Yet another government spyware maker has been caught after its customers used fake Android apps to install its surveillance software on targets, according to a new report.

On Thursday, Osservatorio Nessuno, an Italian digital rights organization that researches spyware, published a report on a new malware it calls Morpheus. The spyware, which masquerades as a phone updating app, is capable of stealing a broad range of data from an intended target’s device. 

The researchers’ findings show that the demand for spyware by law enforcement and intelligence agencies is so high that there are a large number of companies providing this technology, some of whom operate outside of the public spotlight.

In this case, Osservatorio Nessuno concluded that the spyware is made by IPS, an Italian company that has been operating for more than 30 years providing traditional so-called lawful interception technology, meaning tools used by governments to capture a person’s real-time communications that flow through the networks of phone and internet providers. 

According to IPS’ website, the company operates in more than 20 countries, though that likely does not refer to its spyware product, which until today was a secret. The company lists several Italian police forces among its customers. 

IPS did not respond to TechCrunch’s request for comment about the report.  

The researchers called Morpheus “low cost” spyware because it relies on the rudimentary infection mechanism of tricking the targets into installing the spyware on their own. 

More advanced government spyware makers, such as NSO Group and Paragon Solutions, allow their government customers to infect their targets with invisible techniques, known as zero-click attacks, which install the malware in a completely stealthy and invisible way by exploiting expensive and difficult-to-find vulnerabilities that break through a device’s security defenses.

In this case, the researchers said the authorities had help from the target’s cellphone provider, which began deliberately blocking the target’s mobile data. At that point, the telecom provider sent the target an SMS, prompting them to install an app that was supposed to help them update the phone, and regain cellular data access. This is a strategy that has been well documented in other cases involving other Italian spyware makers.

Once the spyware was installed, it abused Android’s in-built accessibility features, which allows the spyware to read the data on the victim’s screen and interact with other apps. The malware was designed to access all kinds of information on the device, according to the researchers. 

The spyware then prompted a fake update, showed the target a reboot screen, and finally spoofed the WhatsApp app asking the target to provide their biometrics to prove that it’s them. Unbeknownst to the target, the biometric tap granted the spyware full access to their WhatsApp account by adding a device to the account. This is a known strategy used by government hackers in Ukraine, as well as in a recent spy campaign in Italy.

An old company with a new spyware

Osservatorio Nessuno’s researchers, who asked to be referred only with their first names, Davide and Giulio, concluded that the spyware belongs to IPS based on the spyware’s infrastructure. 

In particular, one of the IP addresses used in the campaign was registered to “IPS Intelligence Public Security.” 

The two also found several fragments of code that contained Italian phrases — something that has seemingly become tradition among the Italian spyware industry. The malware code included words in Italian, including references to Gomorra, the famous book and TV show about the Neapolitan mob, and “spaghetti.” 

Davide and Giulio told TechCrunch that they can’t provide specifics about who the target was, but they said they believe the attack is “related to political activism” in Italy, a world where “this type of targeted attacks are very common nowadays.” 

A researcher at a cybersecurity firm told TechCrunch that their company has been tracking this specific malware. After reviewing the Osservatorio Nessuno report, the researcher said that the malware is definitely developed by an Italian surveillance tech maker.

IPS is the latest in a long list of Italian spyware makers that have filled the void left by the long-defunct Italian company Hacking Team, one of the first spyware makers in the world. The company controlled a large share of the local market apart from selling abroad before it was hacked, and later sold and rebranded. In recent years, researchers have publicly exposed several Italian spyware makers, including CY4GATE, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and most recently SIO. 

Earlier this month WhatsApp notified around 200 users who installed a fake version of the app, which was actually spyware made by SIO. In 2021, Italian prosecutors suspended their use of CY4GATE and SIO spyware due to serious malfunctions.

Residents of Mansur community in Alkaleri Local Government Area of Bauchi State have started to return home following the clearance of bandits by troops of the Nigerian Army.

The Acting Assistant Director, Army Public Relations, 33 Artillery Brigade, Lt. Oluwakemi Fagbolagun, disclosed this in a statement issued yesterday.

DAILY POST reports that the affected communities had been deserted since February 26, 2026, when armed terrorists invaded the area, forcing residents to flee to safer locations. After nearly two months in displacement, the villagers started returning on April 22.

According to the Acting Assistant Director, Army Public Relations, 33 Artillery Brigade, the attacks left homes abandoned while farming activities were halted across the community.

Fagbolagun said the return of residents followed a series of coordinated military operations, beginning with Operation Bugun Karkanda III, ordered by Army Headquarters and executed by troops of the 33 Artillery Brigade.

She added that the exercise was supported by Operation Wutan Daji, which focused on dislodging terrorists from their hideouts.

The operations, she noted, led to the clearance of criminal elements from Dajin Madam Forest in Plateau State and Kumbodoro Forest in Taraba State.

She further listed Yankari Game Reserve, Bogwas and Rimi in Bauchi State, as well as Odere Forest, Shirnagol, Wanka and Kukarlwa in Plateau State among areas recovered during the exercise. Troops also secured Kumbodoro town and Angwan Jauro Sule in Taraba State.

Fagbolagun said the operations paved the way for the liberation of previously occupied communities, including Mansur.

She explained that the military has now moved into the consolidation phase, which involves handing over cleared areas to relevant security agencies and government institutions to sustain peace and enable displaced residents to return.

The army spokesperson described scenes of jubilation as villagers made their way back to their homes, with many seen inspecting their houses and clearing overgrown vegetation within their compounds.

Community leaders, she added, commended the Chief of Army Staff, Lt. Gen. Waidi Shaibu, for the intervention that restored calm to the area.

Meanwhile, Bauchi State Governor, Bala Mohammed, had earlier announced that thousands of bandits were neutralised during recent coordinated security operations across troubled parts of the state.

Addressing journalists on Monday, the governor attributed the success to joint efforts involving the Nigerian Air Force, the Armed Forces, intelligence agencies and local vigilante groups.

He said the operation followed an appeal to President Bola Tinubu over rising insecurity in Alkaleri and neighbouring states of Plateau, Taraba and Gombe.