Recover a Hacked iPhone — Forensic Spyware Removal & Account Recovery

    If your iPhone has been compromised, every minute matters. We perform full filesystem forensic acquisition, identify the implant, harden your Apple ID, and walk you through a verifiable clean-state restore.

    Suspected active compromise? Put the device in airplane mode before continuing, and turn Wi-Fi and Bluetooth off separately: iOS can leave both radios on in airplane mode if they were on before.

    Telltale Signs Your iPhone Has Been Hacked

    iOS is hardened by sandboxing, code signing and the Secure Enclave, but it is not immune. Nation-state implants such as NSO Group's Pegasus and Intellexa's Predator land on iPhones through zero-click iMessage exploit chains; consumer-grade stalkerware (mSpy, FlexiSPY, Cocospy, Eyezy) arrives through someone with physical access, a malicious configuration profile, or a shared Apple ID session. Recognising the symptoms early dramatically improves the chance of recovering both the device and the accounts behind it.

    Battery life is a useful but noisy canary. A healthy iPhone running iOS 17 or 18 should comfortably clear a working day of normal use; an implant that beacons to its command-and-control server, records the microphone, or exfiltrates photos can halve that overnight. Drain alone proves nothing (a fresh iOS build, a worn battery or one misbehaving app does the same), but a device that is also unusually warm while idle gives you two indicators worth investigating together.

    Pay attention to data usage. Open Settings → Cellular and scroll to the per-app breakdown. 'System Services' is Apple's own bucket for operating-system traffic, so it is never empty; what matters is a jump against your own baseline, so note the 'Reset Statistics' date at the bottom of the screen and compare week to week. Implants typically run as bare processes with no App Store bundle behind them, and on a backup the per-process counters in DataUsage.sqlite give a far finer view than the Settings screen does. Stalkerware, by contrast, often hides inside an over-permissioned 'Family Locator' or 'Parental Control' app installed via a sideloaded configuration or MDM profile.

    Look for unexpected configuration profiles. Settings → General → VPN & Device Management is the single most overlooked surface on iOS. A profile installed there can add a root certificate authority (once it is also enabled under Certificate Trust Settings, a proxy can read TLS traffic), push a VPN or global HTTP proxy that carries all of the device's traffic, and point DNS at an attacker-controlled resolver; an MDM profile can additionally mark itself non-removable. We routinely find profiles named 'Apple Inc.' or 'Wi-Fi Helper' on devices that owners swore they never configured.
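    One way to triage a profile before (or after) removing it from the device, as an added example that is not the page's own tooling or MVT code: parse the .mobileconfig plist and flag the payload types that grant network interception or remote management. The PayloadType identifiers are Apple's documented ones; the risk labels, the sample 'Wi-Fi Helper' profile and the helper names (analyze_profile, RISKY_PAYLOADS) are this example's own assumptions. A signed profile is a DER-encoded CMS envelope around the plist, so plistlib cannot read it directly; unwrap it first (for instance with openssl smime -inform der -verify -noverify) and feed the inner XML to the function.

```python
"""Flag high-impact payloads in an iOS configuration profile (.mobileconfig).

Added example, not the page's or MVT's code. PayloadType identifiers are
Apple's documented ones; the risk descriptions and the sample profile are
constructed for this demo.
"""
import plistlib

# PayloadType -> what an attacker gains from it (descriptions are ours)
RISKY_PAYLOADS = {
    "com.apple.security.root": "root CA: TLS interception once trusted",
    "com.apple.security.pkcs1": "certificate install",
    "com.apple.dnsSettings.managed": "DNS redirected to a chosen resolver",
    "com.apple.dnsProxy.managed": "DNS routed through an app extension",
    "com.apple.vpn.managed": "all traffic routed through a VPN",
    "com.apple.proxy.http.global": "global HTTP proxy",
    "com.apple.wifi.managed": "Wi-Fi network / proxy settings pushed",
    "com.apple.mdm": "remote management enrolment",
}


def _detail(payload):
    """Pull the attacker-controlled endpoint out of a payload, if it has one."""
    ptype = payload.get("PayloadType", "")
    if ptype == "com.apple.dnsSettings.managed":
        dns = payload.get("DNSSettings", {})
        return dns.get("ServerURL") or ",".join(dns.get("ServerAddresses", []))
    if ptype == "com.apple.vpn.managed":
        return payload.get("VPN", {}).get("RemoteAddress")
    if ptype == "com.apple.proxy.http.global":
        return f'{payload.get("ProxyServer")}:{payload.get("ProxyServerPort")}'
    if ptype == "com.apple.mdm":
        return payload.get("ServerURL")
    if ptype == "com.apple.security.root":
        return payload.get("PayloadCertificateFileName")
    return None


def analyze_profile(data):
    """Parse an unsigned .mobileconfig (XML or binary plist) into a triage summary.

    Signed profiles are a CMS/DER wrapper; unwrap first, e.g.
    openssl smime -inform der -verify -noverify -in p.mobileconfig -out p.xml
    """
    if not (data.startswith(b"<?xml") or data.startswith(b"bplist")):
        raise ValueError("not a plain plist: signed profile? unwrap the CMS envelope first")
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            findings.append({
                "type": ptype,
                "risk": RISKY_PAYLOADS[ptype],
                "detail": _detail(payload),
                "identifier": payload.get("PayloadIdentifier"),
            })
    return {
        "name": profile.get("PayloadDisplayName"),
        "organization": profile.get("PayloadOrganization"),
        # True: the user cannot remove it from Settings without the MDM's help
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "findings": findings,
    }


# Constructed sample modelled on the 'Wi-Fi Helper' profiles the page describes
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.wifihelper",
    "PayloadUUID": "11111111-2222-3333-4444-555555555555",
    "PayloadDisplayName": "Wi-Fi Helper",
    "PayloadOrganization": "Apple Inc.",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {"PayloadType": "com.apple.dnsSettings.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.wifihelper.dns",
         "PayloadUUID": "22222222-2222-3333-4444-555555555555",
         "DNSSettings": {"DNSProtocol": "HTTPS",
                         "ServerURL": "https://dns.attacker.example/dns-query"}},
        {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.wifihelper.ca",
         "PayloadUUID": "33333333-2222-3333-4444-555555555555",
         "PayloadCertificateFileName": "helper-ca.cer",
         "PayloadContent": b"\x30\x82\x00\x00"},   # placeholder DER, not a real cert
        {"PayloadType": "com.apple.webClip.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.wifihelper.clip",
         "PayloadUUID": "44444444-2222-3333-4444-555555555555",
         "URL": "https://example.invalid", "Label": "Help"},   # benign, not flagged
    ],
})

if __name__ == "__main__":
    report = analyze_profile(SAMPLE_PROFILE)
    print(report["name"], "removal disallowed:", report["removal_disallowed"])
    for f in report["findings"]:
        print(" ", f["type"], "->", f["risk"], f["detail"])
```

    Run it against a profile pulled from a phishing mail or from a filesystem dump; two or more findings plus a non-removable flag on a profile the owner never installed is the pattern the paragraph above describes.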

    Finally, audit your Apple ID. Go to appleid.apple.com → Devices and confirm that every listed Mac, iPad, Apple Watch and Apple TV is genuinely yours. An attacker who phished a 6-digit verification code can quietly add a new trusted device, then pull iCloud Backup, Keychain, Photos and Find My data without ever touching your phone again. This is the single most common way 'iPhone hacks' actually occur in 2024–2026.

    • Battery drains 40–60% faster than baseline with no behavioural change
    • Phone runs warm in your pocket while screen is off
    • Cellular data spikes attributed to 'System Services' or unknown processes
    • Unexpected configuration or MDM profiles in Settings
    • Random reboots, especially after receiving an iMessage from an unknown sender
    • Two-factor codes you never requested
    • Unfamiliar devices listed in your Apple ID
    • Safari redirects, pop-ups, or a suddenly-changed default search engine

    Our iPhone Forensic Recovery Methodology

    Recovery is not a single action; it is a chain of custody. The moment a client engages us, we ship a Faraday bag, so the device can be transported without reaching its C2 server, and a forensic write-blocker. From there, the workflow splits into three deliberately separate phases: triage, acquisition and remediation.

    Triage runs on two tracks. The public-facing half uses the open-source Mobile Verification Toolkit (MVT), so a client can reproduce what we did; internally we add proprietary forensic suites that expose more telemetry. Both tracks examine the same artefacts, among them shutdown.log (processes still alive at the last shutdown), DataUsage.sqlite (per-process cellular and Wi-Fi counters) and the locationd caches, against a library of zero-click indicators of compromise.

    Acquisition deepens the picture. Where the hardware permits (checkm8-vulnerable A7 through A11 chips, i.e. iPhone 5s through iPhone X), we boot checkra1n and perform a full filesystem dump, always after the backup has been taken, because booting a jailbreak changes the device state. This unlocks SQLite WAL journals, deleted SMS records, KnowledgeC analytics, the Powerlog database, and the per-app sandboxes: everything an implant might have touched. For A12 and later, we lean on Elcomsoft iOS Forensic Toolkit's agent-based extraction or, when authorised, a logical+sysdiagnose hybrid pull.

    Remediation is where most consumer guides fail. Wiping the phone and then pulling the old iCloud backup straight back down re-imports whatever the attacker left in that backup (accounts, settings and app data), and an attacker who still holds the Apple ID simply re-deploys. We instead reset the Apple ID password from a clean device, revoke all trusted phones, rotate every app-specific password, force-sign-out every web session, and only then perform a DFU restore using a freshly downloaded IPSW whose SHA-256 we check against a known-good hash; the restore itself only proceeds if Apple's signing server approves that build for the device. The phone is then set up as new, not from backup. The result is a phone that is verifiably running a clean Apple build and an account that the attacker can no longer reach.

    tools/recover-hacked-iphone_methodology.sh
    # Step 1 — encrypted backup for MVT: turn backup encryption on first, then
    # decrypt the result with the same password (MVT reads the decrypted copy).
    # idevicebackup2 writes the backup under ./case-001/<UDID>/.
    $ idevicebackup2 encryption on "$BACKUP_PASSWORD"
    $ idevicebackup2 backup --full ./case-001/
    $ mvt-ios decrypt-backup -p "$BACKUP_PASSWORD" -d ./case-001-decrypted ./case-001/<UDID>/
    
    # Step 2 — IOC scan against the Amnesty Pegasus and Predator indicators
    $ mvt-ios check-backup --iocs pegasus.stix2 --iocs predator.stix2 --output ./case-001-report ./case-001-decrypted
    
    # Step 3 — filesystem dump on checkm8 hardware (A7–A11), only after the backup:
    # booting the jailbreak modifies device state
    $ checkra1n -c && ./mhf-ios-dump --device usb0 --out fs.img
    
    # Step 4 — check the IPSW download against a known-good SHA-256, then erase-restore.
    # The hash verifies the download; Apple's signing server (TSS) is what gates the restore.
    $ shasum -a 256 iPhone15,2_18.1_22B83_Restore.ipsw | grep -q "$EXPECTED_SHA256" || exit 1
    $ idevicerestore --erase iPhone15,2_18.1_22B83_Restore.ipsw
    // fig.2 — operator workstation during iPhone recovery

    Spyware Families We Routinely Identify on iOS

    Not every infection is Pegasus, and treating consumer stalkerware like a nation-state implant wastes time and money. We classify what we find against a tiered taxonomy so the remediation matches the threat.

    Tier 1 — nation-state. Pegasus, Predator, and QuaDream's Reign (tracked by Microsoft as KingsPawn). These are zero-click, arrive through iMessage or HomeKit exploit chains, and generally do not persist across a reboot, which is why the logs matter more than the live device. They leave forensic traces in shutdown.log, com.apple.WebKit.Networking, and certain BackupAgent2 entries. Detection requires MVT plus manual review of the locationd cache.
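    The two artefacts named in the triage phase above and in the Tier 1 traces here, shutdown.log and DataUsage.sqlite, are simple enough to scan by hand. The block below is an added example and is not the page's tooling or MVT's code: it parses the "remaining client pid: N (path)" lines that shutdown.log records for processes still alive at shutdown, and a DataUsage.sqlite extract whose columns are a minimal reconstruction of the join MVT's datausage module performs (ZPROCESS and ZLIVEUSAGE). The IOC names, the suspicious path prefixes, the cellular-upload threshold and all sample data are constructed for the demo; in practice the names come from a STIX2 indicator file.

```python
"""Scan shutdown.log and DataUsage.sqlite for implant traces.

Added example (not the page's or MVT's code). The shutdown.log line format
and the DataUsage.sqlite columns are minimal reconstructions of what MVT's
shutdownlog and datausage modules read; the IOC set, path prefixes and all
sample data below are constructed for this demo, not the Amnesty lists.
"""
import re
import sqlite3

# Constructed IOC set: in practice these names come from a STIX2 file
IOC_PROCESS_NAMES = {"example-implantd", "evilhelperd"}
# Assumption for the demo: binaries launched from these directories deserve a look
IOC_PATH_PREFIXES = ("/private/var/db/com.apple.xpc.roleaccountd.staging/", "/private/var/tmp/")

# e.g. "remaining client pid: 162 (/usr/libexec/timed)"
PID_LINE = re.compile(r"remaining client pid: (?P<pid>\d+) \((?P<path>[^)]+)\)")


def scan_shutdown_log(text):
    """Return processes still alive at shutdown that match the IOC set."""
    findings, seen = [], set()
    for m in PID_LINE.finditer(text):
        pid, path = int(m.group("pid")), m.group("path")
        name = path.rsplit("/", 1)[-1]
        if name in IOC_PROCESS_NAMES:
            reason = "process name matches IOC"
        elif path.startswith(IOC_PATH_PREFIXES):
            reason = "process launched from suspicious path"
        else:
            continue
        if (pid, path) not in seen:   # the same pid repeats on "After Ns, ..." lines
            seen.add((pid, path))
            findings.append({"source": "shutdown.log", "pid": pid, "process": name,
                             "path": path, "reason": reason})
    return findings


# Reconstruction of the join MVT's datausage module performs
DATAUSAGE_QUERY = """
SELECT p.ZPROCNAME, p.ZBUNDLENAME,
       COALESCE(SUM(u.ZWWANOUT), 0), COALESCE(SUM(u.ZWIFIOUT), 0)
FROM ZLIVEUSAGE u LEFT JOIN ZPROCESS p ON u.ZHASPROCESS = p.Z_PK
GROUP BY p.Z_PK
"""


def scan_datausage(conn, wwan_out_threshold=50_000_000):
    """Flag IOC process names and unbundled processes with heavy cellular upload.

    Many legitimate daemons have no bundle name, so the second rule raises a
    baseline question, not a verdict: compare against a known-clean device.
    """
    findings = []
    for proc, bundle, wwan_out, wifi_out in conn.execute(DATAUSAGE_QUERY):
        if proc in IOC_PROCESS_NAMES:
            reason = "process name matches IOC"
        elif not bundle and wwan_out > wwan_out_threshold:
            reason = f"unbundled process sent {wwan_out} bytes over cellular"
        else:
            continue
        findings.append({"source": "DataUsage.sqlite", "process": proc, "bundle": bundle,
                         "wwan_out": wwan_out, "wifi_out": wifi_out, "reason": reason})
    return findings


def build_sample_datausage():
    """Constructed in-memory DataUsage.sqlite with just the columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT,
                               ZBUNDLENAME TEXT, ZFIRSTTIMESTAMP REAL);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
                                 ZWWANIN INTEGER, ZWWANOUT INTEGER,
                                 ZWIFIIN INTEGER, ZWIFIOUT INTEGER, ZTIMESTAMP REAL);
    """)
    conn.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?)", [
        (1, "mobileassetd", None, 7.0e8),                  # system daemon, low upload
        (2, "Telegram", "ph.telegra.Telegraph", 7.0e8),    # bundled app, heavy but expected
        (3, "evilhelperd", None, 7.3e8),                   # unbundled, heavy cellular upload
        (4, "example-implantd", None, 7.3e8),              # quiet, but name is an IOC
    ])
    conn.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?,?,?)", [
        (1, 1, 2_000_000, 40_000, 30_000_000, 500_000, 7.3e8),
        (2, 2, 50_000_000, 90_000_000, 10_000_000, 5_000_000, 7.3e8),
        (3, 3, 300_000, 80_000_000, 0, 0, 7.3e8),
        (4, 3, 200_000, 45_000_000, 0, 0, 7.3e8),
        (5, 4, 10_000, 900_000, 0, 0, 7.3e8),
    ])
    return conn


# Constructed shutdown.log excerpt in the format the real file uses
SAMPLE_SHUTDOWN_LOG = """\
SIGTERM: [0x1afe] clients still running:
remaining client pid: 162 (/usr/libexec/timed)
remaining client pid: 1441 (/private/var/db/com.apple.xpc.roleaccountd.staging/example-implantd)
After 2s, remaining client pid: 1441 (/private/var/db/com.apple.xpc.roleaccountd.staging/example-implantd)
"""

if __name__ == "__main__":
    for f in scan_shutdown_log(SAMPLE_SHUTDOWN_LOG) + scan_datausage(build_sample_datausage()):
        print(f["source"], f["process"], "->", f["reason"])
```

    On a real backup, shutdown.log lives under the sysdiagnose or full-filesystem tree and DataUsage.sqlite is in the WirelessDomain of the backup; point the two functions at those files and keep the threshold relative to the owner's own usage.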

    Tier 2 — commercial stalkerware. mSpy, FlexiSPY, Cocospy, Hoverwatch. Almost always installed by someone with physical access who knows your passcode (a spouse, parent, employer). On iOS they need either a jailbroken device or the victim's iCloud credentials; the 'no-jailbreak' products simply pull iCloud backups from Apple's servers and never touch the phone. Removal is straightforward once detected; the harder problem is the human relationship behind it.

    Tier 3 — phishing and account takeover. No malware on the device at all — the attacker simply has your Apple ID. Symptoms look identical to spyware (unknown logins, missing photos, read iMessages) but the fix is account-side: rotate credentials, enable hardware security keys, audit trusted phone numbers.

    Hands-On Tutorial: First-Hour Triage You Can Run Yourself

    If you are reading this in the middle of a suspected compromise and cannot wait for an analyst, run this checklist in order. The manual steps alone will not catch Pegasus-class implants; the MVT run at the end of this section is what gives you a chance at those. Together they catch 90% of consumer stalkerware and account takeovers, and they preserve evidence for a professional handover.

    Do not factory-reset yet. A reset destroys the very logs an analyst needs to confirm or deny compromise. Walk through every step below first; the reset comes last.

    • Put the device in airplane mode, then turn Wi-Fi and Bluetooth off separately (airplane mode can leave both on if they were already on)
    • Plug into a trusted Mac or PC and take an encrypted iTunes/Finder backup — set a backup password you'll remember
    • Settings → General → VPN & Device Management → screenshot every profile, then remove anything you don't recognise; a profile that refuses removal or asks for a removal passcode is managed, so note it for the analyst
    • Settings → General → Background App Refresh → note which apps have it on, then disable it globally; an app that keeps consuming data with refresh off deserves a closer look
    • Settings → Privacy & Security → Analytics & Improvements → Analytics Data → look for clusters of 'JetsamEvent-*' or 'panic-full-*' files on dates and at hours you weren't using the phone (isolated jetsam events are normal memory-pressure kills)
    • appleid.apple.com → revoke any Mac/iPad/Apple Watch you don't physically possess, then change the password from a different device
    • Enable hardware security keys (FIDO2) on the Apple ID once the password is rotated
    • Send the encrypted backup to a forensic team for MVT analysis before doing the DFU restore
    tools/recover-hacked-iphone_diy-tutorial.sh
    # Run MVT yourself on macOS / Linux (Python 3.10+)
    $ pip install mvt
    # --iocs takes a local file, so fetch the Amnesty Pegasus indicators first
    $ curl -LO https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2
    $ mvt-ios decrypt-backup -p "YOUR-BACKUP-PASSWORD" -d ./decrypted ./Backup/
    $ mvt-ios check-backup --output ./report --iocs ./pegasus.stix2 ./decrypted
    
    # Review the report — MVT writes a <module>_detected.json for every module that matched
    # an indicator; any such file (or a WARNING line in the console output) warrants escalation
    $ ls ./report/*_detected.json 2>/dev/null && echo "IOC matches found, escalate"
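    The Analytics Data step in the checklist above asks you to spot crash files that cluster at times you were not using the phone. The block below is an added example (not the page's tooling or MVT code) that does that grouping from the file names alone, JetsamEvent-YYYY-MM-DD-HHMMSS.ips and panic-full-YYYY-MM-DD-HHMMSS.NNNN.ips, which is exactly what the Settings screen lists. The idle window (01:00 to 05:59), the per-day threshold and the sample file names are this example's assumptions.

```python
"""Cluster iOS Analytics crash files by day to spot crashes while the phone was idle.

Added example, not the page's or MVT's code. Works from the file names only
(JetsamEvent-YYYY-MM-DD-HHMMSS.ips, panic-full-YYYY-MM-DD-HHMMSS.NNNN.ips);
the idle window and threshold are assumptions.
"""
import re
from collections import defaultdict

IPS_NAME = re.compile(
    r"^(?P<kind>JetsamEvent|panic-full)-(?P<day>\d{4}-\d{2}-\d{2})-(?P<hhmmss>\d{6})")


def parse_ips_name(name):
    """Return (kind, day, hour) for a jetsam/panic file name, else None."""
    m = IPS_NAME.match(name)
    if not m:
        return None
    return m.group("kind"), m.group("day"), int(m.group("hhmmss")[:2])


def suspicious_days(filenames, idle_hours=range(1, 6), min_events=2):
    """Days with at least min_events crashes inside the idle window.

    Returns [(day, count, sorted kinds)]. Jetsam kills happen on every phone
    under memory pressure; the signal the checklist asks for is repetition
    while the owner was not touching the device.
    """
    per_day = defaultdict(list)
    for name in filenames:
        parsed = parse_ips_name(name)
        if parsed is None:
            continue
        kind, day, hour = parsed
        if hour in idle_hours:
            per_day[day].append(kind)
    return [(day, len(kinds), sorted(set(kinds)))
            for day, kinds in sorted(per_day.items()) if len(kinds) >= min_events]


# Constructed sample listing, modelled on what Analytics Data shows
SAMPLE_FILES = [
    "JetsamEvent-2024-03-01-213000.ips",           # evening, phone in use
    "JetsamEvent-2024-03-02-031500.ips",           # 03:15, phone on the nightstand
    "panic-full-2024-03-02-031700.0000.ips",
    "JetsamEvent-2024-03-02-032200.ips",
    "panic-full-2024-03-04-140200.0001.ips",       # daytime, outside the idle window
    "JetsamEvent-2024-03-05-040100.ips",           # one idle event: below threshold
    "log-aggregated-2024-03-02-000000.ips",        # other analytics file, ignored
    "Analytics-2024-03-02-000000.core_analytics",  # ignored
]

if __name__ == "__main__":
    for day, count, kinds in suspicious_days(SAMPLE_FILES):
        print(day, count, "idle-window crashes:", ", ".join(kinds))
```

    Feed it the names copied from the Analytics Data screen (or the files under a backup's or sysdiagnose's DiagnosticReports directory) and hand the flagged days to whoever runs the MVT pass, since a timestamp is what lets them correlate against shutdown.log and DataUsage.sqlite.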

    After the Recovery: Hardening Against Re-Infection

    A clean device is a perishable asset. Without behavioural changes, roughly one in five of our recovery clients re-infects within 90 days, almost always through the same vector that compromised them the first time. The hardening playbook below is what we deliver alongside every iPhone recovery report.

    Enable Lockdown Mode on iOS 16 and later. It blocks most message attachment types, disables link previews, turns off just-in-time JavaScript compilation in Safari, removes Shared Albums, and refuses incoming invitations and FaceTime calls from people you have never contacted: the surfaces that have historically been the entry point for zero-click chains. The trade-off in convenience is real but small, and for anyone who has already been targeted once, it is non-negotiable.

    Move every account that supports it to passkeys or hardware FIDO2 keys (YubiKey 5C NFC, Google Titan). Apple ID takeovers routinely run through the SMS fallback to a trusted phone number, because SIM-swap attacks are cheap and effective, and through phished six-digit verification codes. Apple has supported security keys for Apple ID since iOS 16.3; you must enrol at least two, and once they are on, the code-based fallbacks go away. A hardware key cannot be phished and cannot be cloned by a stalker who knows your iCloud password.

    Audit your iCloud sharing weekly for 30 days post-recovery. Pay particular attention to Shared Albums, Family Sharing, Find My friends, and Calendar subscriptions — these survive a DFU restore because they live on Apple's servers, not the device. We script this in the deliverable so you receive an email if anything new is added.


    Frequently Asked Questions

    Triage typically begins within 4–8 hours of engagement. Full forensic acquisition and a written report are usually delivered within 48–72 hours, depending on hardware generation and whether checkm8 is in scope.
    Almost always yes for the device itself, because Pegasus historically does not persist across reboots. However, if your iCloud account is still compromised the implant can be re-deployed within hours. The account work is the harder half of the job.
    If you still control the linked Apple ID, we can pull and forensically analyse the iCloud backup without the physical device. This is a common path in domestic-abuse and corporate-espionage cases.
    We work exclusively on devices and accounts where there is a clear technical or legal basis for investigation. We require technical verification of ownership or written consent before any forensic acquisition begins.

    Open a secure channel. PGP preferred. Pre-engagement NDA available on request.
    email: info@mobilehackerforhire.com
    pgp.fingerprint: 4096R/A1B2 C3D4 E5F6 7890 1234
    tor: mhfh3xpl0it.onion