Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

Security investigators say they have discovered a group targeting journalists, activists and government officials in the Middle East and North Africa. Hackers used phishing attacks to access iCloud backups and messaging accounts on Signal, and installed Android spyware that could hijack the devices they targeted.
This hacking campaign shows how more and more government agencies are outsourcing their hacking operations to private companies that they hire. Some governments already rely on commercial companies that develop the spyware used by police and intelligence agencies to access data on people’s phones.
Researchers from the digital rights organization Access Now documented three attacks from 2023 through 2025 against two Egyptian journalists, as well as a journalist in Lebanon, whose case was also documented by the digital rights organization SMEX.
Cybersecurity company Lookout also investigated these attacks. The three organizations worked with each other and published separate reports on Wednesday.
According to Lookout, the campaign's targets included people in Egypt and Lebanon, members of the governments of Bahrain and Egypt, and targets in the United Arab Emirates, Saudi Arabia, the United Kingdom, and possibly the United States or alumni of American universities.
Lookout has confirmed that the attackers behind the campaign work for a hack-for-hire group that its investigators identified as BITTER, a group that cybersecurity companies suspect has ties to the Indian government.
Justin Albrecht, senior researcher at Lookout, told TechCrunch that the company behind BITTER could be one named RebSec Solutions, and that it could be an offshoot of the Indian hack-for-hire startup Appin. In 2022 and 2023, Reuters published investigations into Appin and other similar Indian companies, which revealed how these companies are hired to hack corporate executives, politicians, military officials, and others.
It seems that Appin has closed, but Albrecht said that the presence of this new campaign shows that the project “is not finished and has only moved to smaller companies.”
These groups and their clients get “suspicious because they manage all the work and infrastructure.” And for their customers, these hack-for-hire groups are cheaper than buying commercial spyware, said Albrecht.
RebSec could not be reached for comment, as the company has removed its social media accounts and website.
Do you have information about RebSec Solutions? Or other hack-for-hire companies? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.
Mohammed Al-Maskati, researcher at Access Now’s Digital Security Helpline who has worked on these cases, said “these services are cheap and it is possible to escape responsibility, especially since we do not know who the client is, and the infrastructure does not reveal what caused it.”
While groups like BITTER may not have the most advanced hacking and spying equipment, their methods can be very effective.
In this campaign, the hackers used a number of different tactics. When targeting iPhone users, the hackers tried to trick targets into giving up their Apple ID credentials in order to get into their iCloud backups, which would have given them access to the contents of the targets' iPhones.
This is “an inexpensive way to use the most advanced iOS spy software,” according to Access Now.
When targeting Android users, the hackers used spyware called ProSpy, disguised as popular messaging and communication apps like Signal, WhatsApp, and Zoom, as well as ToTok and Botim, two apps well known in the Middle East.
In some cases, hackers tried to trick victims into signing up and adding a new device – controlled by hackers – to their Signal account, a technique that has become popular among various hacker groups, including Russian spies.
A spokesperson for the Indian embassy in Washington DC did not immediately respond to a request for comment.