Yet another government-backed spyware maker has been arrested after its customers used fake Android apps to install surveillance software on its targets, according to a new report.
On Thursday, Osservatorio Nessuno, an Italian digital rights organization that studies spyware, published a report on a new piece of malware called Morpheus. This spyware disguises itself as a mobile phone update app and is able to steal a wide range of data from the targeted device.
The researchers' findings show that spyware is in such high demand by law enforcement and intelligence agencies that there are many companies offering the technology, some operating out of the public eye.
In this case, Osservatorio Nessuno concluded that the spyware was related to IPS. IPS is an Italian company that has been providing traditional so-called lawful interception technology (meaning tools used by governments to capture real-time communications of individuals as they flow through phone and internet provider networks) for more than 30 years.
According to the IPS website, the company operates in more than 20 countries, but its spyware products are likely not mentioned and have remained secret until today. The company counts several Italian police forces among its customers.
IPS did not respond to TechCrunch's request for comment on this report.
Researchers call Morpheus a “low-cost” spyware because it relies on a rudimentary infection mechanism that tricks targets into installing the spyware themselves.
More sophisticated government spyware makers, such as NSO Group and Paragon Solutions, allow their government customers to infect their targets with invisible techniques known as zero-click attacks. This technique installs malware in a completely stealthy and invisible manner by exploiting expensive and hard-to-discover vulnerabilities that bypass a device's security defenses.
In this case, authorities enlisted the cooperation of the target's mobile phone provider, who began intentionally blocking the target's mobile data, researchers said. At that point, the communications provider sent an SMS to the target, urging him to update his phone and install an app that he believed would help him regain access to his phone data. This is a strategy that has been well documented in other incidents involving other Italian spyware manufacturers.
Image credit:Osservatorio Nessuno
Once installed, this spyware exploits Android's built-in accessibility features, allowing the spyware to read data on the victim's screen and interact with other apps. Researchers say the malware was designed to access all kinds of information on the device.
The spyware then prompted a fake update, presented the target with a reboot screen, and finally spoofed the WhatsApp app and asked the target to provide biometrics to prove its identity. Unbeknownst to the target, the biometric tap added the device to the account and gave the spyware full access to the WhatsApp account. This is a known strategy used by Ukrainian government hackers and recent espionage operations in Italy.
Old company and new spyware
Osservatorio Nessuno researchers, who asked to be referred to by Davide and Giulio only by their first names, concluded that based on the spyware's infrastructure, the spyware belongs to IPS.
In particular, one of the IP addresses used in the campaign was registered with “IPS Intelligence Public Security.”
The two also discovered some code fragments containing Italian phrases. This seems to be a tradition in the Italian spyware industry. The malware code contained Italian words, including references to Gomorrah, a famous book and TV show about the Neapolitan mob, and “spaghetti.”
Davide and Giulio told TechCrunch that although they could not provide details about who was targeted, they believed the attack was “related to political activity” in Italy, adding that “this type of targeted attack is now very common.”
Researchers at a cybersecurity company told TechCrunch that their company is tracking this particular malware. After reviewing Osservatorio Nessuno's report, researchers said that the malware was definitely developed by the Italian surveillance technology manufacturer.
IPS is the latest in a long list of Italian spyware makers, filling the void left by the long-defunct Italian company Hacking Team, one of the world's first spyware makers. The company controlled a large share of the domestic market, excluding overseas sales, before being hacked, and has since been sold and rebranded. In recent years, researchers have publicly busted several Italian spyware makers, including CY4GATE, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and most recently SIO.
Earlier this month, WhatsApp notified around 200 users who had installed a fake version of the app, which was actually spyware created by SIO. In 2021, Italian prosecutors suspended the use of CY4GATE and SIO spyware due to serious defects.
If you buy through links in our articles, we may earn a small commission. This does not affect editorial independence.