Derek Brown and Daniel Tijerina of TippingPoint's Digital Vaccine Group built a malicious Weather.app for the iPhone that deliverers information about users including their GPS locations and phone activities back to a controller. Their test was only leveraged against jail broken iPhones, they did not try to pass the application into the iTunes AppStore. Due to the use of rigorous testing, digital signature process and Apple rejecting apps that "phone-home" or rely on private API's they felt it would be rejected. Their Malicious Weather.app did spread on underground sites that cater to jail broken iPhones.
This event supports Apple's recent decisions to block jail broken phones from the store, remove software which weakens the security of the iPhone and the institution of a rigorous validation and verification process of Apps before they are approved. However as was first discussed in a posting from Febuary it is only a matter of time before someone is able to upload an App to the iPhone store that Apple approves which will operate as malware or carry out malware type operations. This is not a matter of if but when, thus users should make sure to protect their devices with anti-virus Apps and backup their iPhone data. More importantly there is no reason to operate a jail broken iPhone. Organizations should make sure that their usage policies include that not device is jail broken and used for the organization's activities. Policy makers should get ahead of this ticking mobile time bomb.