Malware for iOS

This is an early, incomplete draft list of known malware (including spyware, adware, trojans, viruses, and similar tools) targeting iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool.

''Please help expand this article with more examples and details! To edit it, you can request an account on TheiPhoneWiki if you don't have one.''

= Tools found in the wild =

iKee and Duh (November 2009)
The Ikee-virus is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.

Two weeks later, the similar Duh worm spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."

"Find and Call" (July 2012)
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: Kaspersky SecureList, Ars Technica, Sophos NakedSecurity.

Unflod (April 2014)
Unflod is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014.

Hacking Team tools (June 2014)
Hacking Team is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.

AppBuyer (September 2014)
AppBuyer, as discussed in this article by Palo Alto Networks, is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.

WireLurker and Masque Attack (November 2014)
As discussed at Misuse of enterprise and developer certificates: according to Palo Alto Networks, WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."

Masque Attacks are a related technique, also discussed by Palo Alto Networks: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."

KeyRaider (August 2015)
KeyRaider, as discussed in this article by Palo Alto Networks, is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device."

= Tools developed as part of research =

Instastock (November 2011)
Charlie Miller, a security researcher, submitted an app to the App Store called Instastock to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.