
iPhoneOS/Toires.A!tr.spy - Released Dec 15, 2009 - Last Updated Dec 16, 2009

Detection Availability

                 Active Database    Extended Database
FortiGate        low                high
FortiClient
FortiMail        N/A

Visible Symptoms

An application named SpyPhone is installed on the phone. The main screen of the application is shown in Figure 1.



Figure 1. Splash screen of the Proof of Concept malware

Detailed Analysis

This malware has the ability to affect all iPhones (jailbroken or not).
It is a Proof of Concept, which shows it is possible to retrieve personal data on an iPhone using standard APIs in the iPhone's SDK.



Technical Details


The malware is able to retrieve:
  • information about the e-mail accounts configured on the iPhone (username, POP host, SMTP server...)
  • the device's Wi-Fi or GPS location
  • the phone's own number, the last contact called, the last number dialed, the IMSI...
  • recent searches made in the Safari browser
  • recent video searches made in YouTube
  • photos stored on the device, including the location where each photo was taken
  • the iPhone's address book
  • the iPhone's keyboard cache

As it is a Proof of Concept, the malware only displays the information; it neither sends nor uses it.
If this malware were to be signed and uploaded to the App Store, it could potentially affect any iPhone user (no jailbreak required). However, so far the malware has not been released in the wild and is unlikely to end up on the App Store.

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1177482