Another Spyware Maker Exposed: Fake Android Apps Hide Italian Surveillance Tool

A new report just blew the cover off yet another government spyware operation. And this one used a surprisingly simple trick to sneak onto targets’ phones.

Italian digital rights organization Osservatorio Nessuno published findings Thursday on a previously unknown piece of malware called Morpheus. The spyware disguised itself as a routine phone update app. And according to researchers, it links back to IPS, an Italian company that’s been quietly selling surveillance tools for over 30 years.

How the Fake Update Scam Worked

The infection method here wasn’t particularly sophisticated. But it was clever enough to fool real people.

First, the target’s mobile carrier deliberately cut off their data service. Then, the carrier sent an SMS telling the target to install an app to restore access. That app wasn’t a real update. It was Morpheus in disguise.

Once installed, the spyware abused Android’s built-in accessibility features. These features normally help users with disabilities interact with their phones. But Morpheus twisted them to read screen data and interact with other apps without the user’s knowledge.

Then things got worse. The malware triggered a fake reboot screen, spoofed the WhatsApp interface, and asked the target to confirm their identity with biometrics. That single biometric tap quietly added a new device to the victim’s WhatsApp account, handing the spyware full access to their messages.

This exact technique has appeared in documented spy campaigns in Ukraine and Italy before. So it’s a known playbook, not a new invention.
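The accessibility abuse described above leaves a trace a defender can check over adb: an enabled accessibility service belonging to an app that did not come from a trusted store. The following is an added example, not code from the Osservatorio Nessuno report; the package name `com.example.carrierupdate`, the sample command output and the trusted-installer list are constructed assumptions.

```python
import re

# Installers treated as trusted stores here (an assumption; adjust per fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample output of three `adb shell` commands (not from a real device).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.carrierupdate/.UpdateService\n")
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.carrierupdate  installer=com.google.android.packageinstaller
"""
SAMPLE_SYSTEM = "package:com.google.android.marvin.talkback\n"

def parse_accessibility(setting):
    """Packages named in `settings get secure enabled_accessibility_services`
    (colon-separated package/service components, or `null` when none)."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}

def parse_installers(listing):
    """Map package -> installer from `pm list packages -i`."""
    pairs = re.findall(r"^package:(\S+)\s+installer=(\S+)", listing, re.M)
    return dict(pairs)

def parse_system(listing):
    """Preinstalled packages from `pm list packages -s`."""
    return set(re.findall(r"^package:(\S+)", listing, re.M))

def suspicious_services(setting, installers_out, system_out):
    """Return (package, installer) for every enabled accessibility service
    that is neither preinstalled nor installed by a trusted store.
    A hit is a lead for review, not proof of spyware."""
    installers = parse_installers(installers_out)
    system = parse_system(system_out)
    flagged = []
    for pkg in sorted(parse_accessibility(setting)):
        source = installers.get(pkg, "unknown")
        if pkg not in system and source not in TRUSTED_INSTALLERS:
            flagged.append((pkg, source))
    return flagged

if __name__ == "__main__":
    for pkg, source in suspicious_services(SAMPLE_SETTING, SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print(f"review: {pkg} holds an accessibility service (installer={source})")
```

On a real handset, pass the text returned by the three `adb shell` commands named in the docstrings instead of the samples.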

IPS: A 30-Year-Old Company With a Secret Product

Osservatorio Nessuno’s researchers, who go by Davide and Giulio, linked Morpheus to IPS through its infrastructure. One IP address used in the campaign was registered directly to “IPS Intelligence Public Security.”

Plus, the malware’s code contained Italian-language strings, including references to Gomorra, the famous Neapolitan mob book and TV show, along with the word “spaghetti.” Embedding Italian cultural references in code has become almost a signature habit among Italian spyware developers, researchers say.

IPS’s public website says the company operates in more than 20 countries and counts several Italian police forces among its customers. That’s their lawful interception business, which captures real-time communications through telecom networks. The spyware side of their operation, however, was completely unknown until this report dropped.

TechCrunch reached out to IPS for comment. The company did not respond.

Zero-Click vs. Social Engineering Attacks

Researchers describe Morpheus as “low cost” spyware compared to products from companies like NSO Group or Paragon Solutions. That label is worth understanding.

High-end government spyware uses zero-click attacks. These exploit expensive, hard-to-find software vulnerabilities that let attackers silently install malware without any interaction from the target at all. The victim never clicks anything, approves anything, or even knows an attack happened.

Morpheus works differently. It relies on tricking the target into installing the app themselves. That requires cooperation from the target’s mobile carrier to cut off service and send the deceptive SMS. So it’s a more labor-intensive operation. But it’s also cheaper and doesn’t require finding rare software vulnerabilities.

A researcher at a separate cybersecurity firm confirmed to TechCrunch that their team had already been tracking this malware independently. After reviewing the Osservatorio Nessuno report, they agreed it was built by an Italian surveillance tech company.

Italy’s Crowded Spyware Industry

IPS joins a surprisingly long list of Italian spyware makers that researchers have publicly exposed in recent years. The Italian surveillance tech market exploded after Hacking Team, one of the world’s first commercial spyware companies, collapsed following a devastating 2015 hack that exposed its operations and client list.

Since then, researchers have unmasked CY4GATE, eSurv, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and most recently SIO. Earlier this month, WhatsApp notified around 200 users who had installed a fake version of the app that was actually SIO’s spyware. Back in 2021, Italian prosecutors suspended use of both CY4GATE and SIO spyware after serious technical malfunctions.

Davide and Giulio told TechCrunch they believe the Morpheus attack was “related to political activism” in Italy, where targeted surveillance of activists and political figures is, in their words, “very common nowadays.”

A Pattern That Keeps Repeating

What’s striking about this story isn’t just the specific company or the clever fake update trick. It’s how routine this has all become.

Researchers keep uncovering new spyware makers. Governments keep using them. Targets are usually political activists, journalists, or dissidents. The infection methods evolve slowly, recycling the same strategies across different campaigns.

The demand for these tools from law enforcement and intelligence agencies is clearly enormous. Each company exposed makes way for another to fill the gap quietly. IPS operated in obscurity for over three decades before a pair of Italian researchers found its fingerprints on a malware sample.

If your device ever receives an unexpected SMS from your carrier asking you to install a software update, treat it with real suspicion. Legitimate carriers don’t typically push update apps through text messages. And as this case shows, that message might not be from your carrier at all.
