The malware, called iBotnet.A, attempts to steal online banking credentials and is capable of spreading across a network and hijacking the iPhone and iPod Touch for use in a botnet, according to Mac security vendor Intego, which issued a security memo on Monday.
As with a separate iPhone worm identified in early November, users can be infected with the new malware only if they jailbreak their iPhone -- meaning they unlock the device to allow for the installation of unauthorized software -- and have SSH installed but have not changed the default password.
“Now we are seeing something that is truly malicious,” Peter James, an Intego spokesman, told SCMagazineUS.com on Monday.
The malware can change each infected device's root password and then give it a unique identifier so attackers can reconnect to the phone, according to Intego. The device connects to a web-based command-and-control server in Lithuania, where it can download new instructions and send data stolen from the infected iPhone back to hackers.
In addition, if a victim attempts to visit the Dutch site for the online banking service ING, the malware redirects the user to a fake login screen that is used to harvest usernames and passwords, James said.
The worm propagates by searching its local network for other devices to infect, he said. In addition, it scans about a dozen IP address ranges of internet service providers in the Netherlands, Portugal, Hungary and Australia for other jailbroken iPhones using those IP addresses, to which it can copy itself.
The worm is not currently widespread and, for the most part, the infections have been limited to the Netherlands, Mikko Hyppönen, chief research officer at anti-virus vendor F-Secure, told SCMagazineUS.com on Monday.
Researchers said it is unlikely that there are any infections in the United States at this time, but the worm could potentially spread to other regions of the world if the botmasters update the malware, or if an individual with an infected device were to travel to another country.
An Apple spokesperson did not respond to a request for comment on Monday.