This seems interesting. Is it possible? Definitely possible as long as there are mercenaries performing offensive security work and governments financing those activities. Feasible? It depends on whether you are working on something that might impact or benefit a powerful adversary. In 99 out of 100 cases, it would be a nation-state threat actor performing such an attack. It might not be their tools or personnel, but it will definitely be for their own motivations.
The way it works is that your phone sets up a small private network and acts as the gateway for his connections. This means you technically have more opportunities to perform an adversary-in-the-middle attack where you could manipulate his connections. However, you also open up your phone and some services to his device. While it’s possible, he would need some sort of delivery method on his device as well. So, if something like this occurred, you would be dealing with a very skilled adversary.
As Sergey says, zero days are very expensive and, unfortunately, rare for the public. There is definitely a lot of business going around selling these exploits, so you should be really objective about your identity, your activities and whether there is some benefit to bringing out the big guns and bucks to compromise you.
But you should also define what you constitute as strange behavior (how are the applications not loading? Do they appear blank, shut down, make your phone freeze?), because you are mentioning it on your phone and your watch. Funnily enough, I met a well-known forensic expert a while ago who mentioned to me that they (law enforcement) already have methods to extract data from Apple Watches with just access to the iPhone for forensic investigations. I have not done a deep dive into this, but if you are able to perform forensics this way, then it is safe to say that ‘hopping’ devices is also possible.
Normally, I would say do not touch your device and see a forensic expert who specializes in mobile devices ASAP, but that might not be easy to find in your case, nor would you perhaps be willing to pay a hefty amount for a deep dive that might not have been needed.
So I can also recommend you do the following:
• Disconnect any shared networks (WiFi/Ethernet) where the devices could potentially connect to other devices.
• Persistence is key in most attacks and actually way harder to pull off on iOS; as mentioned, you have already rebooted your device. You could potentially have wiped some valuable evidence because of this; for instance, information about how the attack occurred could have been stored there. But if the attacker has already established persistence, this won’t matter, as the malicious code will probably appear in memory again.
• Attackers have used the Shortcuts app on iOS in the past; this could be used to configure certain triggers to run a malicious executable again to help an attacker connect to your device. If you use the app, try to see whether unknown automations have appeared in the Shortcuts app.
• Also, I think you mentioned somewhere that you were in IT. What you could potentially do is set up your own DNS server and configure it as the DNS server for the iPhone. This way, you can also see what connections your devices make and identify any anomalies in the connections, assuming they connect to a C2 (Command & Control) server via HTTP/DNS.
The good news is, you do not have Android, where it is much easier to trick you into giving more privileges to attackers.
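Following up on the DNS-logging suggestion in the reply above, here is an added example (my own code, not the poster's): it parses constructed resolver log lines (a dnsmasq-style query line format is assumed; the phone IP, allowlist and domains are hypothetical) and flags domains outside the owner's baseline, TXT-heavy lookups and random-looking subdomain labels, which are the kinds of anomalies the reply says to look for.

```python
# Added example, not from the thread: flag unusual lookups in a resolver log.
# Log lines are constructed and only loosely mimic dnsmasq's query lines.
import math
import re
from collections import Counter, defaultdict
# Hypothetical phone at 10.0.0.23; last three lines imitate a DNS-tunnel pattern.
SAMPLE_LOG = """\
Jan 10 08:01:02 dnsmasq[412]: query[A] gateway.icloud.com from 10.0.0.23
Jan 10 08:01:05 dnsmasq[412]: query[A] api.apple-cloudkit.com from 10.0.0.23
Jan 10 08:09:00 dnsmasq[412]: query[A] www.wikipedia.org from 10.0.0.23
Jan 10 08:15:40 dnsmasq[412]: query[A] e4k2q9x7.example.net from 10.0.0.23
Jan 10 08:15:41 dnsmasq[412]: query[TXT] zx9q1k7p3m.example.net from 10.0.0.23
Jan 10 08:15:42 dnsmasq[412]: query[TXT] 7hq2p9zk4x.example.net from 10.0.0.23
"""
LINE_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from ")
# Domains the owner recognises (hypothetical allowlist); anything else is "new".
BASELINE = {"icloud.com", "apple-cloudkit.com", "wikipedia.org"}

def shannon_entropy(label):
    """Bits per character of a DNS label; random-looking labels score high."""
    counts, n = Counter(label), len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    """Crude last-two-labels heuristic; a real tool would use the public suffix list."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def analyse(log_text, baseline=BASELINE):
    """Map each non-baseline domain to the reasons it stands out."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "max_entropy": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or registered_domain(m["name"]) in baseline:
            continue
        rec = stats[registered_domain(m["name"])]
        rec["queries"] += 1
        rec["txt"] += int(m["qtype"] == "TXT")
        rec["max_entropy"] = max(rec["max_entropy"], shannon_entropy(m["name"].split(".")[0]))
    findings = {}
    for dom, rec in stats.items():
        reasons = [f"{rec['queries']} queries to a domain not seen before"]
        if rec["txt"]:
            reasons.append(f"{rec['txt']} TXT lookups (often used to carry data)")
        if rec["max_entropy"] > 3.0:
            reasons.append("high-entropy subdomain labels")
        findings[dom] = reasons
    return findings

if __name__ == "__main__":
    for dom, reasons in analyse(SAMPLE_LOG).items():
        print(dom, "->", "; ".join(reasons))
```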