minutes and they were done and I was on my way, or my husband. I almost always have my phone on me but clearly I cannot watch it 24-7, so it's certainly possible for him to access my phone without my knowing (like when I am sleeping).

Low Memory Crashes in March do not list MSpy at all, whereas every single Low Memory Crash Report after April 26 lists MSpy as a process, if not THE largest process at the time of the crash. It makes me suspect that April 26 was somewhere around the time that the spyware was installed, but I am not certain.

When I think back and start remembering all of the odd things my phone has done lately, it makes sense. However, some of those odd things happened before the April 26 date, so that's another reason I am having a hard time figuring out when this might have been done.

I was able to code the Cydia app back into view on my phone, but I can't log into it. Obviously I don't know how to log into the MSpy account that my phone is linked to.

Can anyone help me determine when my phone was jailbroken? I have two different backup files that I can dig through - one from this week, which I can definitely see spyware indications inside of (like the word "Cydia", "MSpy", "Iphoneinternalservice", for example), and another dated March 10th, where I have not been able to find any hints at spyware (none of the above words can be found inside the files) - although admittedly I know very little about this stuff and hardly know what to even look for. It's possible I could have missed something in the March backup files.

Or, can anyone help me figure out when MSpy was put onto my phone? Or Cydia?

It makes a huge difference knowing whether or not it was my husband vs a stranger. I don't want to point fingers and accuse without some solid footing...not only because I don't want to make false accusations, but also because if I'm not certain of what I'm suspicious of and my husband denies involvement, well, where does that leave me?

Thank you very much to anyone who has any insight to share on this....
 
You can't pinpoint the exact date of the jailbreak. You can attempt to find out when MSpy was installed by looking it up in your device's root directory for the established date of that specific path, but that's it. If it is indeed spyware, simply restore your device and it's gone.
 
Thanks for the response. I know I can ditch the spyware, but my main concern is WHO put it there. Which is why I'm trying to figure out if there's any way of knowing when this happened.

Can you tell me exactly how to access the root directory, view it, and locate a possible path? This is where I am clueless. I don't even know how to read the backup files correctly so I end up just loading them all in TextPad and sorting through the gibberish for something recognizable. I'm sure there's a better way, I just don't know what that is. Thank you.
 
You can use iFunBox to do so on your computer. Plug your device in, run iFunBox, open up the device's directory and go through the Raw System File.
 
Thanks again. I did as you suggested.

What I am seeing is that it appears Evasi0n, Cydia, BigBoss, MSpy, & Modmyiphone do not appear prior to April 26 under those names/headings, but there are other items that do appear before April 26 that seem related, but might not be:

"Racoon" in the Private File has a subfile called "Remote" that has a line inside that reads "sainfoanonymous" and the Racoon file is dated December, 2012. Still inside of that Racoon file there is a document called "Psk.txt" which has lines that read "a secret key goes here", along with #user_FQDN and #macuser@localhost "something secret". While this looks suspicious, I don't know if it actually is or not.

Also, even though all of the main Files associated with the jailbreak and spyware are dated April 26 some lead into sub-categories that have earlier dates. For example, in the Systems Applications file there is a MSpy folder heading that literally renames itself "Update Service" right in front of my eyes, and it is dated April 26. Inside of this MSpy/Update Service Folder, there is a sub-folder called Code Signature, and this is dated April 26 as well. Opening this sub-folder, there is a document inside that reads "Code Resources" but this has an earlier date of April 5. There are also documents like "Embedded Mobile Provision", Legal Notice html, MSpy File Document, PkgInfo, Resource Rules plist, SPY Legal Notice Controller.nib, SPY Sign Up Controller.nib and SPY Wellcome Controller.nib and all are dated 4/5.

Why would that have a date listed earlier than what I suspect to be the install date on MSpy? Does this mean that my suspect install date of April 26 is wrong? There are other folders that have info that reads the same way - where the app seems to have been installed on April 26 but some contents inside have earlier dates on them. Since I cannot read all of the files because I lack the correct programs with which to read them and there is so much information inside of my phone, figuring this out is slightly tricky. After a while I start feeling overwhelmed.

I first suspected April 26 because Low Memory Crash reports on my actual phone do not show MSpy as a process until that date, and while there are 13 Low Memory Crash reports in the month prior, since the 26th of April there have been almost 800 LMC Reports, and all of these since have MSpy listed as a process, if not THE largest process running at the time of the crash. It's like suddenly my phone began having a low memory boom and has continued to do so ever since April 26. This would make sense if the install date was the 26th, since MSpy would have started running non-stop on my phone.

Pinpointing the date of the installation would be very useful because it determines how I proceed with this. If it ends up looking like a repair shop hack then I'm certainly going to want to bring it to the management's attention. If it's my husband then that's an entirely different set of problems. =(
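
Added example, not part of the original thread: the reasoning in the posts above (the process is missing from the March crash reports and present in every report from April 26) can be turned into a timeline by parsing each report's date and process list instead of reading the files by eye. The report layout, the function names and the sample reports are assumptions constructed for illustration, not output from a real device.

```python
import re
from datetime import datetime

DATE_RE = re.compile(r"^Date:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", re.M)
LARGEST_RE = re.compile(r"^Largest process:\s+(\S+)", re.M)

def parse_report(text):
    """Return (timestamp, process names, largest process) or None if undated."""
    m = DATE_RE.search(text)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    largest = LARGEST_RE.search(text)
    _, _, table = text.partition("\nProcesses\n")
    names = {row.split()[0] for row in table.splitlines() if row.split()}
    names.discard("Name")  # column header row
    return when, names, largest.group(1) if largest else None

def timeline(reports, needle):
    """Bound the first appearance of a process across a set of reports."""
    needle = needle.lower()
    parsed = [p for p in map(parse_report, reports) if p]
    out = {"first_seen": None, "last_without": None, "with_process": 0,
           "as_largest": 0, "skipped": len(reports) - len(parsed)}
    for when, names, largest in sorted(parsed, key=lambda p: p[0]):
        if any(needle in n.lower() for n in names):
            out["first_seen"] = out["first_seen"] or when
            out["with_process"] += 1
            out["as_largest"] += int(bool(largest) and needle in largest.lower())
        elif out["first_seen"] is None:
            # Absence only shows the process was not running at that crash.
            out["last_without"] = when
    return out

def _sample(date, procs, largest):
    # Constructed report in an assumed, simplified layout (not a real device log).
    rows = "\n".join(f"    {p} <uuid-placeholder> 1200 1200 50 (daemon)" for p in procs)
    return (f"Incident Identifier: CONSTRUCTED\nDate: {date} -0400\n"
            f"Largest process: {largest}\n\nProcesses\n"
            f"     Name <UUID> rpages recent_max fds (state)\n{rows}\n")

SAMPLE_REPORTS = [
    _sample("2013-04-26 09:15:00", ["SpringBoard", "MSpy", "MobileSafari"], "MobileSafari"),
    _sample("2013-03-10 08:00:00", ["SpringBoard", "MobileSafari"], "MobileSafari"),
    "truncated report with no Date header",
    _sample("2013-04-27 22:40:10", ["SpringBoard", "MSpy"], "MSpy"),
    _sample("2013-04-20 13:30:00", ["SpringBoard", "MobileMail"], "MobileMail"),
    _sample("2013-04-26 18:02:44", ["MSpy", "SpringBoard"], "SpringBoard"),
]

if __name__ == "__main__":
    for key, value in timeline(SAMPLE_REPORTS, "mspy").items():
        print(f"{key}: {value}")
```

The gap between `last_without` and `first_seen` is the window in which the process first started running; it does not by itself date the jailbreak.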
 