The first warnings about the Trojan were posted on Saturday on the iPhone modification forum ModMyiFone.com, said security vendor F-Secure. When installed, the Trojan appeared to do nothing more than display the word "shoes", according to the ModMyiFone post.
However, when a user attempted to uninstall the malicious code, the application wiped files from the /bin directory, breaking "Erica's Utilities" such as sendfile. Erica's Utilities are a collection of command-line utilities for the iPhone, according to security vendor Symantec, which warned on Monday that the Trojan also overwrites OpenSSH, an open-source encryption protocol.
The Trojan, known as "iPhone firmware 1.1.3 prep", or "113 prep", is the first to be seen in the wild, according to Symantec researcher Orla Cox.
"This is technically the first Trojan horse seen for the iPhone; however, it does appear to be more of a prank than an actual threat," Cox wrote in a blog post. "The impact of uninstalling the 'Trojan' would appear to be an unintended side effect."
Affected users need to uninstall the Trojan and reinstall affected files, according to Symantec. The risk to users is minimal as they would have to choose to install the bogus package and the site which was hosting it has now been taken offline, wrote Cox.
Both Symantec and F-Secure warned that users should be cautious when installing third-party iPhone applications. Apple warned in September last year that its own updates could break unlocked iPhones running unofficial iPhone software.