Of course, an attacker wouldn't call their application "Spyphone." Rather, they'd integrate such capabilities into an application that purports to be useful, or fun, such as a game - and Trojan horse designed for the smartphone is born.
The trick would be getting such a Trojan past the AppStore application gatekeepers.
That, says Seriot in this presentation [.pdf], isn't as difficult as one might expect. Unlike known viruses, which could be found through signatures, Trojans are more difficult to identify. The spyware or keystroke logging capabilities could be left latent for weeks, or months, until many have downloaded the application. And the data sent back to the attacker could be encrypted. Perhaps the spyware capabilities could be added at a later date, through what appears to be a standard update. How long would it take such a nefarious application to be spotted?
Who knows for sure, but probably long enough to do considerable damage.
I do agree with Seriot that, because AppStore reviewers have to examine so many applications, and it's easy enough to obfuscate spyware capabilities, that something bad is bound to get through one day.
Some may argue that the threat of a Trojan application getting into the AppStore and into user devices is paranoid thinking - I say it's just a matter of time. But this threat is no different than the Trojan threat that has always existed on PCs and smartphones.
Seriot recommends Apple make it so that the end user would be prompted to authorize applications to read or write to the AddressBook and that the keyboard cache be made a service of the operating system. He also suggests a firewall be placed on the iPhone that can vet outgoing traffic. Sounds reasonable to me.
He also contends, until then, that users keep the iPhone on Airplane Mode. I wouldn't go so far as to keep Airplane Mode on, but it's certainly a good idea to be careful what games and applications are downloaded from the AppStore.