The iPhone receives a fair amount of praise for its security features. The Massachusetts Institute of Technology says that the handset’s encryption is so good, that it’s tough for law enforcement agencies to perform forensics.

But this doesn’t mean it’s impenetrable, as hackers continue to find flaws. In fact, another big one was recently discovered in the form of spyware, which can take over the iPhone and give a user remote access to its contents…

Bloomberg has the scoop:

“FinFisher spyware made by U.K.-based Gamma Group can take control of a range of mobile devices, including Apple Inc. (AAPL)’s iPhone and Research in Motion Ltd. (RIM)’s BlackBerry, an analysis of presumed samples of the software shows.

The program can secretly turn on a device’s microphone, track its location and monitor e-mails, text messages and voice calls, according to the findings, being published today by the University of Toronto Munk School of Global Affairs’ Citizen Lab.

People are walking around with tools for surveillance in their pockets,” says John Scott-Railton, a doctoral student at the University of California Los Angeles’ Luskin School of Public Affairs who assisted with the research.”

To be clear, the Gamma Group has been making this kind of spyware for desktop computers for a while now. It’s just that no one was really aware that the powerful tool had gone mobile. And from the sounds of it, the handset doesn’t need to be jailbroken or rooted for the software to work, which means that pretty much anyone can be targeted.

An iPhone can become infected with the FinSpy trojan by being tricked into going to a Web link and downloading the malware, which can be disguised as something other than FinSpy. Gamma says that this process can be as simple as sending someone a link that looks like its from the phone-maker, with a message like “please install update.”

Keep in mind that this dynamic software is only sold to, and used by, government agencies for law enforcement purposes. But it’s still kind of creepy that it exists. And we might have never known about it if it hadn’t been for the research from the aforementioned universities. It was meant to be a secret, which actually makes it all the more creepier.

Microsoft says its anti-malware software in the latest version of Windows Phone blocks the FinSpy trojan, but it sounds like older Windows Mobile handsets are still susceptible. It encourages users to avoid clicking links or downloading software from unknown sources. RIM offers a similar warnings to its users, who are also vulnerable to the spyware.

Both Apple and Google declined to comment.

  • Tjandy

    WOW cool.

  • I was in shock until I read “An iPhone can become infected with the FinSpy trojan by being tricked into going to a Web link and downloading the malware,”

    Microsoft still uses Anti-virus? Jesus. That’s old school. Apple, just send us the security update… just in case, for the most “distracted” people…

    • OS X has built-in anti-virus, and has since Snow Leopard.

      • Shugo Asakura

        What does OSX have to do with the mobile OS’s?

      • Seriously? iOS is a modified version of OS X, therefore it has the same flaws as OS X, the same vulnerabilities, along with the vulnerabilities of phone hardware/software.

      • iOS came from the OSX, thats true. But since they run in different architectures, your statement is invalid. And they use different security levels. That’s why on OSX you can install everything you want and on iOS, only from AppStore (unless you have a JB device).

      • It’s still the same code base, and will have the same base flaws. The architecture is different, yes, hence why it’s “based” off OS X and *isn’t* OS X.

  • If it doesnt used by any hostile group that attend to damage my device I dont mind.
    Some goverments are defently need that flaw to foil threats

  • Well apple will now most likely patch it before the fandroids come and say “look I guess your OS isn’t so secure after all”

    • Keep in mind brother, even if iOS got 1.. or 2 malware it’s still more secure than Android. There’s no OS 100% “bullet proof” but there are the ones who are more secure than others. iOS and MacOSX beat Windows and Android in matter of security. They use the “excuse” that it’s all about Marketshare. But since I remember, iOS used to be on the 1st place and Android in second, and Android already had many malware, even inside their own market.

      Cheers! 🙂

      • It’s OS X, not Mac OS X. They took the Mac out.

      • It’s still Mac OS X for older versions.

      • iOS and OSX is essentially the same operating system. Windows isn’t less secure, it’s just -really- buggy.

    • Nothing is secure. New vulnerabilities are found in OSes, websites, software, etc. almost every day.

  • CollegiateLad

    I won’t be losing any sleep.

  • Great to be a Windows Phone user ;D

    • For the first time I said “not bad” to a Microsoft software (The UI in special) but lost immediately the faith when they said that all “1 year old phones” will not get the WP8 update… that’s not cool at all, specially when there’s a lot great and powerful devices with WP.

      • You’d have to be pretty stupid not to realize that the 1st and 2nd gen. of Windows Phones weren’t going to life for very long. They ran outdated hardware and they were missing key features, that had been on other platforms for ages. I can’t wait to replace my HTC Titan ( premium WP ) with an ATIV S, if something better doesn’t come up from either Nokia or HTC. I really hate the buttons on the ATIV S and for some reason Samsung felt like they had to put their logo everywhere on their phones, but the specs and the materials are pretty neat!

      • No no no.. actually you comment made all sense from wich one are the stupid here. Because first, you think it’s cool being forced to buy one phone each year to stay updated, and second, buying a Samsung. Tipical Samsung/Windows user.. never learn.

      • Cause Apple doesn’t release a new phone every year or anything…

      • And? iPhone 3GS has 3 years old and still have the iOS6 update. Without all the features, yes, sure.. he can’t handle most of them (others he can) but for sure Apps that update for the new iOS API’s will work fine on the the iPhone 3GS, wich makes people still using most of the updated apps and get a extra features too.

        Never forget, Apps still have “operative system requirements” most of them because of the new API’s and Frameworks released on most of the iOS updates.

        And if you check the list, iOS6 for the iPhone 3GS still got a pretty decent features list. 3 Years old model.

      • You said “being forced to buy one phone each year to stay updated” as if Apple doesn’t make new phones every year that the previous year models don’t have, i.e. staying “updated.” Every phone company does it, not just the Windows Phone 8 phones. You even stated that the 3GS doesn’t have all the features in iOS 6, as neither will the 4, and mostly likely the 4S (if Apple surprises us with something new in the Keynote, like when Siri was announced). It’s a business model to keep revenue up: offer new features your other products won’t have so people buy it.

      • Read again what I’ve said, in special the API and Framework part. Being forced is like “I cant install this App because the system requires the latest OS version, wich I can’t install because they didn’t a update for my device”.

        Hardware requirements is not the same as Operative System requirements. that’s why on every OS update, all apps should update for the latest API’s and Framework versions. If they didn’t a “OS upgrade” to older devices, could be VERY HARD for them to run those apps. That’s one of the main reasons why Android world is a big mess… too much versions, too much (hardware) variatons…no one knows whats apps run on their devices.. and other get angry because they have the latest OS and latest hardware and can run some apps…

        Last time I check, Samsung Galaxy S3 owners got mad because they didn’t have available the Google (Siri competitor) on their devices. And Google announced that iPhone 3GS, 4, and 4S will get it… you can find that info easily on their own Youtube video.

      • The Galaxy S3 has S-Voice, and the 3GS and 4 have nothing like Siri at all. I’ve rooted my phone and put Google Now on it with no problems, but you still can’t get full Siri on a jailbroken 4 or 3GS.
        And there are a TON of apps that can’t be used on the “3rd” Gen 8GB iPod Touch (the one that was updated but not really). You can use the devices still, but you can’t use all the apps on it. All devices have to stop being supported sometimes, but claiming that Apple doesn’t stagger what devices get what each year is a flat-out lie.

      • Wtf man.. Galaxy S3 is one of the latest Samsung Galaxy S series…its newer than the iPhone 4S… how can you compare it to the 3 years old iPhone 3GS?

        Do you have the S-Voice on Samsung Galaxy S1?!!

        And BTW, if you JB your iPhone, you can get SIRI too.. so lets not even take this conversation to the rooted and jailbroken devices. Everything you just said now doesn’t make any sense at all..

      • You said “Last time I check, Samsung Galaxy S3 owners got mad because they didn’t
        have available the Google (Siri competitor) on their devices.” So you brought up the S3 first, don’t freak on me when you said it first.

        And you can get Siri on a jailbroken phone, but not fully, and it’s half functioning at best. And you can put Google Now on the S1, fully functioning.

      • Liu Zhenyu

        You have never tried spire and spite(siri ports for pre-4s) they are the same as siri, exactly

      • Yes I have, and really they were buggy as hell and barely worked.

      • Liu Zhenyu

        Assistant connect is flawless , at least for me, go check jeffs video

      • Once again, you’re totally missing the point.

      • So you bring up the S3, then freak out on me for talking about it, then say I’m missing the point? I think you’re missing the point. You brought it up, I talked about it because you brought it, and then get freaked out on? Yeah….

        And Android is a mess for Google because they allow the individual carriers to mod it (HTC Sense, Samsung TouchWiz), and when Samsung comes out with S-Voice, it makes it harder. Yes, it is a mess because of that.

        And Jelly Bean works great, is super smooth, it doesn’t suck. It took 4 versions, yes, but all software takes time to get working smoothly.

      • If you look at the current rate of mobile hardware development, then you’d find out that improvements are drastically made every year. Try using an iPhone 3GS and then an iPhone 4. The specs are crazy different. No one expects Microsoft to keep pulling this stunt in the future. It’s obvious that Windows Phone up ’till now have been in some sort of test zone. Microsoft obviously weren’t going to spend a lot of time and resources on something they’d end up losing millions on. Of course not. It’s the same with the first iPod. Apple learned with the Macintosh, that it was better to have something understocked, than overstocked.

  • And this is the very reason why I have been saying that allowing the President to carry a Blackberry poses a severe security risk. I can’t believe the Secret Service allowed that to happen.

    • Imahottguy

      I really hope that was a joke. It was right? Do you think that the president’s BB is not going to have some special software on it to ensure that it is secure? Just sayin’

  • FrankensteinBlack

    Another reason why stock iOS is so LAME! And issues of security will continue to grow. So don’t rely on Apple for security. Jailbreak your shit and add FIREWALL-IP and PMP! Sayin…

    • have you not been keeping track on android and their malware?

      • FrankensteinBlack

        Why don’t Apple and Google load virus and firewall software as part of the basic OS requirement? Ask yourself that? If you JB and load Firewall-IP on iOS or root and load Droidwall or Avast on Android. you’ll know why!

  • Bzzt, sorry, no. An iPhone cannot become infected unless it’s been jail-broken. There is no mechanism for installing a .app like this without already being compromised.

    And if you *read* the article, you’ll see they never claim it’s possible for iOS – just for “mobile devices”.

    • It could jailbreak it, the same way JailbreakMe jail broke devices back then. Not the same flaw, but the same ideology.

  • Wouldnt changing the root password of your iphone hinder a virus’s ability to “hack” into your iPhone?

  • I only ask because i’ve seen the App store pull bogus apps off the app store and if I was to create a virus, knowing full well that every non-jailbroken iPhone has the same internal root password (alpine) then imbed that virus in a bogus app in the app store and well, you get were the story goes from there…. So wouldnt changing that root password hinder that malware is some way?

  • air naji

    Some of you guys are straight up geniuses .. Thanks for all the interesting facts/opinions.

  • Cyberjays

    Such bull… How do you download a Trojan from a website when safari doesn’t have download capability?
    FAIL.

    • Obviously the creators found a way to bypass that…