Hackers are targeting Android and iCloud backups in 2026
Hackers-for-hire are targeting Android devices and iCloud backups with cheap, effective hacking tactics that can still do real damage. If you use Android, iPhone, Signal, WhatsApp, or cloud backups, this matters to you. Recent research from Access Now, Lookout, and SMEX says these hacks targeted journalists, activists, and officials across the Middle East and North Africa between 2023 and 2025. The bigger point is simple: the same playbook can be reused anywhere.
This is not just a story about elite spyware. In several cases, attackers used phishing, fake app installs, and account-linking tricks instead of expensive zero-click hacks. That makes the threat easier to run and harder to trace.
What researchers found
The campaign was documented by Access Now, Lookout, and SMEX. Researchers tied the activity to a hack-for-hire operation that appears to have targeted:
- Two Egyptian journalists
- One Lebanese journalist
- Civil society targets in Egypt and Lebanon
- Possible government-related targets in Bahrain and Egypt
- Additional targets in the UAE, Saudi Arabia, the UK, and possibly the US
According to the reports, the attacks happened from 2023 to 2025. Researchers said the operators used a mix of phishing, Android spyware, and account compromise methods focused on cloud data and messaging access.
A detail that stands out to me: attackers did not always need the most advanced tools. They used practical methods that many people still fall for.
How the hacks targeting Android and iCloud backups worked
The campaign used two main paths.
1. Apple ID phishing to access iCloud backups
Attackers tried to steal Apple ID credentials through phishing. If they got those credentials, they could log in and access iCloud backups.
Why that matters:
- iCloud backups can contain a large amount of personal data
- A backup may reveal messages, app data, photos, contacts, and device details
- Attackers may not need to fully break into the iPhone itself if they can get the backup
This is one reason iCloud backups are such an attractive target. Your backup can become a copy of your digital life.
2. Android spyware disguised as trusted apps
For Android targets, researchers said the group used spyware known as ProSpy. The malware was disguised as apps people already trust, including:
- Signal
- WhatsApp
- Zoom
- ToTok
- Botim
Once installed, the spyware could take over the device and collect data.
That fake-app trick still works because people act fast when they think a friend, colleague, or source sent them an urgent link.
3. Signal account tricks
In some attacks, the hackers tried to get victims to register and link a new device to their Signal account. That new device was controlled by the attackers.
If that works, the victim may keep using Signal without realizing someone else is reading along.
Why hire hackers instead of using commercial spyware?
The reports point to a growing business model: governments or clients outsource hacking to private firms.
Researchers say this setup offers two big benefits to buyers:
- Plausible deniability
- Lower cost than high-end commercial spyware
Lookout suggested the operators may be connected to a hack-for-hire vendor with links to BITTER APT, a group some cybersecurity firms suspect has ties to the Indian government. Researcher Justin Albrecht also said the activity may connect to smaller firms that emerged after the shutdown of Appin, an Indian startup long linked in public reporting to this sector.
One suspected company named in reporting was RebSec. That reporting says the company could not be reached for comment and had deleted its website and social media accounts.
The key takeaway for you is not just who did it. It is how easy this market has become. Hacking for hire can be cheaper, outsourced, and built to hide the real customer.
Why journalists, activists, and officials were targeted
These victims often hold sensitive information:
- Source communications
- Investigation notes
- Travel details
- Private contact lists
- Policy discussions
- Family and personal records
If you work with sensitive contacts, your backups and messaging accounts are not just your problem. They can expose everyone around you.
That is why even a simple phishing page can have big real-world consequences.
Why iCloud backups are a high-value target
People sometimes think cloud backups are boring technical stuff. They are not. Backups are often the easiest way for an attacker to collect a lot of information at once.
A compromised backup may include:
- Photos and videos
- Contacts
- Notes
- Device settings
- App data
- Message-related data depending on app and settings
If you rely on backups, keep using them. Do not stop backing up out of fear. Instead, secure the account that protects the backup.
How to protect your Android phone and iCloud backups
You do not need to be a journalist in a high-risk country to learn from this. These steps help almost everyone.
Protect your Apple ID and iCloud
- Use a strong, unique password for your Apple ID
- Turn on multi-factor authentication
- Never enter your Apple ID after clicking a link in email or chat
- Go directly to Apple through the app or official website
- Review trusted devices and remove any you do not recognize
- Watch for login alerts and password reset prompts you did not request
Protect your Android device
- Install apps only from trusted stores and verified publishers
- Be suspicious of APK files shared in chats, email, or social posts
- Update Android and apps quickly
- Use Google Play Protect and built-in security checks
- Set a strong screen lock
- Review app permissions and remove apps you do not fully trust
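One way to act on the trusted-store advice above, as an added example that is not part of the original article: a Python script that reads the text printed by `adb shell pm list packages -i -3` (third-party packages with their recorded installer) and lists the apps that did not come from Google Play. The sample listing is constructed, the `com.example.*` package names are invented, and the Play-only allowlist is an assumption you can change.

```python
import re

# Installers treated as trusted; com.android.vending is Google Play.
# Assumption: a Play-only policy. Extend the set for other vetted stores.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -i -3` looks like:
#   package:com.example.app  installer=com.android.vending
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)(?:\s+installer=(?P<inst>\S+))?\s*$")


def parse_packages(listing):
    """Return {package_name: installer or None} from the listing text."""
    result = {}
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and unrelated adb output
        inst = m.group("inst")
        # pm prints the literal word "null" when no installer is recorded
        result[m.group("pkg")] = None if inst in (None, "null") else inst
    return result


def sideloaded(listing, trusted=TRUSTED_INSTALLERS):
    """Packages whose installer is missing or not in the trusted set."""
    pkgs = parse_packages(listing)
    return sorted(p for p, inst in pkgs.items() if inst not in trusted)


# Constructed sample output; the last two package names are invented.
SAMPLE = """\
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.securechat  installer=null
package:com.example.meeting.update  installer=com.google.android.packageinstaller
"""

if __name__ == "__main__":
    for pkg in sideloaded(SAMPLE):
        print("review:", pkg)
```

A flagged package is not proof of spyware. It is an app to check against where you actually got it, and to remove if you cannot account for it.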
Protect Signal and other messaging apps
- Be careful with prompts to link new devices
- Verify unexpected requests with the sender through another channel
- Check linked devices regularly
- Turn on registration lock or similar account protections when available
Reduce damage if something goes wrong
CISA recommends a few basics that still matter a lot:
- Encrypt your devices
- Back up your data securely
- Keep external backups disconnected when not in use
- Store recovery keys safely
- Use software updates to cut malware risk
- Stay alert to phishing
If your phone holds sensitive work, consider separating that work from your personal device.
Red flags that should make you stop immediately
Watch for these warning signs:
- A message tells you to urgently re-login to iCloud, Signal, or WhatsApp
- Someone asks you to install a new secure chat app from a direct link
- A familiar app name appears, but the download source looks strange
- You get a request to scan a code or link a new device you did not expect
- An account alert appears for a login, password reset, or device registration you did not initiate
When in doubt, slow down. Attackers count on speed and stress.
What this means for everyday users
You may not be the main target, but the tactics used here are not rare. That is the part worth paying attention to.
These hacks targeting Android and iCloud backups show that attackers do not always need a flashy exploit. Sometimes all they need is:
- A believable phishing page
- A fake app
- A rushed target
- Weak account security
That combination is enough to cause serious loss of privacy.
FAQ: What you need to know about hacks targeting Android and iCloud backups
What is a hack-for-hire group?
A hack-for-hire group is a private company or operator paid to run cyberattacks for a client. That client may be a government, business, or another organization that wants information or access.
How are hackers targeting iCloud backups?
Researchers say attackers used phishing to steal Apple ID credentials. Once they had those credentials, they could access iCloud backups and collect sensitive data stored there.
How are hackers targeting Android phones?
In this campaign, attackers used Android spyware called ProSpy. It was disguised as common apps such as Signal, WhatsApp, Zoom, ToTok, and Botim. Once installed, it could take control of the device.
Can Signal accounts be hacked without breaking Signal itself?
Yes. Attackers may not need to crack Signal encryption. They can trick you into linking a device they control to your account or steal access through phishing and social engineering.
Who was targeted in this campaign?
Documented victims included journalists in Egypt and Lebanon. Researchers also reported possible targets in Bahrain, Egypt, the UAE, Saudi Arabia, the UK, and potentially the US.
Why are iCloud backups so valuable to hackers?
Backups can contain large amounts of personal and work-related data in one place. If attackers get backup access, they may learn far more than they would from a single message or photo.
Is this only a risk for activists and journalists?
No. Those groups may face higher risk, but the methods used here can be used against business users, students, executives, and everyday people.
What should you do first to protect yourself?
Start with the basics: turn on multi-factor authentication, use unique passwords, update your phone, avoid app installs from unknown links, and review your linked devices and account activity.
Final thoughts
The biggest lesson from this story is simple. Expensive spyware is not the only problem anymore. Hackers-for-hire targeted real people using cheaper tricks that still worked.
If you use Android, iCloud backups, or secure messaging apps, take ten minutes today and check your accounts, your apps, and your linked devices. That small step could save you from a very big mess.

