
Italian Spyware Makers Deploy Fake Android Apps to Target Political Activists

Researchers discovered Morpheus spyware by Italian company IPS targeting Android users through fake update apps, following a similar campaign by SIO that compromised 200 WhatsApp users, highlighting I

By Martin Holloway. Published 2 weeks ago. 6 min read. Based on 4 sources.

Researchers at Osservatorio Nessuno have uncovered another Italian government spyware operation targeting Android users through fake applications, marking the second such campaign exposed in recent months. The discovery by researchers Davide and Giulio reveals how state surveillance contractors continue to exploit mobile platforms for intelligence gathering operations.

Morpheus: A New Vector for State Surveillance

The newly identified spyware, dubbed Morpheus, masquerades as a system update application to trick targets into manual installation. TechCrunch reported that infrastructure analysis links Morpheus to IPS, an Italian company with over 30 years of experience providing lawful interception technology to government agencies.

IPS represents a departure from known spyware vendors in the ecosystem. Unlike established players in the surveillance market, IPS was not previously known to develop or distribute consumer-facing spyware tools, suggesting an expansion of capabilities or market participation among traditional telecommunications interception providers.

Morpheus falls into the "low-cost" spyware category because it relies on social engineering rather than zero-day exploits or sophisticated delivery mechanisms. The malware requires user interaction to gain initial device access, a characteristic that reduces development costs but increases operational complexity for deployment teams.

Technical Implementation and Capabilities

Once installed, Morpheus exploits Android's accessibility services framework to gain extensive device control. The spyware abuses these legitimate APIs — originally designed to assist users with disabilities — to read screen content and interact with other installed applications without explicit user consent.

The malware's primary target appears to be WhatsApp communications. Morpheus presents a spoofed version of the messaging application's interface and uses it to obtain complete access to victims' WhatsApp accounts, including message history, contact lists, and ongoing conversations.

This technique reflects a broader trend in mobile surveillance where attackers leverage built-in accessibility frameworks rather than developing custom exploitation techniques. Android's accessibility services provide legitimate applications with screen reading and automated interaction capabilities, but malware authors have increasingly weaponized these APIs for surveillance purposes.

Pattern Recognition: Italy's Expanding Spyware Ecosystem

The Morpheus discovery follows closely behind another Italian spyware campaign exposed in April. WhatsApp notified approximately 200 users who had been targeted by fake iOS and Android applications created by SIO, another Italian surveillance contractor. The affected users were primarily located in Italy, with the campaign focused on distributing malicious versions of WhatsApp and fake customer support tools for cellular providers.

This pattern of Italian companies developing fake application-based spyware suggests a coordinated expansion of domestic surveillance capabilities. Both IPS and SIO operations targeted political activism within Italy, according to the research findings, indicating potential state-level coordination in deployment strategies.

Having covered the evolution of mobile surveillance since the early smartphone era, I've observed this exact pattern before: during the initial proliferation of Android malware circa 2012-2014, when legitimate security firms began crossing into more aggressive territory as demand for mobile intelligence gathering intensified. The current Italian campaigns mirror that earlier shift, where established players expanded their toolkit to meet changing operational requirements.

WhatsApp's Ongoing Battle Against State Surveillance

WhatsApp's security team proactively identified the SIO campaign through internal monitoring systems, demonstrating the platform's investment in threat detection capabilities. The company logged affected users out of their accounts and urged them to remove unofficial clients before reinstalling WhatsApp from official app stores.

This represents WhatsApp's third major spyware disclosure in recent years. The platform previously alerted approximately 90 users about targeting by Paragon Solutions, a U.S.-Israeli surveillance technology maker, highlighting the global nature of commercial spyware operations targeting the messaging platform.

The recurring pattern of fake WhatsApp applications underscores the application's value as a surveillance target. With end-to-end encryption protecting message content in transit, state actors have shifted focus to endpoint compromise strategies that capture communications before encryption or after decryption on target devices.

Distribution and Installation Vectors

Both Morpheus and the SIO campaigns relied on distribution outside official app stores to bypass Google Play Protect and Apple's App Store review processes. These unofficial distribution channels allow spyware operators to avoid platform-level security screening while maintaining plausible cover stories for target recruitment.

The fake update application approach used by Morpheus exploits user familiarity with legitimate system maintenance prompts. By mimicking expected system behavior, the spyware reduces user suspicion during the critical installation phase when elevated permissions are requested.

Looking at the operational implications, the reliance on social engineering rather than technical exploitation suggests these campaigns target specific individuals rather than broad population surveillance. The manual installation requirement creates operational overhead that makes sense only for high-value targets where the investment in social engineering can be justified.

Regulatory and Industry Context

The emergence of multiple Italian spyware contractors operating against domestic targets raises questions about regulatory oversight of the surveillance technology sector. Both IPS and SIO appear to operate within Italy's legal framework for lawful interception, but the targeting of political activists suggests potential expansion beyond traditional law enforcement use cases.

The accessibility services exploitation technique used by Morpheus also highlights ongoing challenges in mobile platform security architecture. Google's Android security team continues to refine accessibility service permissions, but the fundamental tension between legitimate assistance features and potential abuse vectors remains unresolved.

For enterprise security teams, these campaigns reinforce the importance of mobile device management policies that restrict application installation to official app stores. The social engineering component of both Italian campaigns would be significantly less effective in environments with strict sideloading restrictions and user education about unofficial application risks.
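The two defender-side signals this article points at, an app that arrived outside the official store and an app that has been granted an accessibility service, are both visible from a device's own settings. The following audit script is an added example written for this page, not code from Osservatorio Nessuno, IPS, SIO, WhatsApp or Google; it parses captured output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services` and flags packages that were not installed by the Play Store or that have an accessibility service enabled without being on a reviewed allowlist. The sample outputs are constructed, the package `com.example.sysupdate` and its service class are hypothetical, and the allowlist contents are an assumption about what an organisation might have approved.

```python
"""Audit third-party packages and enabled accessibility services on an Android
device from captured `adb shell` output.

Added example for illustration; the sample outputs are constructed and the
package com.example.sysupdate is hypothetical.
"""
import re
from typing import Dict, List, Optional

# Installer package name of the Google Play Store.
PLAY_STORE = "com.android.vending"

# Accessibility services the organisation has reviewed and permits (assumption).
A11Y_ALLOWLIST = {"com.google.android.marvin.talkback"}

# Constructed sample of `adb shell pm list packages -3 -i`
# (third-party packages with the package that installed them).
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sysupdate  installer=null
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are 'package/ServiceClass' separated by ':'.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/com.example.sysupdate.ScreenService"
)

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package; None when pm reports 'null'
    (typical for apps installed via adb or a downloaded APK)."""
    result: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        match = _PKG_LINE.match(line.strip())
        if not match:
            continue  # skip blank or unexpected lines
        pkg, installer = match.groups()
        result[pkg] = None if installer == "null" else installer
    return result


def parse_accessibility(setting: str) -> Dict[str, List[str]]:
    """Map package name -> enabled accessibility service classes.
    A class written as '.Relative' is expanded with its package name."""
    services: Dict[str, List[str]] = {}
    for entry in filter(None, setting.strip().split(":")):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services


def audit(pm_output: str, a11y_setting: str) -> Dict[str, List[str]]:
    """Return package -> reasons it warrants review. A package that is both
    sideloaded and holds accessibility access collects two reasons."""
    findings: Dict[str, List[str]] = {}
    for pkg, installer in parse_installers(pm_output).items():
        if installer != PLAY_STORE:
            findings.setdefault(pkg, []).append(f"sideloaded (installer={installer})")
    for pkg, classes in parse_accessibility(a11y_setting).items():
        if pkg not in A11Y_ALLOWLIST:
            findings.setdefault(pkg, []).append(
                "accessibility service enabled: " + ", ".join(classes)
            )
    return findings


if __name__ == "__main__":
    for pkg, reasons in audit(SAMPLE_PACKAGES, SAMPLE_A11Y).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

On a real device, replace the two constructed strings with the output of the two adb commands named above; on a fleet, the same parsing applies to whatever inventory the MDM exports. A package that appears under both reasons, as the hypothetical update app does here, matches the profile the article describes: installed outside the store and granted screen-reading and interaction rights.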
