Yet another government spyware maker has been arrested after its customers used fake Android apps to install the surveillance software on targets, according to a new report.
On Thursday, Osservatorio Nessuno, an Italian digital rights organization that investigates spyware, published a report on a new malware it calls Morpheus. Disguised as a phone update application, the spyware is capable of intercepting a wide range of data from a target’s device.
The researchers’ findings show that the demand for spyware by law enforcement and intelligence agencies is so high that there are a large number of companies providing this technology, some of which operate out of the public spotlight.
In this case, Osservatorio Nessuno concluded that the spyware is linked to IPS, an Italian company that has been operating for more than 30 years providing traditional so-called legal wiretapping technology, i.e. tools used by governments to record a person’s real-time communications flowing through the networks of phone and internet providers.
According to the IPS website, the company operates in more than 20 countries, although that probably doesn’t refer to its spyware product, which has been a secret until now. The company counts several Italian police forces among its clients.
IPS did not respond to TechCrunch’s request for comment on the report.
The researchers called Morpheus “low-cost” spyware because it relies on a rudimentary infection mechanism that tricks targets into installing the spyware themselves.
More advanced government spyware makers, such as NSO Group and Paragon Solutions, allow their government clients to infect targets with techniques known as zero-click attacks, which install malware without any interaction from the target by exploiting expensive and hard-to-find vulnerabilities that bypass a device’s security defenses.
In the Morpheus case, investigators said authorities had help from the target’s cellphone carrier, which began deliberately blocking the target’s cellphone data. At that point, the telecom provider sent the target an SMS asking them to install an app that was supposed to help them update the phone and regain access to mobile data. This is a strategy that has been well documented in other cases involving other Italian spyware makers.
Once the spyware was installed, it abused Android’s built-in accessibility features, which allow the spyware to read the data on the victim’s screen and interact with other apps. The malware was designed to access all kinds of information on the device, according to the researchers.
The eavesdropping software then triggered a fake update, showed the target a reboot screen and finally spoofed the WhatsApp app asking the target to provide their biometrics to prove it’s them. Unbeknownst to the target, the biometric touch gave the spyware full access to the WhatsApp account by adding a device to the account. This is a well-known strategy used by government hackers in Ukraine, as well as in a recent espionage campaign in Italy.
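The report says the spyware relied on an enabled accessibility service to read the screen and drive other apps. As an added triage example (not code from Osservatorio Nessuno or TechCrunch), the snippet below parses the output of the real Android commands `settings get secure enabled_accessibility_services` and `pm list packages -3` and flags third-party packages that hold an enabled accessibility service; the sample command output and all package and service names are constructed for illustration.

```python
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are "package/service" separated by colons; a service written as
# ".Helper" is relative to its package. Names are invented for illustration.
ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/com.example.sysupdate.AccService:"
    "com.example.sysupdate/.Helper"
)

# Constructed sample of `adb shell pm list packages -3` (third-party packages only).
THIRD_PARTY = """package:com.example.sysupdate
package:com.whatsapp
package:org.example.notes
"""


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the settings value into (package, fully qualified service) pairs."""
    pairs = []
    for entry in setting.split(":"):
        if not entry or "/" not in entry:
            continue  # skip empty or malformed entries
        pkg, svc = entry.split("/", 1)
        if svc.startswith("."):
            svc = pkg + svc  # expand relative class name
        pairs.append((pkg, svc))
    return pairs


def parse_third_party(listing: str) -> set[str]:
    """Parse `pm list packages -3` output into a set of package names."""
    return {line.removeprefix("package:").strip()
            for line in listing.splitlines() if line.startswith("package:")}


def suspicious_accessibility_apps(setting: str, listing: str) -> dict[str, list[str]]:
    """Return third-party packages that have an enabled accessibility service,
    mapped to the service class names they registered. Any hit deserves a
    closer look: a legitimate "system update" app has no reason to hold one."""
    third_party = parse_third_party(listing)
    found: dict[str, list[str]] = {}
    for pkg, svc in parse_enabled_services(setting):
        if pkg in third_party:
            found.setdefault(pkg, []).append(svc)
    return found


if __name__ == "__main__":
    for pkg, services in suspicious_accessibility_apps(ENABLED_SERVICES, THIRD_PARTY).items():
        print(f"{pkg}: {', '.join(services)}")
```

On a real device, pipe the two adb commands' output into these functions instead of the constructed strings.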
An old company with new spyware
Osservatorio Nessuno researchers, who asked to be identified only by their first names, Davide and Giulio, concluded that the spyware belongs to IPS based on the spyware’s infrastructure.
In particular, one of the IP addresses used in the campaign was registered with “IPS Intelligence Public Security”.
The two also found several pieces of code that contained Italian phrases, which apparently is common practice in the Italian spyware industry. The malware code included words in Italian, including references to Gomorra, the famous book and TV show about the Neapolitan mob, and “spaghetti.”
Davide and Giulio told TechCrunch that they could not provide details on who the target was, but said they believed the attack was “related to political activism” in Italy, a world where “this type of targeted attack is very common these days.”
A researcher at a cybersecurity firm told TechCrunch that their company was tracking this particular malware. After reviewing the Osservatorio Nessuno report, the researcher said the malware was definitely developed by an Italian surveillance technology manufacturer.
IPS is the latest in a long list of Italian spyware makers to fill the void left by the long-defunct Italian company Hacking Team, one of the world’s first spyware makers. The company controlled a large share of the local market in addition to overseas sales before it was hacked, and later sold and renamed. In recent years, researchers have publicly exposed several Italian spyware makers, including CY4GATE, eSurv, GR Sistemi, Movia, Negg, Raxir, RCS Lab and, more recently, SIO.
Earlier this month, WhatsApp notified about 200 users who had installed a fake version of the app, which was actually spyware made by SIO. In 2021, Italian prosecutors suspended their use of CY4GATE and SIO spyware due to serious malfunctions.