Hack-for-hire Groups Exploit Android and iCloud Devices
Security researchers have uncovered a new wave of hack-for-hire operations targeting Android devices and iCloud backups, putting journalists, activists, and government officials across the Middle East and North Africa at risk. The attackers used phishing schemes and sophisticated spyware to gain access to messaging apps and private data. These revelations highlight the growing trend of outsourcing cyberespionage to private companies.
Credit: Bryce
Government Outsourcing Fuels Hack-for-Hire Trend
In recent years, several governments have increasingly relied on commercial hacking companies to conduct espionage operations. These hack-for-hire groups develop spyware and exploits that law enforcement and intelligence agencies can use to access sensitive data on personal devices. Outsourcing provides plausible deniability and costs less than purchasing expensive commercial spyware.
Researchers from digital rights organization Access Now documented attacks between 2023 and 2025 on Egyptian and Lebanese journalists. Additional investigations by the mobile cybersecurity company Lookout found that these campaigns also targeted officials in Bahrain, Egypt, the UAE, Saudi Arabia, and even entities in the United Kingdom and the U.S.
Connections to Indian Hack-for-Hire Startups
Lookout’s research suggests the hackers are linked to BITTER APT, a group believed to have ties to India. Investigators suspect these operations may involve offshoots of India-based companies like Appin, which was previously reported to have hacked executives, politicians, and military officials. While Appin has shut down, the discovery of these attacks indicates that smaller, independent groups have continued operations under similar models.
Justin Albrecht, a principal researcher at Lookout, notes that hack-for-hire groups offer clients anonymity while maintaining full control of infrastructure, making it difficult to trace the end user of the attacks. This model has allowed such campaigns to become more affordable and widespread.
Tactics Targeting iPhone Users
For iPhone users, hackers primarily relied on phishing techniques to steal Apple ID credentials. This approach grants access to iCloud backups, effectively exposing all content stored on a target’s device. Digital security experts consider this method a cost-effective alternative to high-end iOS spyware, demonstrating how even low-budget operations can cause significant breaches.
Access Now emphasized that while these attacks may not use the most advanced spyware, the results are still highly effective. iPhone users remain vulnerable due to human error, highlighting the critical importance of digital security awareness.
Android Devices Under Siege with ProSpy
Android targets were compromised using spyware called ProSpy, disguised as popular apps like Signal, WhatsApp, Zoom, ToTok, and Botim. Once installed, ProSpy allows hackers to control the device remotely and access private communications. In some cases, attackers tricked victims into linking a new device to their Signal account, a tactic also observed in operations linked to Russian hacking groups.
These Android-focused attacks reveal a pattern of exploiting both user trust and popular communication platforms to infiltrate sensitive networks. Researchers warn that even highly security-conscious users may fall victim if phishing tactics are convincing enough.
Global Reach of Hack-for-Hire Operations
While initial attacks focused on journalists and civil society in Egypt and Lebanon, the campaign’s reach extends to government officials and international targets. Lookout’s investigation suggests potential victims include American university alumni and individuals in Western governments. The cross-border nature of these attacks complicates law enforcement and highlights the need for coordinated international cybersecurity measures.
Mohammed Al-Maskati of Access Now notes that hack-for-hire operations have become cheaper and harder to attribute. The anonymity of these companies allows clients to evade responsibility while maintaining high operational impact.
Challenges in Attribution and Accountability
A major concern with hack-for-hire campaigns is the difficulty in identifying the true customer behind the attacks. Companies like RebSec, a suspected operator in this campaign, have deleted websites and social media accounts, leaving little trace of their operations. This lack of transparency gives both hackers and clients a shield against accountability, creating a complex web for investigators to navigate.
Despite the relatively modest sophistication of these groups, their tactics—including phishing, device spoofing, and disguised spyware—remain highly effective. Researchers emphasize that vigilance, secure communication practices, and multi-factor authentication are critical defenses for potential targets.
The Future of Hack-for-Hire Threats
Cybersecurity experts predict that hack-for-hire operations will continue to evolve, targeting both personal devices and organizational networks. As technology becomes more accessible, even small companies can run complex espionage campaigns at low cost. Governments and private sectors alike must adapt by enhancing cybersecurity protocols, educating users, and collaborating across borders to prevent widespread breaches.
While the full scope of these operations is still emerging, the exposure of these attacks underscores an urgent need for global awareness. Users of both Android and iOS devices are advised to exercise caution with unknown messages, apps, and login requests, reinforcing the critical role of proactive cybersecurity measures in a digital-first world.
In conclusion, hack-for-hire groups are expanding rapidly, targeting mobile devices and messaging platforms across multiple countries. These campaigns exploit both technical vulnerabilities and human behavior, making cybersecurity vigilance essential for individuals and organizations alike. Awareness, strong authentication practices, and timely software updates are crucial defenses against this growing global threat.
