Difference between revisions of "Malware for iOS"

From The iPhone Wiki
This is an '''incomplete draft''' list of known malware (including spyware, adware, trojans, viruses, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool.

The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].

''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.''
== Tools found in the wild ==

=== iKee and Duh (November 2009) ===

The [[Ikee-virus]] is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.

Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."

=== "Find and Call" (July 2012) ===

Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity].

=== FinSpy Mobile (August 2012) ===

FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].

=== AdThief/Spad (March and August 2014) ===

AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.

=== Unflod (April 2014) ===

[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, they are sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014.

=== Hacking Team tools (June 2014 and July 2015) ===

[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.

=== AppBuyer (September 2014) ===

AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is described as "malware [that] will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.

=== WireLurker and Masque Attack (November 2014) ===

As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."

Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."

=== Xsser mRAT (December 2014) ===

Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."

=== XAgent (February 2015) ===

XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].

=== Lock Saver Free (July 2015) ===

Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].

=== KeyRaider (August 2015) ===

KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device."
== Tools developed as part of research ==

=== iSAM (June 2011) ===

iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.

=== Instastock (November 2011) ===

Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.

=== Mactans (July 2013) ===

At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.
== Tools for sale to the public ==

=== Copy9 ===

[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. Its description says it "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field."

=== iKeyGuard Key Logger ===

[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."

=== InnovaSPY ===

[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool.

=== mSpy ===

[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."

=== OwnSpy ===

[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required."

=== Spy App ===

[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."

=== SpyKey ===

[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring."

[[Category:Malware research]]

Revision as of 11:27, 1 September 2015
