Hack‑for‑hire campaign targeted iCloud backups

Security researchers uncovered a hack‑for‑hire operation that used Android spyware and phishing to steal iCloud credentials and compromise victims’ backups and devices. The campaign shows attackers focusing on account recovery and cloud backup paths as cross‑platform weak points rather than on platform‑specific exploits. That highlights the risk in end‑to‑end identity and recovery flows, where cloud backups or recovery channels can be leveraged to bypass device protections. (techcrunch.com)

The attackers did not need to break Apple’s or Google’s core phone security to get in. Researchers say they tricked targets into handing over account credentials, then used those cloud accounts and backups to reach data that lived beyond any one device. (techcrunch.com)

The victims were not random people. The campaign hit journalists, activists, and government officials across the Middle East and North Africa, and the intrusions ran between 2023 and 2025, according to reporting based on findings from Lookout, Access Now, and SMEX. (techcrunch.com)

A cloud backup is a spare copy of your phone stored on someone else’s servers, like keeping a second house key in a lockbox. If an attacker gets the lockbox code, they may not need the phone in their hand to learn a lot about the person using it. (support.apple.com) That is why iCloud mattered in this case even though the spyware ran on Android phones. TechCrunch reported that the group used phishing to steal Apple account credentials, then went after iCloud backups and Signal accounts tied to the same targets. (techcrunch.com)

Phishing is the oldest trick in this business: a fake login page, a fake alert, or a fake message that gets you to type your password into the wrong box. Once the attackers had those credentials, the strongest screen lock on the phone no longer solved the whole problem. (techcrunch.com)

Apple’s default setup already encrypts iCloud data, but Apple says it keeps some of the keys in its data centers so it can help with recovery, and only certain categories are end-to-end encrypted by default. That recovery design is convenient for users, but it also means the account itself becomes a prize. (support.apple.com) Apple’s optional Advanced Data Protection changes that model for many categories, including iCloud Backup, by raising the number of end-to-end encrypted categories from 14 to 23. In plain English, that means your trusted devices keep the keys, not Apple’s servers. (support.apple.com)

The Android side of the operation used spyware, which is software that quietly turns a phone into a wiretap. TechCrunch reported that the malware could take over victims’ devices after the initial phishing and account attacks opened the door. (techcrunch.com) Google has spent the last two years adding more theft and app-scanning defenses to Android, including Google Play Protect and newer theft protection features. Those tools help against bad apps and stolen phones, but they do not stop someone from voluntarily typing a password into a convincing fake login page. (support.google.com) (security.googleblog.com)

The pattern here is what security teams worry about most now: attackers are skipping the front door and going after the password reset link, the backup copy, and the recovery contact. A phone can be well-defended on its own and still be exposed if the account wrapped around it is easier to hijack. (support.apple.com) (techcrunch.com)

For anyone trying to reduce that risk, the boring steps are the important ones: turn on Advanced Data Protection if it is available in your region, keep Google Play Protect on, and treat any login link sent over message or email as suspicious until you open the service yourself. Those steps do not make you invisible, but they remove the exact shortcuts this campaign appears to have used. (support.apple.com) (support.google.com)
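The key-custody distinction above (provider-held recovery keys versus keys that never leave a trusted device) is the whole reason a phished password was enough in this campaign. The following toy model is an added illustration, not Apple's implementation or anything from the reporting: it builds a small "cloud server" in both modes, then shows what a party holding only the account password can read. The cipher is a throwaway HMAC keystream, the account name, password and backup contents are constructed sample values, and the `CloudServer` class and `read_backup` function are invented for this example.

```python
"""Toy model of two cloud-backup key-custody designs (added example, not Apple's code).

STANDARD:   the provider keeps a key that can unwrap every backup key, so a
            password login is enough to get plaintext back (recovery-friendly,
            but a phished password gets the same result).
END_TO_END: the backup key is wrapped only under a secret held by the user's
            trusted device, so the server, and anyone who merely knows the
            password, only ever holds ciphertext.
"""
import hashlib
import hmac
import secrets

# ---- toy primitives: illustration only, not a real cipher, never reuse ----

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (same call decrypts)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key raises instead of returning garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    return _keystream_xor(key, nonce, ct)

def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # toy; real systems use a slow KDF

class CloudServer:
    """One account's backup stored under either custody model (hypothetical class)."""
    STANDARD = "standard"
    END_TO_END = "end_to_end"

    def __init__(self, mode: str):
        self.mode = mode
        self.accounts = {}
        self._server_kek = secrets.token_bytes(32)  # key held in the provider's data centre

    def register(self, user: str, password: str, device_key: bytes) -> bytes:
        backup_key = secrets.token_bytes(32)
        kek = self._server_kek if self.mode == self.STANDARD else device_key
        self.accounts[user] = {"pw": password_hash(password),
                               "wrapped_key": encrypt(kek, backup_key), "backup": None}
        return backup_key

    def upload_backup(self, user: str, backup_key: bytes, data: bytes) -> None:
        self.accounts[user]["backup"] = encrypt(backup_key, data)

    def fetch(self, user: str, password: str):
        """Password login returns the ciphertext; in STANDARD mode the server also
        unwraps the backup key for the caller (this is the recovery convenience)."""
        acct = self.accounts[user]
        if not hmac.compare_digest(acct["pw"], password_hash(password)):
            raise PermissionError("bad credentials")
        if self.mode == self.STANDARD:
            return acct["backup"], decrypt(self._server_kek, acct["wrapped_key"])
        return acct["backup"], acct["wrapped_key"]  # still wrapped under the device key

def read_backup(server: CloudServer, user: str, password: str, device_key=None):
    """Plaintext if the caller can obtain the backup key, otherwise None."""
    blob, key_material = server.fetch(user, password)
    if server.mode == CloudServer.STANDARD:
        backup_key = key_material
    else:
        if device_key is None:
            return None  # no trusted device, no key
        try:
            backup_key = decrypt(device_key, key_material)
        except ValueError:
            return None  # guessed or wrong device key
    return decrypt(backup_key, blob)

def simulate(mode: str) -> dict:
    """Compare a password-only party (phisher, or owner who lost every device)
    with the trusted-device holder under one custody model."""
    srv = CloudServer(mode)
    device_key = secrets.token_bytes(32)  # constructed: the victim's trusted-device secret
    bk = srv.register("victim", "correct horse", device_key)  # constructed sample values
    srv.upload_backup("victim", bk, b"messages, photos, notes")
    password_only = read_backup(srv, "victim", "correct horse")
    guessed_key = read_backup(srv, "victim", "correct horse", secrets.token_bytes(32))
    device_holder = read_backup(srv, "victim", "correct horse", device_key)
    return {"password_only_access": password_only is not None,
            "guessed_device_key_access": guessed_key is not None,
            "device_holder_access": device_holder == b"messages, photos, notes"}

if __name__ == "__main__":
    for mode in (CloudServer.STANDARD, CloudServer.END_TO_END):
        print(mode, simulate(mode))
```

Running it shows the trade-off the article describes: in the STANDARD model the password-only party reads the backup, which is exactly why the same login works both as account recovery and as an attack path; in the END_TO_END model the same password yields nothing without the device-held key, and recovery has to come from a trusted device (or a recovery key the user keeps) rather than from the provider.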
