Security researchers say they have identified a hack-for-hire group targeting journalists, activists and government officials across the Middle East and North Africa. Hackers used phishing attacks to gain access to targets’ iCloud backups and Signal messaging accounts, and developed Android spyware capable of taking over targets’ devices.
This hacking campaign highlights a growing trend of government agencies outsourcing their operations to private hack-for-hire companies. Some governments already rely on commercial companies that develop spyware and exploits used by police and intelligence agencies to access data from people’s phones.
Researchers from digital rights organization Access Now documented three attacks from 2023 to 2025 against two Egyptian journalists and a journalist in Lebanon whose case was also documented by digital rights organization SMEX.
Mobile cybersecurity company Lookout also investigated these attacks. The three organizations cooperated with each other and released separate reports on Wednesday.
According to Lookout, the attacks go beyond members of civil society in Egypt and Lebanon and include targets in the governments of Bahrain and Egypt, as well as targets in the United Arab Emirates, Saudi Arabia, the United Kingdom and possibly the United States or graduates of American universities.
Lookout has concluded that the hackers behind this campaign work for a hack-for-hire vendor that researchers have codenamed BITTER, which cybersecurity companies suspect has ties to the Indian government.
Justin Albrecht, principal researcher at Lookout, told TechCrunch that the company behind BITTER may be named RebSec Solutions and could be an offshoot of Indian hack-for-hire startup Appin. In 2022 and 2023, Reuters published extensive investigations into Appin and other similar India-based companies, which revealed how these companies were allegedly hired to hack corporate executives, politicians, military officials and others.
Appin was apparently later shut down, but Albrecht noted that the discovery of this new hacking campaign shows that the activity “didn’t go away and they just moved to smaller companies.”
These teams and their customers have “reasonable denial, since they manage all operations and infrastructure.” And for their customers, these hack-for-hire teams are probably cheaper than buying commercial spyware, Albrecht said.
RebSec could not be reached for comment as the company has deleted its social media accounts and website.
Contact us
Do you have more information about RebSec Solutions? Or other hack-for-hire companies? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382 or via Telegram and Keybase @lorenzofb or via email.
Mohammed Al-Maskati, a researcher at Access Now’s Digital Security Helpline who worked on these cases, said “these operations have become cheaper and it is possible to avoid liability, especially because we won’t know who the end customer is and the infrastructure won’t reveal the entity behind it.”
While groups like BITTER may not have the most advanced hacking and spying tools, their tactics can be very effective.
In the attacks that were part of this campaign, the hackers used many different techniques. When targeting iPhone users, hackers tried to trick the targets into giving up their Apple ID credentials so they could then break into their iCloud backups, which would essentially give them access to the full contents of the targets’ iPhones.
This is “potentially a cheaper alternative to using more sophisticated and expensive iOS hacking software,” according to Access Now.
When targeting Android users, the hackers used a spyware called ProSpy disguised as popular messaging and communication apps like Signal, WhatsApp and Zoom, as well as ToTok and Botim, two apps popular in the Middle East.
In some cases, hackers tried to trick victims into signing up and adding a new device — controlled by the hackers — to their Signal account, a technique popular with various hacking groups, including Russian spies.
A spokesman for the Indian embassy in Washington did not immediately respond to a request for comment.
