Samsung’s ‘Aura’: Israeli Spyware in Your Pocket

If you own a Samsung A or M series phone and live in the Middle East or North Africa, you are likely being monitored, with data collected through your device by the South Korean tech giant on behalf of “Israel.”

This follows revelations that Samsung allowed the installation of a covert application developed by an Israeli company, IronSource, which harvests personal data, posing significant risks, especially if you are a potential target of Israeli surveillance.

The latest disclosure comes in the wake of the pager explosion in Lebanon, and now, attention has turned to Samsung phones, used by millions of Arab consumers, which have been found to contain Israeli software that leaks sensitive information.

Samsung entered into an agreement with IronSource, an Israeli firm, to pre-install this hidden app on Samsung phones sold exclusively in the Arab world (the MENA region), without the knowledge of the device owners.

This controversial partnership raises serious concerns about possible espionage or cyberattacks, with experts warning that the software could compromise the security of these devices. 

The spyware could allow future attacks targeting communication networks or disrupt critical infrastructure in the region.

Adding to the alarm, tech specialists have highlighted that the Israeli app is particularly difficult to remove; once deleted, it reinstalls itself automatically, making it nearly impossible for users to protect their privacy.

This marks the fourth revelation of Israeli espionage tactics being used against Lebanese and Arabs, following the discovery of bombs in Pager devices, the infiltration of Walkie-Talkie communication systems used by Hezbollah, and the jamming of aviation navigation systems and GPS devices.

Spyware Deal

The Lebanese digital rights platform, Social Media Exchange (SMEX), which advocates for human rights in digital spaces across West Asia and North Africa, was the first to reveal that Samsung had signed a partnership agreement with the Israeli company IronSource back in 2022.

The deal allows IronSource to pre-install its AppCloud application on Samsung’s A and M series phones before they reach consumers.

On October 29, 2024, SMEX disclosed that the South Korean tech giant, Samsung, and the Israeli firm IronSource had agreed to load this app onto phones sold in the Middle East and Africa, including Lebanon.

The app, according to SMEX, provides access to personal information from the phone's owner, as well as other sensitive data.

The AppCloud application, in turn, installs another program called Aura, which secretly downloads additional software without the user’s knowledge, particularly affecting devices distributed in Lebanon and across the Arab region.

The app in question allows access to users' data, including sensitive information such as IP addresses, device fingerprints, and personal details, enabling the identification and geographical location of the phone’s owner — potentially facilitating surveillance or even targeting for assassination.

This could also help explain the mystery behind Israeli ability to easily track and target Hezbollah figures across Lebanon, Syria, and other regions, even after the dismantling of explosive pager devices. 

It underscores the urgent need for the Middle East to develop independent communication systems.

A report by SMEX highlights the alarming reality that the Israeli app can be installed on Samsung phones without the owner's knowledge, with removal proving nearly impossible due to the complex technical hurdles involved. 

Even those who manage to disable the app find it reappears automatically, confirming its nature as high-tech spyware.

The app in question, AppCloud, which has been surreptitiously embedded in Samsung devices for over a year, was first flagged by a user in an August 2023 post on the company’s support forum, titled "How can I remove AppCloud?" 

Spyware installation raises concerns that the app has been silently present in phones long before Operation al-Aqsa Flood and the ongoing war.

Data Harvesting or Assassination?

The Israeli war on Lebanon has brought renewed focus on the issue of espionage and electronic interference, with the bombing of pager devices used by thousands of Lebanese citizens, marking yet another chapter in the ongoing conflict.

This raises critical questions: Is the installation of spyware on Samsung devices aimed at collecting data, or is it a more sinister effort, akin to the Pager incident, to facilitate targeted killings?

Abed Kataya, media program director at the Lebanese digital rights platform SMEX, confirmed that “the Israeli application is often pre-installed on [Samsung] devices,” before purchase, and updates occur without the user’s consent. 

Kataya explained that this practice extends to over 50 markets in the Middle East and North Africa, indicating that the data harvesting operation is not limited to Lebanon alone.

The AppCloud app installs another program called Aura, which prompts users to download additional apps, all of which contribute to collecting personal data, including device information and biometric identifiers like fingerprints. 

Data harvesting makes it easier to track and identify the device's owner.

Perhaps most concerning, says Kataya, is that the app’s activities cannot be stopped or any permissions it requests are denied. 

While AppCloud claims to uphold privacy policies by allowing users to opt out of data collection, in practice, trying to delete it from the device reveals an impossible-to-find form that must be completed. 

Deleting the app, according to Kataya, requires technical expertise well beyond the average user’s capacity.

Kataya explained that users can access their device settings, navigate to the Apps section, search for the AppCloud app, and press the disable button. 

However, they may still be unable to completely remove the app from the device, even after disabling it.

The app may seem disabled on the surface but continues to run covertly in the background.

Kataya argues that Samsung's partnership with the Israeli company IronSource—a deal restricted to regions marked by geopolitical tensions and instability—suggests the South Korean giant may have knowingly or unknowingly facilitated Israeli espionage against Arabs.

The exposure of this spyware raises critical questions about how “Israel” could exploit the collaboration between Samsung and IronSource to carry out cyberattacks, or perhaps, these attacks have already occurred—similar to the Pager incident—in what are known as supply chain attacks. 

These attacks typically involve infiltrating trusted systems, such as widely used devices and software, to gather intelligence or implant surveillance tools.

As reported by Al-Estiklal, the Israeli military has consistently sought technological advantages, preparing for future conflicts in Lebanon and the wider region through proactive cyber and technological advancements. 

The partnership with IronSource allowed “Israel” to collect valuable intelligence on Lebanese citizens long before the current conflict erupted, including gaining access to communication devices used by Hezbollah operatives.

The Israeli use of the AppCloud app to target Samsung’s A and M series phones—models marketed primarily to middle and lower-income populations—was likely strategic. 

Their lower price point made these devices more accessible, thus facilitating the spread of spyware and widening the scope of data collection.

Could “Israel” resort to detonating devices that have been infected with malicious software, especially given that these phones are connected to the internet, unlike the pagers and walkie-talkies?

A tech expert ruled out the possibility of “Israel” resorting to a mass detonation of mobile phones carrying this app or similar software in the Arab region. 

The expert cited economic concerns, noting the potential fallout on international trade should such an action occur, as well as Israeli commercial ties with global companies, including its American allies.

He argues that if “Israel” were to somehow detonate Samsung, Huawei, or iPhone devices, it would trigger a global trade crisis that could destabilize the smartphone industry, one that neither the United States, China, nor South Korea could afford to tolerate.

There are other intelligence-related reasons as well: the purpose of implanting spyware and surveillance programs is to gather information, and detonating the phones would deprive the Israeli Occupation of a crucial communication tool, one that allows it to infiltrate and eavesdrop on its targets.

Companies supporting Israeli Occupation

The infiltration of Israeli spyware into global tech products raises troubling questions about how and why multinational companies continue to allow their devices and technologies to be manipulated in ways that may harm their economic interests.

The truth is that many of these companies, most of them American or heavily aligned with the U.S., are complicit in supporting the Israeli occupation, often out of economic considerations or due to pressure from powerful pro- “Israel” lobbies.

These firms, some argue, cooperate with “Israel” to benefit from its advancements in programming and technology, or because they fear the influence of global Israeli networks.

According to foreign reports, Israeli cyber operations infiltrate global tech companies—sometimes through employees who leak sensitive data or through direct collaborations with firms that support “Tel Aviv.”

One prominent case involved a protest in 2021 by 300 Google employees and 90 Amazon workers who signed an internal letter demanding their companies withdraw from Project Nimbus, a controversial deal to supply the Israeli Occupation Forces with dangerous technology used to target Palestinians.

Rather than halting the project, these workers faced retaliation and were fired, as The Intercept reported in November 2023. 

The $1.2 billion Nimbus deal, which provides cloud services to the Israeli military and government, has been a point of contention among tech workers and human rights advocates alike.

The most recent incident occurred in April 2024, when 28 Google employees were dismissed after staging a protest against the project, further fueled by revelations that the technology was being used in war crimes committed in Gaza. 

This marks a growing trend where tech giants, rather than reevaluating their complicity, continue to back the Israeli military-industrial complex, despite rising moral and legal concerns.

A report by Time magazine on April 12, 2024, revealed an internal document confirming that Google provides cloud computing services to the Israeli Ministry of Defense, deepening its partnership despite the ongoing genocide in Gaza.

“The Israeli Ministry of Defense, according to the document, has its own “landing zone” into Google Cloud—a secure entry point to Google-provided computing infrastructure, which would allow the ministry to store and process data, and access AI services,” as reported by Time.

The contract shows that Google invoices “the Israeli Ministry of Defense over $1 million for the consulting service.”

On April 5, 2024, The Intercept reported protests against Google for supplying technology to the Israeli military to carry out "robotic crimes" — namely, the killing of Gaza’s civilians.

Protesters lay down on the ground wrapped in white sheets with a modified Google logo reading "Genocide," demanding an end to the company’s collaboration with the Israeli government.

According to The Intercept, the Israeli military used Google's programs for facial recognition to track Palestinians attempting to flee airstrikes or search for food to feed their families. 

“Many of those arrested or imprisoned, often with little or no evidence, later said they had been brutally interrogated or tortured,” as reported by The Intercept.

An Israeli official told The New York Times that Google’s facial recognition worked better than any alternative technology, helping “Israel” compile a “hit list” of Hamas fighters.

Furthermore, Google Maps and Waze were used by the Israeli military to disable live traffic updates in the occupied Palestinian territories ahead of the Israeli ground invasion of Gaza, according to Bloomberg.

In addition, an investigative report by +972 magazine highlighted that “Israel” uses artificial intelligence to target and kill Palestinians. 

Interviews with six Israeli military intelligence officers revealed that AI programs in Unit 8200 — responsible for cyber security and espionage — have been used to target and assassinate Palestinians.

Since the war began in Gaza, two AI-driven programs have been developed for this purpose. 

One, "Lavender," helped prepare a "kill list" of nearly 37,000 Palestinians for targeting without confirming their identities. 

The other additional automated system, “Where’s Daddy?”, scanned Gaza’s population using big data, identifying names, identities, and addresses, leading to the mass extermination of Palestinian families.

Additionally, on April 11, 2023, Citizen Lab, a Canadian research organization, revealed a new Israeli spyware program similar to the notorious Pegasus. 

The software, bought by governments including Saudi Arabia, the UAE, and Morocco, was used to target journalists and political opponents across multiple countries.

The program, developed by an Israeli company called Quadream Ltd — founded by a former Israeli military officer and ex-NSO Group employees — has already been linked to espionage activities. 

Citizen Lab identified the victims “include journalists, political opposition figures, and an NGO worker,” confirming its widespread use in surveillance.