Security researchers say they have identified a hack-for-hire group targeting journalists, activists, and government officials across the Middle East and North Africa. The hackers used phishing attacks to access targets’ iCloud backups and messaging accounts on Signal, and deployed Android spyware capable of taking over the targets’ devices.
This hacking campaign highlights a growing trend of government agencies outsourcing their hacking operations to private hack-for-hire companies. Some governments already rely on commercial companies that make spyware and exploits used by police and intelligence agencies to access information on people’s phones.
Researchers from the digital rights organization Access Now documented three instances of attacks from 2023 through 2025 against two Egyptian journalists, and a journalist in Lebanon whose case was also documented by digital rights organization SMEX.
Mobile cybersecurity company Lookout also investigated these attacks. The three organizations collaborated with each other and published separate reports on Wednesday.
According to Lookout, the attacks go beyond members of Egyptian and Lebanese civil society, and include targets in the Bahraini and Egyptian governments, as well as targets in the United Arab Emirates, Saudi Arabia, the United Kingdom, and possibly the United States or alumni of American universities.
Lookout concluded that the hackers behind this hacking campaign work for a hack-for-hire vendor that its researchers have codenamed BITTER, which the investigating cybersecurity companies suspect has ties to the Indian government.
Justin Albrecht, principal researcher at Lookout, told TechCrunch that the company behind BITTER may be called RebSec Solutions, and could be an offshoot of the Indian hack-for-hire startup Appin. In 2022 and 2023, Reuters published extensive investigations into Appin and other similar India-based companies, which exposed how these companies are allegedly hired to hack company executives, politicians, military officials, and others.
Appin apparently later shut down, but Albrecht noted that the discovery of this new hacking campaign shows that the organization “didn’t vanish and they just moved onto smaller companies.”
These groups and their customers get “plausible deniability since they run all the operations and infrastructure.” And for their customers, these hack-for-hire groups are likely cheaper than purchasing commercial spyware, said Albrecht.
RebSec could not be reached for comment, as the company has deleted its social media accounts and website.
Contact Us
Do you have more information about RebSec Solutions? Or other hack-for-hire companies? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.
Mohammed Al-Maskati, an investigator at Access Now’s Digital Security Helpline who worked on these cases, said that “these operations have become cheaper and it’s possible to evade responsibility, especially since we won’t know who the end client is, and the infrastructure won’t reveal the entity behind it.”
While groups like BITTER may not have the most advanced hacking and spy tools, their tactics can still be highly effective.
In the attacks that were part of this campaign, the hackers used several different techniques. When targeting iPhone users, the hackers tried to trick targets into giving up their Apple ID credentials in order to then hack into their iCloud backups, which effectively would have given them access to the full content of the targets’ iPhones.
This is “potentially a cheaper alternative to the use of more sophisticated and expensive iOS spyware,” according to Access Now.
When targeting Android users, the hackers used a spyware called ProSpy, masquerading as popular messaging and communications apps like Signal, WhatsApp, and Zoom, as well as ToTok and Botim, two apps that are popular in the Middle East.
In some cases, the hackers tried to trick victims into registering and adding a new device — controlled by the hackers — to their Signal account, a technique that has been popular among various hacking groups, including Russian spies.
A spokesperson for the Indian embassy in Washington D.C. did not immediately respond to a request for comment.














