In a recent revelation, the Italian digital rights organization Osservatorio Nessuno has unveiled a new form of malware dubbed Morpheus, which is being utilized by government agencies to conduct surveillance. This spyware, disguised as a phone updating application, is adept at extracting a wide array of data from the devices of unsuspecting targets.
The report highlights a growing trend: the insatiable demand for spyware among law enforcement and intelligence entities has led to an influx of companies offering such technologies, many of which operate under the radar. Osservatorio Nessuno’s investigation links Morpheus to IPS, an Italian firm with over three decades of experience in providing lawful interception technologies. These tools enable governments to capture real-time communications traversing the networks of telecommunications and internet providers.
IPS claims to operate in more than 20 countries, although this figure likely does not pertain to its spyware offerings, which have remained largely undisclosed until now. The company’s clientele includes various Italian police forces, yet it has not responded to inquiries from TechCrunch regarding the report.
Morpheus: A Low-Cost Spyware Solution
Researchers have categorized Morpheus as “low cost” spyware, primarily because it employs a straightforward infection method that relies on deceiving targets into installing the software themselves. This contrasts sharply with more sophisticated spyware solutions from companies like NSO Group and Paragon Solutions, which utilize zero-click attacks to stealthily implant malware by exploiting elusive vulnerabilities in devices.
In this instance, the authorities appeared to have collaborated with the target’s mobile service provider, which intentionally obstructed the target’s mobile data. Subsequently, the telecom provider sent an SMS urging the target to install an app purportedly designed to facilitate a phone update and restore cellular data access. This tactic mirrors strategies documented in other cases involving Italian spyware developers.
Once installed, Morpheus exploits Android’s built-in accessibility features, allowing it to read the target’s screen data and interact with other applications. The malware is engineered to harvest extensive information from the device.
Upon installation, the spyware presents a fake update, displays a reboot screen, and ultimately masquerades as the WhatsApp application, soliciting the target’s biometric data for verification. Unbeknownst to the target, this biometric input grants the spyware unfettered access to their WhatsApp account by adding a device to it. This method has been previously observed in government hacking operations in Ukraine and in recent surveillance campaigns in Italy.
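For defenders triaging a handset, the combination described above (an app installed from an SMS link that then holds an accessibility service) can be checked from three adb outputs. The following is an added example, not code from the Osservatorio Nessuno report; the package name `com.example.phoneupdate`, the sample outputs and the trusted-installer list are constructed assumptions.

```python
import re

# Assumption: only the Play Store counts as a trusted installer on this device.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample outputs (not taken from a real device or from the report):
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.phoneupdate/.UpdateHelperService")
#   adb shell pm list packages -i
SAMPLE_PM_ALL = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.phoneupdate  installer=null
package:com.whatsapp  installer=com.android.vending"""
#   adb shell pm list packages -s
SAMPLE_PM_SYSTEM = "package:com.google.android.marvin.talkback"

def parse_enabled_services(setting_value):
    """Split the colon-separated 'package/service' list; 'null' or empty means none."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [tuple(c.split("/", 1)) for c in value.split(":") if "/" in c]

def parse_packages(pm_output):
    """Map package -> installer (None when missing or 'null')."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)(?:\s+installer=(\S+))?", line.strip())
        if m:
            inst = m.group(2)
            installers[m.group(1)] = None if inst in (None, "null") else inst
    return installers

def sideloaded_accessibility(setting_value, pm_all, pm_system):
    """Return (package, service, installer) for enabled accessibility services
    that are neither system packages nor installed by a trusted store."""
    system = set(parse_packages(pm_system))
    installers = parse_packages(pm_all)
    findings = []
    for pkg, svc in parse_enabled_services(setting_value):
        if pkg in system:
            continue  # preinstalled services such as TalkBack
        installer = installers.get(pkg)
        if installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, svc, installer))
    return findings

if __name__ == "__main__":
    for finding in sideloaded_accessibility(SAMPLE_SETTING, SAMPLE_PM_ALL, SAMPLE_PM_SYSTEM):
        print("review:", finding)
```

A hit is a lead for manual review, not proof of compromise: legitimately sideloaded accessibility tools will also appear.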
Osservatorio Nessuno’s researchers, identified only as Davide and Giulio, assert that their analysis of the spyware’s infrastructure confirms its association with IPS. Notably, one of the IP addresses linked to the campaign is registered to “IPS Intelligence Public Security.” Furthermore, the researchers discovered fragments of code containing Italian phrases, a hallmark of the Italian spyware industry. The malware’s code included references to “Gomorra,” the acclaimed book and television series centered on the Neapolitan mob, alongside playful mentions of “spaghetti.”
While the researchers refrained from disclosing the specific target, they suggested that the attack is likely connected to political activism in Italy, a context where such targeted assaults have become increasingly prevalent.
A cybersecurity expert, upon reviewing the Osservatorio Nessuno report, confirmed that the malware is indeed developed by an Italian surveillance technology provider. IPS joins a lengthy roster of Italian spyware manufacturers that have emerged to fill the gap left by the now-defunct Hacking Team, once a dominant player in the global spyware market before its downfall. In recent years, numerous Italian spyware companies, including CY4GATE, eSurv, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and most recently SIO, have been publicly scrutinized for their activities.
Earlier this month, WhatsApp alerted approximately 200 users who had inadvertently installed a counterfeit version of the app, which was, in fact, spyware developed by SIO. In 2021, Italian prosecutors halted the use of spyware from CY4GATE and SIO due to significant operational flaws.