Hack-for-hire groups now exploit Android spyware and iCloud gaps
Published: Apr 9, 2026 at 06:41 UTC
- Android spyware bypasses Play Protect defenses
- Phishing tricks steal iCloud credentials for full device access
- Mercenary hackers blur line between state actors and criminals
The hack-for-hire industry just got more brazen. Researchers at Citizen Lab and Google’s TAG team uncovered a coordinated operation using commercially available Android spyware—not custom zero-days—to infiltrate devices while simultaneously phishing iCloud credentials. The attackers didn’t need cutting-edge exploits; they chained off-the-shelf tools with social engineering, exposing how far mercenary groups have professionalized.
The Android malware, disguised as legitimate apps, slipped past Google Play Protect by abusing accessibility permissions to siphon messages, contacts, and location data. Meanwhile, victims received convincing iCloud phishing links—often via SMS or compromised emails—that mimicked Apple’s password reset flow. Once inside, attackers pulled full backups, effectively owning the device without ever touching it.
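One defender-side check that follows from the accessibility-abuse point above, as an added example that is not part of the article or of any tool it mentions: audit which apps on an Android device currently hold accessibility service access and flag anything outside an allowlist. It assumes the input is the value printed by `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/class` component names); the allowlist and the sample value are constructed for illustration.

```python
"""Audit enabled Android accessibility services against an allowlist.

Added example, not from the article. The raw input mimics the
`enabled_accessibility_services` secure setting, a colon-separated list
of component names "package/class", where the class may be abbreviated
to ".Class" relative to its package.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    package: str
    cls: str


def parse_enabled_services(raw: str) -> list[Component]:
    """Split the setting string into components; empty or "null" yields []."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    out: list[Component] = []
    for entry in raw.split(":"):
        if not entry:
            continue
        pkg, sep, cls = entry.partition("/")
        if not sep:
            continue  # malformed entry without a class part: skip it
        if cls.startswith("."):
            cls = pkg + cls  # expand abbreviated class name
        out.append(Component(pkg, cls))
    return out


# Hypothetical allowlist: packages an organisation knowingly grants this
# permission (TalkBack screen reader builds). Adjust to your fleet.
ALLOWED_PACKAGES = frozenset({"com.android.talkback",
                              "com.google.android.marvin.talkback"})


def unexpected_services(raw: str, allowed=ALLOWED_PACKAGES) -> list[Component]:
    """Return enabled accessibility services whose package is not allowlisted."""
    return [c for c in parse_enabled_services(raw) if c.package not in allowed]


# Constructed sample: a legitimate screen reader plus an unknown "weather" app.
SAMPLE = ("com.google.android.marvin.talkback/"
          "com.google.android.marvin.talkback.TalkBackService"
          ":com.example.weather/.SyncService")

if __name__ == "__main__":
    for c in unexpected_services(SAMPLE):
        print(f"review: {c.package} ({c.cls}) holds accessibility access")
```

On a managed fleet the same check runs against each device's setting value collected by the MDM or by `adb`, and any hit is a candidate for removal and for correlating with the SMS and contact access the article describes.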
This isn’t a nation-state campaign with unlimited resources. It’s a for-profit service selling access to journalists, executives, and activists, according to TechCrunch’s reporting. The tools are cheap enough for mid-tier criminals but sophisticated enough to evade detection for months. That’s the real shift: spyware-as-a-service now rivals APT groups in effectiveness.
The new normal: off-the-shelf spy tools outpace consumer defenses
For users, the exposure is immediate. Android’s fragmented security model—where manufacturers and carriers delay patches—means even updated devices remain vulnerable to permission-based attacks. Apple’s iCloud backups, while encrypted in transit, become a single point of failure if credentials are stolen. The Electronic Frontier Foundation notes that two-factor authentication (2FA) via SMS is now effectively useless against these phishing kits.
The industry’s response reveals the gaps. Google’s new malware policies target spyware apps, but enforcement lags behind obfuscation techniques. Apple’s Advanced Data Protection for iCloud—end-to-end encryption—remains opt-in, leaving most users exposed by default. Meanwhile, mercenary groups like this one operate in legal gray zones, selling to the highest bidder while avoiding direct attribution.
The bigger problem? This isn’t an outlier. Lookout Security tracks dozens of similar groups offering cross-platform surveillance packages. The barrier to entry for high-impact hacking has never been lower—just a credit card and a target list. Regulators are still debating how to classify these services, let alone stop them.