Another Spyware Developer Found Distributing Fake Android Surveillance Apps


A government spyware vendor has been exposed after it was found that its clients used counterfeit Android apps to deploy surveillance software on targets, as highlighted in a recent report.

On Thursday, Osservatorio Nessuno, an Italian digital rights organization focused on spyware research, released a report about a new malware named Morpheus. This spyware, disguised as a phone update app, can siphon a wide array of data from a target’s device.

The investigation revealed significant demand for spyware among law enforcement and intelligence agencies, with many companies supplying this technology, some operating beyond public scrutiny.

Osservatorio Nessuno determined that the spyware is associated with IPS, an Italian firm with over 30 years of experience in providing traditional lawful interception technology, tools governments use to intercept real-time communications over phone and internet networks.

According to IPS’ website, the company operates in more than 20 countries, though this likely excludes its spyware product, which was secret until now. Italian police forces are listed among its clients.

IPS did not respond to TechCrunch’s request for comment on the report.

Morpheus has been labeled as “low cost” spyware by researchers because it tricks targets into self-installation.

More sophisticated government spyware makers like NSO Group and Paragon Solutions enable government clients to employ zero-click attacks, installing malware stealthily using costly and rare vulnerabilities that bypass a device’s security.

In this case, researchers discovered that authorities collaborated with the target’s cellphone provider, which blocked the target’s mobile data. The telecom provider then sent an SMS instructing the target to install an app to update their phone and restore data access, a strategy seen in other cases involving Italian spyware makers.

Once installed, the spyware exploited Android’s accessibility features to read the victim’s screen and interact with apps. The malware aimed to access all device information.

The spyware simulated an update, displayed a reboot screen, and then mimicked the WhatsApp app, prompting the target for biometric verification. Without the target realizing it, that biometric confirmation linked a new device to their WhatsApp account, giving the spyware full access to it. The same technique has been seen in the work of government hackers in Ukraine and in a recent Italian spy campaign.

An old company introduces new spyware

Osservatorio Nessuno’s researchers Davide and Giulio connected the spyware to IPS through its infrastructure.

Specifically, an IP address used in the campaign was registered to “IPS Intelligence Public Security.”

They also discovered code fragments containing Italian phrases, a trend in the Italian spyware industry. The malware code mentioned Gomorra, a book and TV show about the Neapolitan mob, and “spaghetti.”

Davide and Giulio told TechCrunch they couldn’t disclose details about the target but believed the attack was linked to political activism in Italy, where such targeted attacks are now frequent.

A cybersecurity firm researcher confirmed tracking this malware and, after reviewing Osservatorio Nessuno’s report, attributed it to an Italian surveillance tech maker.

IPS joins the long list of Italian spyware makers that followed the outdated Hacking Team, a world pioneer in spyware. Before being hacked and rebranded, that company dominated the local market and sold internationally. Recent years have seen several Italian spyware makers exposed, including CY4GATE, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and most recently SIO.

Earlier this month, WhatsApp notified around 200 users who downloaded a fake app that was spyware by SIO. Italian prosecutors suspended CY4GATE and SIO spyware use in 2021 due to severe malfunctions.