Security researchers said they have identified a hacking group targeting journalists, activists, and government officials in the Middle East and North Africa. The hackers used phishing to get into targets' iCloud backups and Signal messaging accounts, and deployed Android spyware capable of taking over the target's device.
The campaign highlights the growing trend of government agencies outsourcing hacking to private hack-for-hire companies. Some governments already rely on commercial vendors that develop spyware and exploits, which police and intelligence agencies use to access data on citizens' phones.
Researchers from digital rights organization Access Now documented three incidents of attacks against two Egyptian journalists and one Lebanese journalist between 2023 and 2025, which were also documented by digital rights organization SMEX.
Mobile cybersecurity company Lookout also investigated these attacks. The three organizations collaborated with each other and released separate reports on Wednesday.
According to Lookout, the attacks went beyond civil society members in Egypt and Lebanon to include targets in the Bahraini and Egyptian governments, as well as targets in the United Arab Emirates, Saudi Arabia, the United Kingdom, and in some cases the United States and alumni of American universities.
Lookout concluded that the hackers behind the espionage operation are working for a hack-for-hire vendor with ties to BITTER APT, a hacking group that cybersecurity firms suspect is linked to the Indian government.
Justin Albrecht, lead researcher at Lookout, told TechCrunch that the company behind the campaign may be an offshoot of Indian hacking-for-hire startup Appin, and that one such company, Rebsec, is a possible suspect. In 2022 and 2023, Reuters published an extensive investigation into Appin and other similar India-based companies, exposing how they were allegedly hired to hack corporate executives, politicians, military personnel, and others.
Although Appin appears to have since shut down, Albrecht said the discovery of this new hacking operation shows that it “hasn’t disappeared, it’s just moved to smaller companies.”
These groups give their customers "plausible deniability, as they run all operations and infrastructure." And for customers, Albrecht said, these specialized hacking groups are likely cheaper than purchasing commercial spyware.
Rebsec could not be reached for comment, as the company has deleted its social media accounts and website.
“These operations have become cheaper and allow them to avoid liability, especially since we don’t know who the end customer is and the infrastructure does not reveal the entity behind it,” said Mohammed Al Maskati, researcher and director of Access Now’s Digital Security Helpline, who worked on these cases.
Groups like BITTER may not have the most advanced hacking and spying tools, but their tactics are still highly effective.
In this campaign, the hackers used several different techniques. When targeting iPhone users, they attempted to trick the targets into handing over their Apple ID credentials and then logged into their iCloud backups, effectively giving them access to the entire contents of the target's iPhone. Unless the user has enabled Apple's optional Advanced Data Protection, iCloud backups are not end-to-end encrypted, so anyone who can sign into the account can restore and read them.
According to Access Now, this “could be a cheaper alternative to using more sophisticated and expensive iOS spyware.”
When targeting Android users, the hackers used spyware called ProSpy, disguised as popular messaging and communication apps such as Signal, WhatsApp, and Zoom, as well as two apps popular in the Middle East, ToTok and Botim.
In some cases, the hackers attempted to trick victims into linking new attacker-controlled devices to their Signal accounts, which would let the attackers read the victim's messages going forward. This technique is common among various hacking groups, including Russian spies; Signal users can review and remove unknown devices under Settings > Linked Devices.
A spokesperson for the Indian embassy in Washington, D.C., did not respond to a request for comment.