Italian Spyware Makers Use Fake Apps to Target Political Activists
Security researchers at Osservatorio Nessuno have found another spyware campaign run by an Italian company targeting Android phones through counterfeit applications. This is the second such discovery in recent months, and it reveals how government contractors continue to exploit mobile devices for surveillance.
Morpheus: A New Spyware Tool
The newly identified spyware, called Morpheus, tricks users by posing as a system update. TechCrunch reports that the evidence points to IPS, an Italian company that has spent over 30 years providing lawful interception technology—essentially tools that governments use to legally monitor communications—to government agencies.
IPS is different from most known spyware vendors. The company traditionally focused on telecommunications interception rather than consumer-facing malware, which suggests it has expanded into new territory.
Morpheus is classified as "low-cost" spyware because it relies on social engineering—tricking people into installing it—rather than finding hidden security flaws or complex delivery methods. The malware needs a person to manually install it, which makes development cheaper but harder to deploy at scale.
How Morpheus Works
Once installed, Morpheus exploits Android's accessibility services—a set of built-in features originally designed to help people with disabilities use their phones. Once a user enables an accessibility service for an app, that app can read what is on the screen and operate other apps without asking again for each action. Morpheus abuses this permission to spy on you.
The spyware's main target is WhatsApp. It creates a fake WhatsApp login screen to steal your account information, including your message history, contacts, and ongoing conversations.
This approach is becoming common among mobile spyware makers. Rather than discovering entirely new security holes, they weaponize features that were built with good intentions. Android's accessibility tools are genuinely useful for accessibility apps, but malware writers have found a way to misuse them.
A Pattern in Italy
This discovery follows another Italian spyware campaign exposed in April. WhatsApp alerted roughly 200 users in Italy who had been targeted with fake WhatsApp apps and phony customer support tools created by SIO, another Italian surveillance company. Both campaigns appear to have focused on political activists in Italy.
The fact that two separate Italian companies are running similar campaigns raises a question: is this coordinated at the government level? It's hard to say from the available evidence, but the timing and targeting suggest some level of alignment.
Having watched mobile surveillance evolve since the early smartphone days, I've seen this pattern before. Around 2012 to 2014, as demand for mobile spy tools grew, legitimate security contractors started crossing into more aggressive territory. What's happening now in Italy mirrors that shift: established players are expanding their capabilities to meet shifting operational needs.
WhatsApp's Response
WhatsApp's security team detected the SIO campaign through its own internal monitoring systems and logged affected users out of their accounts. The company told them to delete the fake apps and reinstall WhatsApp from the official app store.
This is the third major spyware disclosure for WhatsApp in recent years. The company previously warned about 90 users targeted by Paragon Solutions, a U.S.-Israeli surveillance firm. These repeated attacks show how global this problem has become.
The reason spyware makers keep targeting WhatsApp is straightforward: the app uses end-to-end encryption, which scrambles messages in transit so only the sender and recipient can read them. That protection pushes attackers to bypass encryption altogether by compromising the device directly—reading messages before they're encrypted or after they're decrypted on the target's phone.
How These Fake Apps Spread
Both Morpheus and the SIO campaign distributed their fake apps outside the Google Play Store and Apple's App Store. This side-loading approach lets them avoid the security screening that official app stores perform.
The fake update app tactic works because people expect their phones to prompt them for updates. By mimicking a normal system update, the spyware reduces suspicion right when it's asking for permission to access sensitive features.
The operational logic here matters. These campaigns rely entirely on tricking specific people rather than finding a technical weakness to exploit millions of devices at once. The manual installation requirement is expensive in terms of effort, which only makes sense if you're targeting high-value individuals where the time investment is worth it.
The Bigger Picture
These Italian campaigns raise a real concern about regulatory oversight. Both IPS and SIO appear to operate within Italy's legal framework for government surveillance, but the fact that they're targeting political activists—rather than just criminals or national security threats—suggests the scope of who counts as a valid surveillance target may be expanding.
There's also a design challenge on Android's side. Google has made improvements to how accessibility services work, but there's a fundamental tension built into the system: these features genuinely help people with disabilities, yet they can also be misused. Fully closing this loophole without breaking legitimate accessibility tools is difficult.
For anyone managing security at a company or organization, these cases underscore a simple principle: restrict employees to installing apps only from official stores like Google Play or the App Store. The social engineering in both Italian campaigns would be far less effective if people couldn't sideload applications in the first place. Combined with basic training about the risks of unofficial apps, this is solid defense.
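One way to audit a managed Android device for the combination both campaigns relied on, a sideloaded app holding an enabled accessibility service. This is an added example, not code from the article or the researchers; it parses captured output of the adb commands named in its comments, and the package names and sample output are constructed.

```python
# Added example: flag enabled accessibility services owned by sideloaded apps.
# Inputs are captured output of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i   (package plus installer)
#   adb shell pm list packages -s   (preinstalled system packages)
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add an MDM store if used

def parse_enabled_services(raw):
    """'pkg/cls:pkg2/cls2' -> {pkg: [component, ...]}; 'null' or empty -> {}."""
    services = {}
    if raw.strip() in ("", "null"):
        return services
    for component in raw.strip().split(":"):
        pkg = component.split("/", 1)[0].strip()
        if pkg:
            services.setdefault(pkg, []).append(component.strip())
    return services

def parse_packages(raw):
    """'package:NAME  installer=X' lines -> {NAME: X, or None if absent/null}."""
    packages = {}
    for line in raw.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        name = fields[0][len("package:"):]
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field[len("installer="):]
        packages[name] = installer
    return packages

def find_suspect_services(services_raw, installers_raw, system_raw):
    """Return (package, installer, components) for non-system packages that hold
    an enabled accessibility service and did not come from a trusted store."""
    services = parse_enabled_services(services_raw)
    installers = parse_packages(installers_raw)
    system = set(parse_packages(system_raw))  # e.g. a vendor screen reader
    findings = []
    for pkg, components in sorted(services.items()):
        installer = installers.get(pkg)
        if pkg not in system and installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, installer, components))
    return findings

# Constructed sample output; all com.example.* package names are hypothetical.
SERVICES = "com.example.screenreader/.ReaderService:com.example.systemupdate/.UpdateService:com.example.pwmanager/.AutofillService"
INSTALLERS = "package:com.example.screenreader  installer=null\npackage:com.example.systemupdate  installer=null\npackage:com.example.pwmanager  installer=com.android.vending\npackage:com.whatsapp  installer=com.android.vending"
SYSTEM = "package:com.example.screenreader"
print(find_suspect_services(SERVICES, INSTALLERS, SYSTEM))
```

A finding is a prompt for review, not proof of compromise: a legitimately sideloaded accessibility tool will be flagged as well.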


