The trojan, which Mac anti-malware company Intego is calling iBotnet.A, scans addresses on the local network, along with predefined blocks owned by ISPs in the Netherlands, Portugal, Hungary, and Australia.
When the trojan finds an address occupied by a suitable target, it copies itself to the iPhone, and changes the root password for the device from 'alpine' (a default password) to 'ohshit'.
The trojan then connects to a Lithuanian server and downloads new files, effectively turning it into a dropper application. It also harvests network information about the iPhone and SMSs and sends it to the remote server, Intego said.
Each iPhone also gets given a unique identifier, which enables the trojan owners to reconnect to any iPhone storing valuable information, but which also acts as a quality control mechanism to avoid non-infected iPhones from connecting to the server.
The trojan malware authors have also specifically targeted a Dutch bank, by changing an entry in the iPhone's hosts file for the bank's website, to direct users to a bogus site so that login credentials can be harvested.
This iPhone trojan, like two other pieces of malware that appeared earlier this month, targets jailbroken iPhones with SSH installed.
Previously, malware had surfaced that merely changed the iPhone's wallpaper as a proof of concept. Then, another tool emerged that scanned wireless networks for vulnerable iPhones and harvested their data. This is the first piece of malware that spreads from phone to phone, and exploits the vulnerability to drop malicious executable code.