An Android version was also uncovered with even more capabilities. However, the malware isn’t circulating on official app stores. Nor does it exploit any iOS vulnerabilities. Instead, the creators of the malware have been tricking victims into installing the malicious app and then granting all the necessary configurations, including powerful device permissions via Apple's TestFlight or Mobile Device Management profile system.

So… not malware or a Trojan. Just a regular app that people are being tricked into installing, then tricked into setting up MDM…

I thought for sure this was going to be a security flaw. Turns out the security is fine