
New Hack-for-Hire Campaign Hits Android Devices and iCloud Backups Across the Middle East


Security researchers have uncovered a sophisticated hack-for-hire group that has been targeting journalists, activists, and government officials across the Middle East and North Africa. This campaign, active between 2023 and 2025, uses phishing attacks to access iCloud backups and deploy Android spyware, raising fresh concerns about the growing private espionage industry.

According to reports from Access Now, SMEX, and Lookout, the hackers employed a range of tactics to infiltrate devices. For iPhone users, they tricked victims into surrendering Apple ID credentials, gaining access to iCloud backups that contained the full contents of their phones. For Android users, they distributed spyware called ProSpy, disguised as popular apps like Signal, WhatsApp, and Zoom, as well as regional messaging apps ToTok and Botim.

This hack-for-hire group appears to be an offshoot of the infamous Indian startup Appin, which was exposed by Reuters in 2022 and 2023 for allegedly hacking corporate executives and government officials. Justin Albrecht, principal researcher at Lookout, noted that while Appin has since shut down, its operations have simply migrated to smaller companies like RebSec, which has since deleted its online presence.

How the Hack-for-Hire Group Operates

The campaign targeted at least three journalists—two in Egypt and one in Lebanon—but Lookout’s investigation suggests the scope is much wider. Victims include government officials in Bahrain, Egypt, the United Arab Emirates, Saudi Arabia, and even individuals in the United Kingdom and possibly the United States. The researchers linked the group to BITTER APT, a hacking collective suspected of ties to the Indian government.

One of the most alarming aspects of this hack-for-hire group is its use of “plausible deniability.” By outsourcing operations to private vendors, governments can avoid direct responsibility. “These operations have become cheaper and it’s possible to evade responsibility, especially since we won’t know who the end customer is,” said Mohammed Al-Maskati, an investigator at Access Now.

Android Spyware and Phishing Attacks: The Technical Details

For Android users, the hackers deployed ProSpy, a spyware that masquerades as legitimate apps. Victims were lured into downloading fake versions of Signal, WhatsApp, or other messaging tools, which then granted attackers full control over the device. This Android spyware could capture messages, photos, and even microphone and camera access.
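An added defender-side triage helper, not tooling from Lookout, Access Now or SMEX: it parses `adb shell pm list packages -i` output and flags installed packages that borrow the brand of one of the impersonated apps named above but are not the official package, or carry the official name without having come from a trusted store. Official package names for Signal, WhatsApp and Zoom are from memory; those for ToTok and Botim are assumptions and should be checked against the vendors' own listings; the sample output is constructed.

```python
"""Flag sideloaded Android packages impersonating messaging apps.

Constructed example. Input format is that of `adb shell pm list packages -i`:
"package:<name>  installer=<pkg>" (installer=null when unknown/sideloaded).
"""
import re

# Official package names for the apps the campaign impersonated.
# ToTok and Botim entries are assumptions; verify before relying on them.
KNOWN_GOOD = {
    "signal": {"org.thoughtcrime.securesms"},
    "whatsapp": {"com.whatsapp"},
    "zoom": {"us.zoom.videomeetings"},
    "totok": {"ai.totok.chat"},          # assumed
    "botim": {"im.thebot.messenger"},    # assumed
}
# Installers treated as trusted stores (Play Store, Samsung Galaxy Store).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_pm_output(text):
    """Yield (package, installer) pairs from `pm list packages -i` output."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def suspicious_packages(text):
    """Return (package, installer, reason) for brand-borrowing or sideloaded hits."""
    findings = []
    for pkg, installer in parse_pm_output(text):
        for brand, official in KNOWN_GOOD.items():
            if brand not in pkg.lower():
                continue
            if pkg not in official:
                findings.append((pkg, installer, f"lookalike of {brand}"))
            elif installer not in TRUSTED_INSTALLERS:
                findings.append((pkg, installer, f"official {brand} name but sideloaded"))
    return findings


# Constructed sample output (not captured from a real device).
SAMPLE = """\
package:com.whatsapp  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.signal.messenger  installer=null
package:us.zoom.videomeetings  installer=com.google.android.packageinstaller
package:com.android.settings  installer=null
"""

if __name__ == "__main__":
    for pkg, installer, why in suspicious_packages(SAMPLE):
        print(f"{pkg:32} installer={installer:40} {why}")
```

A hit is a lead for manual review (check the signing certificate and the app's permissions), not a verdict: enterprise MDM or side-loaded test builds also produce non-store installers.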

For iPhone users, the approach was different but equally dangerous. Hackers used phishing emails and messages to trick targets into revealing their Apple ID credentials. Once obtained, they accessed iCloud backups, effectively bypassing iOS security without needing expensive zero-day exploits. As Access Now noted, this is “potentially a cheaper alternative to the use of more sophisticated and expensive iOS spyware.”

Signal Account Hijacking

In some cases, the hackers attempted to register a new device—controlled by them—to the victim’s Signal account. This technique, popular among various hacking groups including Russian spies, allows attackers to intercept encrypted messages without breaking Signal’s encryption itself.

The Growing Threat of Commercial Spyware

This campaign highlights a troubling trend: the rise of commercial spyware and hack-for-hire services that are more accessible than ever. Unlike state-sponsored operations, these private groups offer lower costs and greater anonymity. “For their customers, these hack-for-hire groups are likely cheaper than purchasing commercial spyware,” Albrecht explained.

The researchers also emphasize that even less sophisticated tools can be highly effective. The hackers behind this campaign may not have the most advanced exploits, but their social engineering and phishing tactics proved sufficient to compromise high-value targets.

What This Means for Digital Security

For journalists and activists in the Middle East, this campaign serves as a stark reminder of the risks they face. As a result, experts recommend enabling two-factor authentication on all accounts, avoiding suspicious links, and regularly reviewing connected devices. For organizations, investing in security awareness training and monitoring for unusual account activity is crucial.

This discovery also underscores the need for stronger regulation of the spyware industry. While some governments have begun to address the issue, the shadowy nature of these companies makes enforcement difficult. The Indian embassy in Washington, D.C. did not respond to requests for comment.
