Security and privacy risks stayed front-page

Researchers uncovered a hack-for-hire campaign using Android spyware and phishing to steal iCloud credentials, and regulators' privacy settlements keep making headlines — for example, Google’s $135M Android data settlement site is now live for eligible users. Those stories underline why enterprises must treat device compromise and data-collection risk as part of their broader AI governance and vendor-risk assessments. (techcrunch.com) (cnet.com)

A phone can be hacked in two steps now: first the device, then the cloud account that quietly stores years of messages, photos, and backups. Researchers said a hack-for-hire group did exactly that, using Android spyware and fake login pages to steal Apple iCloud credentials from targets in the Middle East and North Africa. (techcrunch.com)

The targets were not random. TechCrunch reported that the campaign hit journalists, activists, and government officials, and Access Now documented three cases from 2023 to 2025 involving two Egyptian journalists and one Lebanese journalist. (techcrunch.com)

The trick worked because a smartphone is really two vaults at once. One vault is the handset in your pocket, and the other is the backup account online, so stealing an iCloud password can expose data even if the attacker never touches an iPhone. (techcrunch.com)

Lookout, the mobile security company that investigated the campaign, said the attackers also targeted Signal accounts and used Android spyware that could take over a victim’s device. That turns a phone from a personal tool into a remote microphone, camera, and message archive for whoever planted the software. (techcrunch.com)

Lookout gave the operation the codename BITTER and told TechCrunch it suspects ties to India, with a possible link to a company called RebSec Solutions. TechCrunch connected that finding to earlier Reuters investigations from 2022 and 2023 into India-based hack-for-hire firms such as Appin that were allegedly hired to target executives, politicians, and military officials. (techcrunch.com)

At the same time, a very different privacy story is back in front of ordinary Android users: the website for Google’s $135 million settlement is now live. CNET reported on April 7 that the case covers claims that Android devices sent cellular data to Google without user permission, including while the phones were idle. (cnet.com)

Google did not admit wrongdoing, but CNET said the settlement would cover about 100 million United States Android users and could pay up to $100 per person, depending on how many people qualify and how the fund is divided. The final approval hearing is scheduled for June 23, 2026, and objections or exclusions are due by May 29, 2026. (cnet.com)

The proposed changes matter more than the payout. CNET reported that Google will revise Google Play terms to spell out that some data transfers happen passively, ask for consent during device setup, and fully stop collecting data when the “allow background data usage” setting is turned off. (cnet.com)

Put those two stories together and you get the modern privacy map. One risk is a hostile actor breaking into the device and cloud account; the other is a platform collecting data in the background under rules most people never read. (techcrunch.com) (cnet.com)

That is why companies are starting to treat phones less like simple employee hardware and more like identity hubs. If a worker’s Android device can unlock Signal, iCloud backups, and corporate accounts, then mobile security, cloud backup settings, and vendor data-collection terms all sit in the same risk file now. (techcrunch.com) (cnet.com)
