Italian Spyware Makers Are Using Fake Apps to Spy on Activists

A group of researchers has found a new spyware operation targeting Android phones. The malicious software, called Morpheus, is designed to look like a system update in order to trick people into downloading it. It appears to come from an Italian company called IPS, which has been supplying surveillance technology to the Italian government for over 30 years.

This is the second such discovery in recent months. Another Italian surveillance company called SIO was caught earlier this year spreading fake versions of WhatsApp and fake customer support apps for phone companies.

How Morpheus Works

Once installed on a phone, Morpheus takes advantage of a feature in Android designed to help people with disabilities. That feature, called accessibility services, is meant to let apps read what is on your screen and help you interact with other apps without having to tap the screen yourself. Morpheus hijacks this feature to spy on you without your knowledge.

The spyware's main target appears to be WhatsApp. It creates a fake version of WhatsApp to steal your messages, contacts, and chat history. The trick works because it pretends to be something legitimate — a system update, or a fake WhatsApp — when it is actually malware.

Morpheus is considered "low-cost" spyware. Rather than exploiting complex technical vulnerabilities, it relies on tricking people into installing it manually. This is cheaper to build but requires more effort to deploy, since the attacker has to convince each person to install it on their phone.

A Pattern Across Italy

The fact that two different Italian companies are doing this around the same time raises questions. Both IPS and SIO targeted people involved in political activism in Italy. It suggests that these campaigns may be coordinated at a government level.

I have seen similar patterns in the history of surveillance technology. When smartphones first became common around 2012 to 2014, security companies that had been working legitimately began to expand into more aggressive spyware operations as government demand for mobile surveillance grew. What we are seeing now mirrors that shift — established companies are adding new tools to their capability.

Why WhatsApp Keeps Getting Targeted

WhatsApp has been alerted to three major spyware campaigns targeting its users in recent years. The reason is straightforward: WhatsApp encrypts your messages so nobody can read them during transmission. When that fails, the only way to read someone's messages is to break into their phone itself. That is why spyware makers focus on getting inside the device rather than trying to intercept messages in transit.

According to reporting by TechCrunch, WhatsApp's security team found the SIO campaign through their own monitoring systems. The company logged affected users out and told them to delete the fake apps and reinstall the real one from the official app store.

How People Get Infected

Both campaigns trick people into installing fake apps outside of the official app stores. By avoiding Google Play and the Apple App Store, the malware makers bypass the safety checks these platforms run on apps before they are made available. The attackers create a fake reason to install the app — a system update that needs installing, or a WhatsApp version you do not have yet — that feels real.

The fake update approach works because people are used to their phones asking them to install updates. The spyware just mimics that familiar prompt. This social engineering approach means the attack targets specific individuals rather than trying to infect many people at once. Each person has to be individually tricked into installing the malware.

What This Means for Users and Organizations

The broader context here is that these campaigns show the limits of what app stores can protect you against. If you download an app from outside the official Google Play or Apple App Store, you lose those safety checks. Spyware makers rely on this fact.

For people managing phones in workplaces, these campaigns underscore the value of mobile device management policies that prevent people from installing apps from unofficial sources. The social engineering that makes these campaigns work becomes far less effective when users are educated about the risks and restricted to official app stores.

The recurring problem these campaigns highlight is a tension built into mobile phones. Features designed to help people with disabilities — like accessibility services — become tools that spyware can abuse. Phone makers continue to refine how these features work, but the fundamental balance between legitimate help and potential misuse remains difficult to solve.