Hack-for-hire group caught targeting Android devices and iCloud backups

Security researchers say they have identified a hack-for-hire group targeting journalists, activists, and government officials across the Middle East and North Africa. The hackers used phishing attacks to access targets’ iCloud backups and messaging accounts on Signal, and deployed Android spyware capable of taking over the targets’ devices.

This hacking campaign highlights a growing trend of government agencies outsourcing their hacking operations to private hack-for-hire companies. Some governments already rely on commercial companies that develop spyware and exploits used by police and intelligence agencies to access data on people’s phones.

Researchers from the digital rights organization Access Now documented three instances of attacks over 2023 through 2025 against two Egyptian journalists, and a journalist in Lebanon whose case was also documented by digital rights organization SMEX. 

Mobile cybersecurity company Lookout also investigated these attacks. The three organizations collaborated with each other and published separate reports on Wednesday. 

According to Lookout, the attacks go beyond members of Egyptian and Lebanese civil society, and include targets in the Bahraini and Egyptian governments, as well as targets in the United Arab Emirates, Saudi Arabia, the United Kingdom, and potentially the United States or alumni of American universities. 

Lookout concluded that the hackers behind this espionage campaign work for a hack-for-hire vendor with connections to BITTER APT, a hacking group that cybersecurity companies suspect has ties to the Indian government.

Justin Albrecht, principal researcher at Lookout, told TechCrunch that the company behind the campaign may be an offshoot of the Indian hack-for-hire startup Appin, and noted one such company named RebSec as a possible suspect. In 2022 and 2023, Reuters published extensive investigations into Appin and other similar India-based companies, which exposed how these companies are allegedly hired to hack company executives, politicians, military officials, and others. 

Appin apparently later shut down, but Albrecht noted that the discovery of this new hacking campaign shows that the activity “didn’t disappear and they just moved onto smaller companies.” 

These groups and their customers get “plausible deniability since they run all the operations and infrastructure.” And for their customers, these hack-for-hire groups are likely cheaper than purchasing commercial spyware, said Albrecht. 

Rebsec could not be reached for comment, as the company has deleted its social media accounts and website. 

⁨Mohammed Al-Maskati⁩, an investigator and director at Access Now’s Digital Security Helpline who worked on these cases, said that “these operations have become cheaper and it’s possible to evade responsibility, especially since we won’t know who the end customer is, and the infrastructure won’t reveal the entity behind it.”

While groups like BITTER may not have the most advanced hacking and spy tools, their tactics can still be highly effective. 

In the attacks part of this campaign, the hackers used several different techniques. When targeting iPhone users, the hackers tried to trick targets into giving up their Apple ID credentials in order to then hack into their iCloud backups, which effectively would have given them access to the full content of the targets’ iPhones. 

This is “potentially a cheaper alternative to the use of more sophisticated and expensive iOS spyware,” according to Access Now.

When targeting Android users, the hackers used a spyware called ProSpy, masquerading as popular messaging and communications apps like Signal, WhatsApp, and Zoom, as well as ToTok and Botim, two apps that are popular in the Middle East. 

In some cases, the hackers tried to trick victims into registering and adding a new device — controlled by the hackers — to their Signal account, a technique that has been popular among various hacking groups, including Russian spies.

A spokesperson for the Indian embassy in Washington, D.C. did not immediately respond to a request for comment.