Hack-for-Hire Group Targets Middle East: Android Devices Compromised, iCloud Backups Infiltrated

Security researchers have uncovered a sophisticated hack-for-hire operation targeting journalists, activists, and government officials across the Middle East and North Africa. The campaign used phishing attacks to infiltrate iCloud backups and messaging applications like Signal, and deployed Android spyware to gain full control over victims’ devices.

The emergence of such operations underscores a growing trend where government agencies outsource cyber-espionage activities to private entities. These commercial companies develop and supply spyware and exploits, enabling law enforcement and intelligence agencies to access data on individuals’ smartphones.

Digital rights organization Access Now documented three specific attacks between 2023 and 2025. The victims included two Egyptian journalists and a Lebanese journalist; the Lebanese journalist’s case was also highlighted by digital rights group SMEX. Mobile cybersecurity firm Lookout collaborated in these investigations, revealing that the campaign’s reach extended beyond civil society members. Targets also included individuals within the Bahraini and Egyptian governments, as well as entities in the United Arab Emirates, Saudi Arabia, the United Kingdom, and potentially the United States or alumni of American universities.

Lookout’s analysis suggests that the perpetrators are affiliated with a hack-for-hire vendor linked to BITTER APT, a hacking group suspected by cybersecurity firms to have ties to the Indian government. Justin Albrecht, principal researcher at Lookout, indicated that the company behind these attacks might be an offshoot of the Indian hack-for-hire startup Appin, pointing to a firm named RebSec as a possible suspect. In 2022 and 2023, Reuters conducted extensive investigations into Appin and similar India-based companies, exposing how these entities are allegedly contracted to hack company executives, politicians, military officials, and others.