Hack-for-hire group caught targeting Android devices and iCloud backups

At a glance:

  • Security researchers uncovered a hack-for-hire campaign targeting journalists, activists, and government officials across the Middle East, North Africa, and beyond.
  • The group used phishing attacks to compromise iCloud backups and Signal accounts, and deployed Android spyware called ProSpy disguised as popular messaging apps.
  • Researchers linked the campaign to BITTER APT, a hacking group suspected of ties to the Indian government, with possible connections to the defunct Indian hack-for-hire startup Appin.

Sophisticated mobile espionage campaign uncovered

Security researchers have identified a coordinated hack-for-hire operation targeting journalists, activists, and government officials across the Middle East and North Africa. The campaign, documented by digital rights organizations Access Now and SMEX alongside mobile cybersecurity company Lookout, represents a significant escalation in privately contracted surveillance operations. The hackers deployed a multi-pronged approach that combined credential phishing with custom Android spyware, enabling them to access sensitive communications and device data from their targets.

The investigation revealed three documented attack instances spanning 2023 through 2025, though researchers believe the actual number of victims is likely much higher. Two Egyptian journalists and one Lebanese journalist were confirmed as targets, with the Lebanese case also documented by SMEX. What sets this campaign apart is its breadth—Lookout's analysis indicates the attacks extended well beyond civil society members to include targets within the Bahraini and Egyptian governments, as well as individuals in the United Arab Emirates, Saudi Arabia, the United Kingdom, and potentially the United States or alumni of American universities.

Technical tactics: iCloud hacking and Android spyware

The attackers employed distinctly different methodologies depending on their target's device platform. For iPhone users, the hackers focused on phishing attacks designed to harvest Apple ID credentials, which would then allow them to access victims' iCloud backups. This approach effectively provides access to the full content of a target's iPhone without requiring the more sophisticated and expensive iOS spyware that commercial vendors typically sell. Access Now noted that this technique represents "potentially a cheaper alternative to the use of more sophisticated and expensive iOS spyware."

When targeting Android users, the campaign utilized a custom spyware suite called ProSpy. The malware was disguised as legitimate messaging and communications applications popular in the Middle East, including Signal, WhatsApp, Zoom, ToTok, and Botim. In some cases, the hackers attempted to trick victims into registering a new device—controlled by the attackers—to their Signal account, a technique that has gained popularity among various state-sponsored hacking groups, including Russian intelligence operations.

Tracing the actors: BITTER APT and Indian hack-for-hire connections

Lookout's research concluded that the hackers behind this espionage campaign work for a hack-for-hire vendor with connections to BITTER APT, a hacking group that cybersecurity companies suspect has ties to the Indian government. This connection places the operation within a broader ecosystem of commercial surveillance services that have emerged from India's technology sector. Justin Albrecht, principal researcher at Lookout, suggested that the company behind the campaign may be an offshoot of the Indian hack-for-hire startup Appin, with RebSec identified as a possible suspect.

Extensive investigations by Reuters in 2022 and 2023 exposed how Appin and similar India-based companies are allegedly hired to hack company executives, politicians, military officials, and others. Appin apparently shut down following this scrutiny, but Albrecht emphasized that the discovery of this new campaign demonstrates that the activity "didn't disappear and they just moved onto smaller companies." RebSec could not be reached for comment, as the company has deleted its social media accounts and website.

The growing hack-for-hire economy

This campaign highlights a growing trend of government agencies outsourcing their hacking operations to private hack-for-hire companies. Some governments already rely on commercial companies that develop spyware and exploits used by police and intelligence agencies to access data on people's phones. The model offers state clients a significant advantage in plausible deniability: as Albrecht noted, these groups "run all the operations and infrastructure." In addition, hack-for-hire groups are likely cheaper than purchasing commercial spyware licenses.

Mohammed Al-Maskati, an investigator and director at Access Now's Digital Security Helpline who worked on these cases, observed that "these operations have become cheaper and it's possible to evade responsibility, especially since we won't know who the end customer is, and the infrastructure won't reveal the entity behind it." While groups like BITTER may not possess the most advanced hacking and spy tools available, their tactics remain highly effective against targets who may not have access to enterprise-grade security resources.

Implications for press freedom and civil society

The targeting of journalists and activists in this campaign represents a direct threat to press freedom and civil society organizations in the affected regions. Journalists investigating sensitive topics rely on secure communications to protect their sources and themselves. The compromise of Signal accounts and iCloud backups can expose not only the journalists' own communications but also those of their confidential sources, potentially putting lives at risk and chilling investigative journalism.

The international scope of the targeting—including potential victims in the United States and the United Kingdom—suggests that these operations may have implications beyond the Middle East and North Africa. As hack-for-hire services become more affordable and accessible, the risk landscape expands for anyone considered a target by well-resourced adversaries, whether state actors or their proxies.

Editorial note: SiliconFeed is an automated feed; facts are checked against sources, and copy is normalized and lightly edited for readers.

FAQ

What is a hack-for-hire group and how does it differ from state-sponsored hackers?

A hack-for-hire group is a private company that conducts cyberattacks on behalf of clients, typically governments or other organizations seeking to spy on specific targets. Unlike traditional state-sponsored hackers who work directly for government agencies, hack-for-hire firms provide a layer of separation that offers clients plausible deniability. These companies handle all operational aspects, including infrastructure and execution, so their customers can deny any involvement. This model has grown increasingly popular because it can be cheaper than developing in-house surveillance capabilities and provides political cover.

How did the attackers compromise iCloud backups in this campaign?

The hackers used phishing attacks to trick iPhone users into revealing their Apple ID credentials. Once they obtained these credentials, they could access the victims' iCloud backups, which effectively contain the full content of the target's iPhone, including messages, photos, contacts, and other data. This approach is a potentially cheaper alternative to deploying sophisticated iOS spyware, which would require exploiting specific vulnerabilities in Apple's mobile operating system. The method is particularly effective because many users store years of data in their iCloud accounts without considering the security implications.

What can individuals and organizations do to protect themselves against such attacks?

Protecting against targeted hack-for-hire operations requires a multi-layered approach. Users should enable two-factor authentication on all accounts, preferably using hardware security keys rather than SMS-based codes, which can be intercepted. For high-risk individuals like journalists and activists, using encrypted communication platforms with proper security configurations is essential, though this campaign showed that even Signal accounts can be compromised through device registration tricks. Regular security audits, prompt device security updates, and awareness training about phishing tactics are critical. Organizations supporting at-risk individuals, such as Access Now's Digital Security Helpline, provide valuable resources and incident response assistance.

Prepared by the editorial stack from public data and external sources.