The article doesn't make it clear, but I'm assuming that if you have to install the package on an iPhone then this particular trojan is only for iPhones that people have hijacked, rather than an application that can get itself onto a normal iPhone that doesn't let you put malware onto it (that being Apple's point about locking down the phone)?

If so, isn't this a point in favour of Apple's policy of not letting iPhone users break their phones by putting unqualified software on them?

Hopefully this will be a bit of a wake up for people who have opened their phones up using a massive security hole (i.e. a TIFF exploit that allows arbitrary code execution) and then proceeded to grab unverified programs without a second thought to what they're actually doing.

One of the big failings of the iPhone currently is that everything runs as root. This is probably one of the reasons it is currently locked down and hopefully when the SDK comes out it will no longer be the case (or at least I would hope Apple wouldn't be stupid enough to leave everything running as root when user installable apps become official!).

Installing unknown software that will run as root onto a UNIX device when that device can also make phone calls is a really, really dumb idea - premium rate phone scam anyone?

It was probably Apple that wrote/released it :-)

More business for Symantec and the likes.

We did. You weren't supposed to tell anyone.

the iHitSquad will arrive in a few moments to correct this.

Hail Steve!

And yet the dumb Iphoney users will always fall for it hook line and sinker !

Can't wait for the better and safer and secure by nature Linux version !

It's a phone, not a multi-user server. Whether you run as root or as whatever, the account still needs permissions to send sms messages, make phone calls, read emails, delete them, etc, etc...

Sandboxing the browser is another matter, but hardly what you're thinking would be a 'smart' idea.

oh and heystoopid (how appropriate), as you're waiting for the 1337 h@xx0r linux alternative i'm guessing you're super extra technically savvy.

So, do you mind sharing *exactly* what would make running Linux on a phone safer as opposed to osx or what-have-you? I'm intrigued, particularly as you're not talking about a specific implementation such as Android or OpenMoko. So i'm guessing you mean exclusively the Linux kernel.

Even just one specific technical difference that impacts security would be great.

Thx, bai!

Its a fake story. Anything that Apple releases is super special awesome and never gets viruses or trojans ever.

and all Apple products are hackproof too.

Finally, an Apple device that someone can be bothered to write malicious code for......

"Can't wait for the better and safer and secure by nature Linux version !"

Er... lemme see... "secure by nature?" *shaking head sadly*

Let me clue you in: No multi-purpose operating system is "secure by nature." Not even OpenBSD. Which is already running on the iPhone underneath all the neat iCandy.

@stizzleswick by your definition and the GPL rules of the game any open source software used in commercial devices then the issuer of said devices must issue said source code to all users with no ifs buts or maybes and that is the law as has been interpreted even in the land of the unfree under the grand drunken drug addicted dear leader who ignores his own rules and laws !

So thus where is this source code issuing forth from god phones home web site that be the question ?

heystoopid please do some research before responding to a better informed commenter than yourself. It is public knowledge that OS X is Unix based on FreeBSD (therefore you're stupid). And the code you so wish to see, you will find at the following location...

http://www.opensource.apple.com/darwinsource/

And I quote:

'If you like open source development, you'll love Mac OS X. This fully-conformant UNIX operating system—built on Mach 3.0 and FreeBSD 5...' (http://developer.apple.com/opensource/index.html)

Well done on calling 'heystoopid'..

Heystoopid: I too would like to see your broad outline as to how Linux will make the i-groan more "secure by nature"..

I have been a long time reader of The Reg and to be honest, the amount of pure drivvle spouted by these supposed Linux gurus has really begun to grind my tits...

It does make me laugh when I read how the iPhone is automatically prefixed as 'much hyped'... as though all other phone makers aren't desperately trying to hype their own products, and would sell their childrens' kidneys to get the kind of publicity the iPhone does.

There's one very good reason that Apple's products get the press; they're usually worth it.

@Nathan: Thank you for pointing out my mistake; of course it's not OpenBSD -- I didn't remember which flavour of BSD it was and grabbed the wrong one instead of looking it up first. My bad.

@heystoopid: "by your definition..." I didn't define anything in my earlier post... and it seems you completely failed to address the one question I had opened up, namely the issue of any OS being "secure by nature."

I should probably mention that I am a long time user of various flavours of Linux, BSD et al and prefer them to other operating systems. But that does not blind me to the fact that they are not, in fact, "secure by nature," nor flawless in any other way.

If I recall in the past some of the reasons for certain iPhone getting bricked is because the firmware upgrade detected that third party software was on the phone.

The name of the package "iPhone firmware 1.1.3 prep" tells me this was an attempt at creating a package that will prepares the phone for the rumored 1.1.3 firmware install. It does seem that the package description was not clear on it purpose and was not tested properly.

To be called a "Trojan" by Symantec I think was done just to ride the publicity coattail created by the iPhone.

As for the source code of packages being release, yes most of the codes for these installs are available.

Can someone decide to release a malicious install for the iPhone? YES

But someone can decide to make there own app for any flavor of BSD, Lunix, etc that might be considered a development package and could result in malicious behavior.

..

I saw an advert for a Mac in a local PCworld, saying that it's the "Hack-resistant, Virus-resistant" solution.. trying to sell it like it's the Holy Grail.

I'm not a PC Fanboi, or an iDrone, but I personally can't stand the iPhone, or this whole iLife attitude of Apple... The iPhone, It looks nasty, is overpriced, over-hyped garbage. iPod - You can get the same devices from other manufacturers cheaper, and with more support.

I look forward to the time where something like Android or something else comes out and pisses over the iPhone. I sincerely hope they do anyway.