Hack‑for‑hire phishing targets mobile

A hack-for-hire group used fake login pages and tailored messages to target iPhone and Android users, stealing cloud backups, chat access, and device control. (accessnow.org) Access Now said on April 8, 2026 that it documented three attacks from 2023 through 2025 against two Egyptian journalists and one Lebanese journalist. TechCrunch reported the targets also included activists and government officials across the Middle East and North Africa. (accessnow.org) (techcrunch.com) The attackers mixed spear phishing, which is a fake message built for one person, with Android spyware and Apple account theft. TechCrunch said the campaign was used to reach iCloud backups, Signal accounts, and Android phones. (accessnow.org) (techcrunch.com) Access Now named two of the targets as Mostafa Al-A’sar and Ahmed Eltantawy, both Egyptian government critics. The group also worked with SMEX on a 2025 case involving a Lebanese journalist whose identity was withheld. (accessnow.org) (smex.org) Lookout said the infrastructure and forensic evidence point to a hack-for-hire organization with ties to Asia. TechCrunch reported Lookout linked the operation to a vendor connected to Bitter, a long-running espionage group that security firms suspect has ties to the Indian government. (accessnow.org) (techcrunch.com) That finding fits a wider market for mercenary hacking, where private firms sell intrusion services to clients who want distance from the operation. Reuters reported in 2023 that Appin, an Indian cybersecurity training company, grew into a hack-for-hire business that targeted executives, politicians, military officers, and wealthy clients’ rivals; lawyers for Appin-linked figures have denied wrongdoing. (realclearinvestigations.com) (techcrunch.com) Phones remain a favored entry point because the attack often starts with a text, chat, or email that asks for one tap and one password. Lookout said it saw more than 1 million mobile phishing and social engineering attacks on enterprise users in the first quarter of 2025, and said every enterprise organization it protected was targeted. (lookout.com) The Committee to Protect Journalists said on April 8 that the recent cases sought access to Apple, Microsoft, and Google accounts used by Egyptian and Lebanese journalists. The group said the same actor may be behind all three cases because investigators found shared impersonation tactics, technical fingerprints, and attack infrastructure. (cpj.org) The campaign shows that mobile intrusions do not always begin with rare software flaws or expensive zero-click tools. In these cases, researchers said ordinary account phishing and phone-based social engineering were enough to open the door. (accessnow.org) (lookout.com)