Yet another government spyware maker has been caught after its customers used fake Android apps to install its surveillance software on targets, according to a new report.

On Thursday, Osservatorio Nessuno, an Italian digital rights organization that researches spyware, published a report on a new malware it calls Morpheus. The spyware, which masquerades as a phone updating app, is capable of stealing a broad range of data from an intended target’s device. 

The researchers’ findings show that the demand for spyware by law enforcement and intelligence agencies is so high that there are a large number of companies providing this technology, some of whom operate outside of the public spotlight.

In this case, Osservatorio Nessuno concluded that the spyware is made by IPS, an Italian company that has been operating for more than 30 years providing traditional so-called lawful interception technology, meaning tools used by governments to capture a person’s real-time communications that flow through the networks of phone and internet providers. 

According to IPS’ website, the company operates in more than 20 countries, though that likely does not refer to its spyware product, which until today was a secret. The company lists several Italian police forces among its customers. 

IPS did not respond to TechCrunch’s request for comment about the report.  

The researchers called Morpheus “low cost” spyware because it relies on the rudimentary infection mechanism of tricking the targets into installing the spyware on their own. 

More advanced government spyware makers, such as NSO Group and Paragon Solutions, allow their government customers to infect their targets with invisible techniques, known as zero-click attacks, which install the malware in a completely stealthy and invisible way by exploiting expensive and difficult-to-find vulnerabilities that break through a device’s security defenses.

In this case, the researchers said the authorities had help from the target’s cellphone provider, which began deliberately blocking the target’s mobile data. At that point, the telecom provider sent the target an SMS, prompting them to install an app that was supposed to help them update the phone, and regain cellular data access. This is a strategy that has been well documented in other cases involving other Italian spyware makers.

Once the spyware was installed, it abused Android’s in-built accessibility features, which allows the spyware to read the data on the victim’s screen and interact with other apps. The malware was designed to access all kinds of information on the device, according to the researchers. 

The spyware then prompted a fake update, showed the target a reboot screen, and finally spoofed the WhatsApp app asking the target to provide their biometrics to prove that it’s them. Unbeknownst to the target, the biometric tap granted the spyware full access to their WhatsApp account by adding a device to the account. This is a known strategy used by government hackers in Ukraine, as well as in a recent spy campaign in Italy.

An old company with a new spyware

Osservatorio Nessuno’s researchers, who asked to be referred only with their first names, Davide and Giulio, concluded that the spyware belongs to IPS based on the spyware’s infrastructure. 

In particular, one of the IP addresses used in the campaign was registered to “IPS Intelligence Public Security.” 

The two also found several fragments of code that contained Italian phrases — something that has seemingly become tradition among the Italian spyware industry. The malware code included words in Italian, including references to Gomorra, the famous book and TV show about the Neapolitan mob, and “spaghetti.” 

Davide and Giulio told TechCrunch that they can’t provide specifics about who the target was, but they said they believe the attack is “related to political activism” in Italy, a world where “this type of targeted attacks are very common nowadays.” 

A researcher at a cybersecurity firm told TechCrunch that their company has been tracking this specific malware. After reviewing the Osservatorio Nessuno report, the researcher said that the malware is definitely developed by an Italian surveillance tech maker.

IPS is the latest in a long list of Italian spyware makers that have filled the void left by the long-defunct Italian company Hacking Team, one of the first spyware makers in the world. The company controlled a large share of the local market apart from selling abroad before it was hacked, and later sold and rebranded. In recent years, researchers have publicly exposed several Italian spyware makers, including CY4GATE, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and most recently SIO. 

Earlier this month WhatsApp notified around 200 users who installed a fake version of the app, which was actually spyware made by SIO. In 2021, Italian prosecutors suspended their use of CY4GATE and SIO spyware due to serious malfunctions.