Security researchers uncovered a hack-for-hire operation that deployed Android spyware and phishing attacks to steal iCloud credentials and compromise devices. The campaign, detailed in a report published on Tuesday, targeted both Android users and those with iCloud backups linked to Apple devices.
The group used custom spyware disguised as legitimate apps to infiltrate Android devices. Once installed, the malware collected sensitive data including messages, call logs, and location information. For iCloud targets, the attackers relied on phishing emails that mimicked Apple’s security alerts, tricking users into entering their login details on fake login pages.
Researchers from ThreatFabric and Zimperium identified the operation after analyzing samples collected in late 2025. Their findings show the spyware was active for at least six months, with victims in Europe and Southeast Asia. The attackers used command-and-control servers based in Eastern Europe to exfiltrate stolen data.
Apple responded by revoking the certificates used to sign the malicious apps and updating its phishing detection systems. Google also removed related apps from the Play Store. The company behind the campaign remains unidentified, but evidence points to a commercial surveillance vendor with ties to known mercenary spyware groups.
This case follows a 2024 report by Citizen Lab that exposed similar hack-for-hire operations targeting journalists and activists. It highlights the growing threat of commercial spyware being used against civilians.
Source: techcrunch.com