Hack-for-Hire Campaign Exposed
Researchers uncovered a hack-for-hire operation that targeted Android devices and iCloud backups with spyware and phishing, showing attackers are combining mobile-specific tools with cloud-exfiltration tactics. The discovery highlights how privacy breaches, device compromise and data-backup access are converging threats for organisations that rely on mobile endpoints. (techcrunch.com)
A phone used to read messages became the doorway to the message archive too. Researchers say one hack-for-hire group used fake login pages to steal Apple account details and used Android spyware to pull data straight off devices in the same campaign. (techcrunch.com)

The victims were not random. Access Now says the campaign hit Egyptian journalists and government critics, and TechCrunch reports the wider target list stretched across the Middle East and North Africa and included journalists, activists, government officials, and civil society figures. (accessnow.org) (techcrunch.com)

A hack-for-hire group is exactly what it sounds like: a private company or contractor that breaks into accounts for paying clients. Google’s Threat Analysis Group drew the line in 2022 between these firms and spyware vendors by saying hack-for-hire operators run the intrusions themselves and deliver the stolen data. (blog.google)

The Apple side of the operation worked like a house-key copy. SMEX says one victim in Lebanon was lured to a phishing page that captured Apple account credentials and potentially multi-factor authentication codes, then added a virtual device to the victim’s account. (smex.org) That matters because an Apple account can hold a full backup of an iPhone, not just the password to email. TechCrunch says the attackers were after iCloud backups and Signal-related data, which turns one successful phish into access to years of stored photos, chats, contacts, and app data. (techcrunch.com)

The Android side used a different tool: a fake app that behaves like a wiretap hidden inside a normal icon. Lookout says the malware, which it calls ProSpy, masqueraded as Signal, ToTok, and Botim and was tied to the same phishing infrastructure uncovered in the civil society investigation. (lookout.com) Once installed, ProSpy could collect contacts, text messages, device details, and files stored on the phone. ESET said in October 2025 that ProSpy and a related family called ToSpy were being distributed through deceptive websites impersonating messaging apps and were actively exfiltrating data from Android devices in the United Arab Emirates. (eset.com)

The timeline is longer than one burst of attacks. Lookout says the operation has been active since at least 2022, Access Now documented cases from 2023 through 2025, and Lookout says the earliest ProSpy samples it obtained date back to August 2024. (lookout.com) (accessnow.org)

The researchers think this operation sits in a familiar ecosystem. Lookout linked it to a cluster it calls BITTER and told TechCrunch the operator may be RebSec Solutions, a possible offshoot of Appin, the India-based hacking contractor exposed in Reuters investigations in 2022 and 2023. (lookout.com) (techcrunch.com)

What changed in this case is the combination. Instead of choosing between breaking into the phone or breaking into the cloud backup, the attackers used both paths at once, which gives them live surveillance from the handset and historical data from the account archive. (techcrunch.com) (lookout.com)

That is a hard problem for organizations that treat phones as just smaller laptops. A mobile device management dashboard can miss a stolen cloud account, and a strong cloud login can still fail if a target installs a fake messaging app sent through a trusted chat. (blog.google) (lookout.com)