The spyware manufacturer was caught distribution of malicious Android applications for years

Italian manufacturer Spyware Sio, known to sell its products government customersIt is behind a series of malicious Android applications disguised as WhatsApp and other popular applications, but steal private data from the Target device, TechCrunch has learned exclusively.

At the end of last year, a security researcher shared three Android applications with TechCrunch, claiming that he was probably a government spyware used in Italy against unknown victims. TechCrunch asked Google and Lookout mobile telephony company to analyze the applications and both confirmed that the applications were spyware.

This discovery shows that the world of government spyware is wide, both in the sense of the number of spyware companies and the different techniques used to target individuals.

In recent weeks, Italy has been involved in an ongoing scandal that includes the supposed use of a sophisticated espionage tool made by Israeli maker Spyware Paragon. Spyware is able to target distance WhatsApp and stealing data from their phones and allegedly used against a journalist and two founders of an NGO that helps and rescues immigrants in the Mediterranean.

In the case of the malicious samples of applications shared with TechCrunch, the manufacturer Spyware and its government client used a more pedestrianized technical hacking: development and distribution of malicious applications Android that are pretending to be popular applications such as Whatsapp and Customer Support Tools provided by the mobile phone providers.

Lookout security researchers concluded that the Android spyware shared with TechCrunch is called Spyrtacus, having found the word in the code of an earlier sample of malicious software that appears to refer to malicious software itself.

Lookout told TechCrunch that Spyrtacus has all the features of government spyware. (Researchers from another cyberspace company who independently analyzed Spyware for TechCrunch, but asked not to be named, reached the same conclusion.) Spyrtacus can steal text messages as well as conversations from Facebook Messenger, Signal and whatsapp. Contact contacts. Record phone calls and environmental sound through the device microphone and images through the camera’s cameras. Among other functions that serve surveillance purposes.

According to the Lookout, the SpyRTacus samples provided on TechCrunch, as well as in many other samples of malicious software previously analyzed by the company, were all from SIO, An Italian company selling spyware to Italian government.

Since applications, as well as websites used to distribute them, are in Italian, it is reasonable that spyware was used by Italian law enforcement services.

A spokesman for the Italian government, as well as the Ministry of Justice, did not respond to TechCrunch’s request for comments.

At this point, it is not clear who is aiming for Spyware, according to the lookout and the other security company.

SIO did not respond to multiple requests for comments. TechCrunch also arrived at the president and chief executive of SIO Elio Cattaneo. And many senior executives, including CFO Claudio Pezzano and Cto Alberto Fabbri, but TechCrunch didn’t hear back.

Kristina Balaam, a researcher on the Lookout that analyzed malware, said the company found 13 different specimens of Spyrtacus Spyware in the wild, with the oldest sample of malicious software dating back to 2019 and the latest sample dating from the dating from the October 17, 2024. Other samples, Balaam added, found between 2020 and 2022. Some of the samples mimic applications made by Italian mobile carriers Tim, Vodafone and Windtre, Balaam said.

Google Ed Fernandez’s spokesman said that “based on our current detection, there are no applications that contain this malicious Google Play software”, adding that Android has activated protection for this malicious software from 2022. “Asked if Spyrtacus Spyware’s earlier versions were always at Google’s app store. Fernandez said this is all the information the company has.

Said Kaspersky a report of 2024 That people behind Spyrtacus began to distribute Spyware through Google Play applications in 2018, but by 2019 they changed the hosting of applications to malicious websites to resemble some of Italy’s top internet providers. Kaspersky said his researchers also found a version of Windows of Spyrtacus malicious software and found signs showing the existence of malware for iOS and macos as well.

Pizza, spaghetti and spyware

Italy has hosted for two decades some of the world’s first spyware companies. SIO is the last in a long list of spyware manufacturers whose products have been observed by security researchers as actively targeting people in the real world.

In 2003, the two Italian hackers David Vincenzetti and Valeriano Bedeschi founded the Hacking Startup team, one of the first companies to recognize that there was an international hand market market, easy to use, Spyware systems for law enforcement and government intelligence organizations over the world. The hacking team continued to sell its spyware to agencies in Italy, Mexico, Saudi Arabia and South Korea, among others.

In the last decade, security researchers have found several other Italian companies selling Spyware including Cy4Gate; esurv; Gr sistemi; Neurovolous; Raxirand RCS workshop.

Some of these companies had spyware products that were distributed in a similar way to Spyware Spyware Spyrtacus. Italy’s motherboard was found In a 2018 survey That the Italian Ministry of Justice had a price list and a list showing how authorities can force telecommunications companies to send malicious text messages to surveillance targets to deceive the person to install a malicious application on the pretext of keeping their phone service Active, for example, for example.

In the case of CY4GATE, The motherboard was found in 2021 That the company made fake WhatsApp apps to deceive the goals for installing its spyware.

There are many elements that show SIO as the company behind Spyware. Lookout found that some of the command and control servers used to control malware were registered with a company called Asigint, a subsidiary of SIO, according to a public available to the public SIO Since 2024, which says Asigint has been developing software and services related to the phone device.

The Legal Academy of Intercept, an independent Italian organization that issues conformity certifications for Spyware manufacturers operating in the country, lists SIO as a certificate holder For a spyware product called Sioagent and records Asigint as a product owner. In 2022, Intelligence Intelligence online monitoring and trade trade referenced This SIO had acquired Asigint.

Michele Fiorentino is Asigint’s chief executive and is based in the Italian city of Caserta, except for Naples, according to LinkedIn’s profile. Fiorentino says he worked on the “Spyrtacus project”, while another company is called Dataforense between February 2019 and February 2020, implying that the company was involved in the development of Spyware.

Another command and control server associated with Spyware software is registered with Dataforense, according to Lookout.

Dataforense and Fiorentino did not respond to a request for comments sent by email and LinkedIn.

According to the LOOKOUT and the other cyberspace company, there is a series of source code in one of the specimens of Spyrtacus that shows the developers that may be from the Naples area. The source code includes the words “Scetáteve Guagliune” e malavita, a phrase in the neapolitan dialect that translates to “Wake Up Boys of the Underworld”, which is part of the lyrics of traditional Neapolite song “Guapparia.”

This would not be the first time that Italian manufacturers of Spyware left traces of their origin on their spyware. In the case of Esurv, One Defunct Spyware Manufacturer from the southern area of ​​Calabria Exposed to get infected with innocent people in 2019, its developers left the words “Mundizza”, the word Calabrian for garbage, as well as reference to the name of footballer Calabrian, Gennaro Gattuso.

While these are small details, all signs show SIO as behind this spyware. However, there are questions about the campaign, including the government client behind the use of Spyrtacus spyware and against which.