Hack-for-hire hits mobile and iCloud targets

Researchers uncovered a hack-for-hire operation that uses Android spyware and phishing for iCloud credentials to target mobile devices and their cloud backups, showing that attackers still profit from weak mobile endpoints. The operation combines platform-specific malware with credential-harvesting tactics, putting corporate devices and cloud backups at risk. Security observers say this persistence underlines that mobile endpoints remain a critical, easily exploited flank for enterprise security.

A phone is now two targets at once: the device in your hand and the backup sitting in the cloud. Researchers told TechCrunch a hack-for-hire group went after both by planting Android spyware on phones and stealing Apple iCloud logins through phishing pages. (techcrunch.com) The victims were not random. TechCrunch reported that the campaign targeted journalists, activists, and government officials across the Middle East and North Africa, which is the kind of list you see when an operation is built for surveillance, not mass fraud. (techcrunch.com)

Hack-for-hire means a private company or contractor does the break-in work for a client, usually a government agency or another powerful customer. Google’s Threat Analysis Group said in a 2024 report that it tracks multiple commercial surveillance vendors and has documented how this industry sells spyware and exploit services to state customers. (blog.google)

The Android side is the old-fashioned part of the story: get malicious software onto the phone, then let it read messages, track activity, and take over the device. TechCrunch said the malware in this campaign could fully compromise Android phones, while the same operators also tried to get into Signal accounts and Apple backups. (techcrunch.com)

The iCloud side is simpler and often cheaper. Instead of breaking Apple’s encryption, attackers trick the person into typing an Apple Account password and one-time code into a fake sign-in page, which can hand over photos, messages, contacts, and device backups tied to that account. (support.apple.com 1) (support.apple.com 2) That works because a cloud backup is like a house key hidden under the mat: the phone may be locked down, but the backup can still hold years of data in one place. Apple says an Apple Account controls access to iCloud services including photos, contacts, payment information, and device backups, so one stolen account can expose far more than one stolen handset. (support.apple.com)

This is also why mobile security keeps frustrating companies. A laptop usually sits behind layers of corporate monitoring, but a phone mixes work chat, personal text messages, cloud logins, and authentication codes on one small screen where fake links are easier to miss. (techcrunch.com) (blog.google)

Google has warned before that commercial spyware vendors do not need magical tools every time. Its researchers said these firms regularly combine rare zero-day flaws with older known bugs and routine social engineering, which is security language for tricking people into opening the door themselves. (blog.google 1) (blog.google 2)

Apple’s own guidance shows the weak point clearly. The company tells users who think an Apple Account was compromised to check for unknown trusted devices, remove anything unfamiliar, and make sure two-factor authentication is enabled, because once an attacker gets account access, the cleanup is about evicting them from every connected service. (support.apple.com 1) (support.apple.com 2)

The uncomfortable part of this story is that nothing here sounds exotic in 2026. One side used Android spyware, the other side used fake login pages, and together they still reached some of the most sensitive targets in the region because the phone and the backup remain the easiest flank to hit. (techcrunch.com) (blog.google)

Shared from Scout.