Mobile spyware plus iCloud theft
Researchers exposed a hack‑for‑hire campaign that combined Android spyware, phishing and iCloud credential theft to compromise victims’ devices and backups. The attack chain shows attackers still blend social engineering with mobile implants and cloud-account takeover rather than relying on a single exotic exploit. That hybrid tradecraft is important because it maps to practical detection points across mobile telemetry, identity logs and mailboxes. (techcrunch.com)
The trick was not one magic bug. Researchers say the attackers mixed fake login pages, fake chat apps, and cloud account theft to break into targets across the Middle East and North Africa. (techcrunch.com)

A phishing page is a counterfeit sign-in screen that looks real enough to make you hand over your keys. Access Now says this campaign used spear-phishing against Apple, Microsoft, and Google accounts in 2023 and 2024, including against Egyptian journalist Mostafa Al-A’sar and opposition figure Ahmed Eltantawy. (accessnow.org)

An Android implant is a booby-trapped app that sits on the phone and quietly copies what is on it. Lookout says the malware in this case, which it calls ProSpy, could pull contacts, text messages, device details, and local files from infected Android phones. (lookout.com) The attackers did not hide the bait inside the official Google Play store. ESET found ProSpy and a related spyware family called ToSpy spread through deceptive websites that pretended to offer Signal upgrades, ToTok downloads, or even a Samsung Galaxy Store page. (eset.com)

One Lebanese journalist was hit through Apple Messages on May 19, 2025, then through WhatsApp on May 21 and May 22. SMEX says the goal in all three attempts was the same: steal the target’s main Apple account and attach a virtual device to it. (smex.org) That virtual device mattered because it let the attackers ride along inside the account after the victim typed in the password. SMEX says one captured attack stole the username, password, and two-factor authentication code, and completed the takeover in about 30 seconds. (smex.org)

Once an Apple account falls, the prize is not just email. TechCrunch reports the attackers used stolen credentials to reach iCloud backups and Signal messaging data, which can reveal years of chats, photos, contacts, and account history in one place. (techcrunch.com)

Lookout says the larger operation has been active since at least 2022 and relied on fake social media personas and long-running conversations, not smash-and-grab spam. That matters because the attack chain starts in inboxes and chat threads long before malware ever lands on a phone. (lookout.com)

The researchers do not describe this as a random criminal spray. Access Now says the victims were civil society figures in the region, while Lookout assesses the activity is most likely a hack-for-hire operation tied to BITTER, also known as Advanced Persistent Threat 17, a South Asia-linked espionage actor. (accessnow.org) (lookout.com)

The lesson from this case is almost old-fashioned: you do not need a million-dollar zero-click exploit if a fake login page gets the password and a fake app gets installed by hand. This campaign worked by chaining together the phone, the cloud account, and the messages around them until one target became three compromises at once. (lookout.com) (techcrunch.com)
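The sequence SMEX describes (password, then the relayed two-factor code, then a new device attached to the account within about 30 seconds) is exactly the kind of pattern that identity logs can surface. The following is an added example, not code from the article or from any of the researchers it cites: it assumes a hypothetical normalised event format (one dict per event with `ts`, `user`, `event`, `src_ip` and `device_id` fields) and runs over a small constructed log. It flags a device enrolment that follows a fresh login plus MFA success from a device the account has never used before, inside a short window, and then records which sensitive actions (such as a backup download) that new device performed afterwards.

```python
"""Flag rapid account-takeover chains in identity logs.

Added example, not from the original article or its sources. The event
schema (ts, user, event, src_ip, device_id) and the event names are
assumptions; map them onto whatever your identity provider actually emits.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Enrolment this soon after a first-ever login from a device is "rapid".
WINDOW = timedelta(seconds=120)
# Actions worth reporting when they follow a flagged enrolment.
SENSITIVE = {"backup_download", "recovery_email_changed", "password_changed"}

# Constructed sample log. "alice" shows the takeover shape described in the
# article; "bob" enrols a device he has used before, which should not alert.
SAMPLE_EVENTS = [
    {"ts": "2025-05-18T09:00:00Z", "user": "bob", "event": "login_success", "src_ip": "203.0.113.9", "device_id": "pixel-known"},
    {"ts": "2025-05-19T08:00:00Z", "user": "alice", "event": "login_success", "src_ip": "203.0.113.5", "device_id": "iphone-known"},
    {"ts": "2025-05-19T10:14:02Z", "user": "alice", "event": "login_success", "src_ip": "198.51.100.77", "device_id": "unknown-1"},
    {"ts": "2025-05-19T10:14:09Z", "user": "alice", "event": "mfa_success", "src_ip": "198.51.100.77", "device_id": "unknown-1"},
    {"ts": "2025-05-19T10:14:25Z", "user": "alice", "event": "device_enrolled", "src_ip": "198.51.100.77", "device_id": "unknown-1"},
    {"ts": "2025-05-19T10:16:00Z", "user": "alice", "event": "backup_download", "src_ip": "198.51.100.77", "device_id": "unknown-1"},
    {"ts": "2025-05-20T09:00:00Z", "user": "bob", "event": "login_success", "src_ip": "203.0.113.9", "device_id": "pixel-known"},
    {"ts": "2025-05-20T09:00:20Z", "user": "bob", "event": "mfa_success", "src_ip": "203.0.113.9", "device_id": "pixel-known"},
    {"ts": "2025-05-20T09:00:40Z", "user": "bob", "event": "device_enrolled", "src_ip": "203.0.113.9", "device_id": "pixel-known"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps used in the sample log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_rapid_takeovers(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """Return one alert per (user, device) chain of: first-ever login from
    that device -> MFA success -> device enrolment, all within `window`.
    Sensitive actions the flagged device performs later are appended."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    seen_devices: dict[str, set[str]] = defaultdict(set)  # user -> devices seen so far
    chains: dict[tuple[str, str], dict] = {}               # (user, device) -> login state
    alerts: list[dict] = []
    alert_by_key: dict[tuple[str, str], dict] = {}

    for e in events:
        ts = parse_ts(e["ts"])
        user, dev, kind = e["user"], e["device_id"], e["event"]
        key = (user, dev)

        if kind == "login_success":
            # Decide "new device" before recording this event's device.
            chains[key] = {"ts": ts, "mfa": False,
                           "new_device": dev not in seen_devices[user]}
        elif kind == "mfa_success" and key in chains:
            chains[key]["mfa"] = True
        elif kind == "device_enrolled" and key in chains:
            chain = chains[key]
            elapsed = ts - chain["ts"]
            if chain["new_device"] and chain["mfa"] and elapsed <= window:
                alert = {"user": user, "device_id": dev, "src_ip": e["src_ip"],
                         "enrolled_at": e["ts"],
                         "seconds": int(elapsed.total_seconds()),
                         "followed_by": []}
                alerts.append(alert)
                alert_by_key[key] = alert
        elif kind in SENSITIVE and key in alert_by_key:
            alert_by_key[key]["followed_by"].append(kind)

        seen_devices[user].add(dev)

    return alerts


if __name__ == "__main__":
    for alert in find_rapid_takeovers(SAMPLE_EVENTS):
        print(f"{alert['user']}: new device {alert['device_id']} enrolled "
              f"{alert['seconds']}s after first login from {alert['src_ip']}; "
              f"then: {', '.join(alert['followed_by']) or 'nothing yet'}")
```

The useful part is the combination of conditions: a never-before-seen device, a completed MFA step, and an enrolment within seconds. Each one alone is routine (people buy new phones and pass MFA every day), but together they reproduce the shape of the captured attack, and the `followed_by` list tells the responder whether the backup or recovery settings were touched before the account was locked down. On a real identity platform the "known device" baseline should come from weeks of history rather than the same log slice, and the window should be tuned to how fast legitimate enrolments actually complete.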