The DDSpy malware is capable of uploading SMS messages, call logs, and recorded phone calls.
The iOS app uploads detailed meeting data, including personal notes, to LinkedIn's servers.
Jon Oberheide and Charlie Miller will present their findings later this week at SummerCon.
Malicious versions of Angry Birds, Assassins Creed and other popular apps stole thousands of dollars from unsuspecting victims.
The researchers have already collected more than 1,200 malware samples.
Clueful warns users if other apps on their iPhones are tracking their location, reading their address book, and more.
The researchers say the vulnerability could allow attackers to deliver malicious content to smartphone users.
The FBI says travelers are being targeted through pop-up windows when they connect to the Internet in hotel rooms.