The researchers\u2019 findings show that the demand for spyware by law enforcement and intelligence agencies is so high that there are a large number of companies providing this technology, some of whom operate outside of the public spotlight.<\/p>\n
In this case, Osservatorio Nessuno concluded that the spyware is linked to IPS, an Italian company that has been operating for more than 30 years providing traditional so-called lawful interception technology, meaning tools used by governments to capture a person\u2019s real-time communications that flow through the networks of phone and internet providers.\u00a0<\/p>\n
According to IPS\u2019 website<\/a>, the company operates in more than 20 countries, though that likely does not refer to its spyware product, which until today was a secret. The company lists several Italian police forces among its customers.\u00a0<\/p>\n IPS did not respond to TechCrunch\u2019s request for comment about the report.\u00a0\u00a0<\/p>\n The researchers called Morpheus \u201clow cost\u201d spyware because it relies on the rudimentary infection mechanism of tricking the targets into installing the spyware on their own.\u00a0<\/p>\n More advanced government spyware makers, such as NSO Group<\/a> and Paragon Solutions<\/a>, allow their government customers to infect their targets with invisible techniques, known as zero-click attacks<\/a>, which install the malware in a completely stealthy and invisible way by exploiting expensive and difficult-to-find vulnerabilities that break through a device\u2019s security defenses.<\/p>\n In this case, the researchers said the authorities had help from the target\u2019s cellphone provider, which began deliberately blocking the target\u2019s mobile data. At that point, the telecom provider sent the target an SMS, prompting them to install an app that was supposed to help them update the phone, and regain cellular data access. This is a strategy that has been well documented<\/a> in other cases involving other Italian spyware makers.<\/p>\n Once the spyware was installed, it abused Android\u2019s in-built accessibility features, which allows the spyware to read the data on the victim\u2019s screen and interact with other apps. The malware was designed to access all kinds of information on the device, according to the researchers.\u00a0<\/p>\n The spyware then prompted a fake update, showed the target a reboot screen, and finally spoofed the WhatsApp app asking the target to provide their biometrics to prove that it\u2019s them. Unbeknownst to the target, the biometric tap granted the spyware full access to their WhatsApp account by adding a device to the account. This is a known strategy used by government hackers in Ukraine<\/a>, as well as in a recent spy campaign in Italy<\/a>.<\/p>\n An old company with a new spyware<\/p>\n Osservatorio Nessuno\u2019s researchers, who asked to be referred only with their first names, Davide and Giulio, concluded that the spyware belongs to IPS based on the spyware\u2019s infrastructure.\u00a0<\/p>\n In particular, one of the IP addresses used in the campaign was registered to \u201cIPS Intelligence Public Security.\u201d\u00a0<\/p>\n The two also found several fragments of code that contained Italian phrases \u2014 something that has seemingly become<\/a> tradition<\/a> among the Italian spyware industry. The malware code included words in Italian, including references to Gomorra, the famous book and TV show about the Neapolitan mob, and \u201cspaghetti.\u201d\u00a0<\/p>\n Davide and Giulio told TechCrunch that they can\u2019t provide specifics about who the target was, but they said they believe the attack is \u201crelated to political activism\u201d in Italy, a world where \u201cthis type of targeted attacks are very common nowadays.\u201d\u00a0<\/p>\n A researcher at a cybersecurity firm told TechCrunch that their company has been tracking this specific malware. After reviewing the Osservatorio Nessuno report, the researcher said that the malware is definitely developed by an Italian surveillance tech maker.<\/p>\n IPS is the latest in a long list of Italian spyware makers that have filled the void left by the long-defunct Italian company Hacking Team, one of the first spyware makers in the world. The company controlled a large share of the local market apart from selling abroad before it was hacked, and later sold and rebranded. In recent years, researchers have publicly exposed several Italian spyware makers, including CY4GATE<\/a>, GR Sistemi<\/a>, Movia<\/a>, Negg<\/a>, Raxir<\/a>, RCS Lab<\/a>, and most recently SIO<\/a>.\u00a0<\/p>\n Earlier this month WhatsApp notified around 200 users<\/a> who installed a fake version of the app, which was actually spyware made by SIO. In 2021, Italian prosecutors suspended their use<\/a> of CY4GATE and SIO spyware due to serious malfunctions.<\/p>\n![\"\"](\"https:\/\/www.newsbeep.com\/ie\/wp-content\/uploads\/2026\/04\/ips-spyware-whatsapp.gif\")
Image Credits:Osservatorio Nessuno<\/p>\n