Attackers, perhaps of Russian origin are infecting the iPhones linked to government, defence and media sectors with dangerous spy malware capable of breaching non-jailbroken devices, researchers say.

The XAgent malware part of attacks unveiled last year against Windows devices has moved to iOS targeting iOS 7 and to much lesser effect iOS 8.

About a quarter of Apple users still run iOS 7.

Trend Micro threat researchers Lambert Sun, Brooks Hong, and Feike Hacquebord said the malware could monitor and siphon media, directories, text messages to remote servers and capture photos and audio on jailbroken devices.

"The XAgent app is fully functional malware," the trio said in a research note.

"The exact methods of installing these malware is unknown; however, we do know that the iOS device doesn't have to be jailbroken ... we have seen one instance wherein a lure involving XAgent simply says 'tap here to install the application'."

That attack relied on Cupertino's ad hoc provisioning used by app developers to enable installation with a link.

Attacks against iOS 7 devices quietly restarted when closed and remained invisible to the user as a background process. It fared far worse on iOS 8 where it had to be manually started on reboot by victims and could not hide.

Researchers said the malware appeared to be carefully maintained and consistently updated

XAgent was tied to a campaign dubbed Operation Pawn Storm targeting anti-Russian actors linked to the Ukraine conflict (pdf) which used typosquatting and phishing to compromise high-profile victims.

The command and control server used in the attacks was in operation at the time of research. ®