Another spyware maker has been caught distributing fake Android hacking apps


Another government spyware maker has been caught after its agents used fake Android apps to install its surveillance software on targets, according to a new report.

On Thursday, Osservatorio Nessuno, an Italian digital rights organization that researches spyware, published a report on a new malware it calls Morpheus. The spyware, which is disguised as a phone update application, is capable of stealing a wide range of data from the intended target’s device.

The researchers’ findings show that the demand for spyware by law enforcement and intelligence agencies is so high that there are a large number of companies providing this technology, some of which operate outside the public spotlight.

In this case, Osservatorio Nessuno concluded that the spyware was made by IPS, an Italian company that has spent more than 30 years providing so-called traditional lawful interception technology, that is, tools used by governments to capture a person’s real-time communications as they flow through phone networks and Internet service providers.

According to the IPS website, the company operates in more than 20 countries, although this likely does not refer to its spyware product, which until today has been a secret. The company lists several Italian police forces among its clients.

IPS did not respond to TechCrunch’s request for comment on the report.

Researchers called Morpheus “low-cost” spyware because it relies on a primitive infection mechanism to trick targets into installing the spyware themselves.

The makers of the most advanced government spyware, such as NSO Group and Paragon Solutions, allow their government agents to infect their targets with techniques known as zero-click attacks, which install malware invisibly by exploiting expensive, hard-to-find vulnerabilities that penetrate a device’s security defenses.

In this case, researchers said authorities obtained assistance from the target’s mobile phone provider, which deliberately began blocking the target’s mobile phone data. At that point, the telecom provider sent an SMS to the target, asking them to install an app that was supposed to help them update the phone and regain access to cellular data. This strategy has been well documented in other cases involving other Italian spyware makers.


Once the spyware is installed, it abuses Android’s built-in accessibility features, which allow the spyware to read data on the victim’s screen and interact with other applications. According to researchers, the malware is designed to access all kinds of information on the device.
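A defender-side check for the accessibility abuse described above, as an added example that is not part of the report or the original article: it lists enabled accessibility services and flags those whose package is neither a system package nor installed from a trusted store. The adb commands named in the comments are standard; the package names, sample outputs and the trusted-installer set are constructed assumptions.

```python
# Added example: triage of enabled Android accessibility services from adb output.
# Sample data is constructed; "com.example.phoneupdate" is a placeholder name.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Play Store is trusted

def parse_accessibility(raw):
    """Parse `adb shell settings get secure enabled_accessibility_services`."""
    raw = raw.strip()
    if not raw or raw == "null":          # "null" means no service is enabled
        return []
    services = []
    for component in raw.split(":"):      # colon-separated "package/class" entries
        pkg, _, cls = component.partition("/")
        if pkg:
            services.append((pkg, cls))
    return services

def parse_packages(raw):
    """Parse `pm list packages -i` (or `-s`) into {package: installer}."""
    packages = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        installer = "null"                # sideloaded apps report installer=null
        for field in fields[1:]:
            if field.startswith("installer="):
                installer = field.split("=", 1)[1]
        packages[fields[0]] = installer
    return packages

def suspicious_services(acc_raw, installed_raw, system_raw):
    """Return enabled services from non-system, untrusted-installer packages."""
    installers = parse_packages(installed_raw)
    system = set(parse_packages(system_raw))   # from `pm list packages -s`
    findings = []
    for pkg, cls in parse_accessibility(acc_raw):
        installer = installers.get(pkg, "unknown")
        if pkg not in system and installer not in TRUSTED_INSTALLERS:
            findings.append({"package": pkg, "service": cls, "installer": installer})
    return findings

ACC_SAMPLE = ("com.google.android.marvin.talkback/"
              "com.google.android.marvin.talkback.TalkBackService:"
              "com.example.phoneupdate/.UpdateAssistService")
INSTALLED_SAMPLE = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.phoneupdate  installer=null
package:com.whatsapp  installer=com.android.vending"""
SYSTEM_SAMPLE = "package:com.android.settings\n"
```

A hit is a lead for review, not proof of compromise: legitimately sideloaded accessibility tools will also appear.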

The spyware then requested a fake update, showed the target a reboot screen, and finally spoofed WhatsApp and asked the target to provide their biometrics to prove it was them. Unbeknownst to the target, the biometric click gave the spyware full access to their WhatsApp account by adding a device to the account. This is a well-known strategy used by government hackers in Ukraine, as well as in a recent spying campaign in Italy.

An old company with new spyware

The Osservatorio Nessuno researchers, who asked to be referred to only by their first names, Davide and Giulio, concluded that the spyware belonged to IPS based on the spyware infrastructure.

In particular, one of the IP addresses used in the campaign was registered as “IPS Intelligence Public Security.”

The two also found several pieces of code containing Italian phrases, something that appears to have become a tradition in the Italian spyware industry. The malware’s code included Italian words, among them references to Gomorrah, the popular book and TV show about the mob in Naples, and “spaghetti.”

Davide and Giulio told TechCrunch they couldn’t provide details about the identity of the target, but said they believed the attack was “linked to political activity” in Italy, a world where “this type of targeted attack is common nowadays.”

A researcher at a cybersecurity company told TechCrunch that their company was tracking this specific malware. After reviewing the Osservatorio Nessuno report, the researcher said the malware was definitely developed by an Italian surveillance technology maker.

IPS is the latest in a long list of Italian spyware makers to fill the void left by the long-defunct Italian company Hacking Team, one of the world’s first spyware makers. The company controlled a large share of the local market in addition to selling abroad before it was hacked, then sold and later rebranded. In recent years, researchers have publicly exposed several Italian spyware makers, including CY4GATE, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and most recently SIO.

Earlier this month, WhatsApp notified about 200 users who had installed a fake version of the app, which was actually spyware made by SIO. In 2021, Italian prosecutors halted the use of CY4GATE and SIO spyware due to serious malfunctions.


🕒 **Posted on**: 1777040607
