It is hard, as on iOS they run every app in a sandbox with only managed APIs to do things with other apps and the system. This is a very nice foundation, especially combining it with the forced use of the store and long support.

So, as an attacker, you can only try to sneak in an app, which tricks you to give it the data or you need to get your hands on an unknown security issue in the API implementation, which would be much better to sale in the black market, then actually using it on your own as governments pay a lot for them

There are two options for viruses and malware on iPhone:

You download a malware infected app, which can trick you in entering your credentials. These do exist sometimes and are not always removed fast enough. So, just don’t download everything you see and put your private stuff in it.

The other option are zero day attacks, which are pretty rare and are luckily handled for a few millions, so they are normally not used for generic malware attacks, but for attacking specific important people.

So, usually you would just be affected by option 1, which requires you being stupid.

But there is another attack vector if you have all your personal stuff on your phone: Someone steals your phone and manages to unlock it by PIN. Then he has full access to everything. So, don’t use an insecure PIN!

Maybe you could also just call the number as the owner probably ordered a new SIM for the same number