Hack‑for‑hire campaign exposed

Security researchers uncovered a hack‑for‑hire operation that targets Android devices and iCloud backups using Android spyware and phishing to harvest iCloud credentials. The campaign is a reminder that mobile endpoints and cross-platform credential theft remain high‑value, routine attack vectors for adversaries. (techcrunch.com).

A phone hack does not always start with a zero-day flaw or a million-dollar exploit. In the campaign researchers just exposed, one path was much simpler: trick an Android user into installing a fake app, or trick an iPhone user into typing Apple account credentials into a phishing page. (lookout.com) (techcrunch.com)

The targets were not random. Access Now says the victims included Egyptian journalist Mostafa Al-A’sar, Egyptian opposition figure Ahmed Eltantawy, and a Lebanese journalist, with activity tied to campaigns in 2023, 2024, and 2025 across the Middle East and North Africa. (accessnow.org) (lookout.com)

The Android side worked like a fake house key. Researchers say the spyware, called ProSpy, was dressed up as trusted apps including Signal, ToTok, and Botim, so a target would install it believing it was a secure messenger or an update. (lookout.com) (eset.com) Once installed, ProSpy could extract the phone’s contacts, text messages, device details, and files stored on the device. Lookout says it obtained 11 ProSpy samples, and the earliest samples it saw date back to August 2024. (lookout.com)

The iPhone side did not need iPhone malware at all. Access Now says the phishing pages aimed to steal Apple, Microsoft, and Google credentials, and the Apple account was especially valuable because an iCloud backup can contain app data, device settings, and data from many messaging and social apps. (accessnow.org) (support.apple.com)

That is the cross-platform trick at the center of this case. An attacker can watch one person through an Android implant and, in the same campaign, raid another person’s iPhone life by stealing the cloud account that stores the backup. (techcrunch.com) (support.apple.com) Researchers also say the group tried to hijack Signal accounts by registering attacker-controlled devices to victims’ accounts. Signal’s linked-device system normally requires the victim’s phone to scan a QR code, so the phishing step was likely used to obtain the access needed to complete that handoff. (techcrunch.com) (support.signal.org)

Lookout says the operation has been active since at least 2022 and is still running in 2026. The company assessed it as a likely hack-for-hire campaign with ties to BITTER, a long-tracked threat group also known as T-APT-17. (lookout.com) (accessnow.org) That “for hire” label changes the picture. Instead of one government building every tool itself, private operators can supply phishing pages, spyware, and targeting infrastructure the way a contractor supplies equipment on a job site. (lookout.com) (blog.google)

The old lesson still holds: the weakest point is often the login screen, not the operating system. A fake Android app can bypass caution by looking familiar, and a stolen Apple account password can open years of cloud-stored history without touching the phone in your hand. (eset.com) (support.apple.com)

This is why mobile attacks keep showing up in investigations of journalists, activists, and officials. Phones carry messages, photos, location trails, contact lists, and account recovery codes, and this campaign shows that an attacker does not need one perfect exploit when simple phishing and fake apps can still get the job done. (accessnow.org) (lookout.com)


Shared from Scout - Be the smartest in the room.