Government-linked Italian spyware maker caught distributing malicious Android apps

Recent investigations have unveiled a troubling connection between the spyware known as Spyrtacus and the Italian developer SIO, a company that has been known to supply its products to the Italian government. At least three Android applications, which masquerade as popular services such as WhatsApp and various phone carrier support tools, have been identified as spyware. The alarming discovery was first raised by an anonymous security researcher in late 2024, prompting TechCrunch to alert both Google and cybersecurity firm Lookout. Both organizations confirmed the presence of malicious code embedded within these applications.

SIO’s Spyrtacus spyware

The connection between SIO and Spyrtacus is intricate, yet researchers have managed to trace a paper trail back to the company. According to insights shared with TechCrunch, several command-and-control (C2) servers have been linked to ASIGINT, a former startup that now operates as a subsidiary of SIO, specializing in the development of “computer wiretapping” software. Notably, Italy’s Lawful Intercept Academy lists SIO as the certificate holder for a product named SIOAGENT, which is owned by ASIGINT.

Adding to the complexity, ASIGINT’s CEO, Michele Fiorentino, acknowledged on LinkedIn his involvement in the ‘Spyrtacus Project’ at DataForense, another company associated with SIO’s C2 servers. Kristina Balaam, a researcher at Lookout, has identified a total of 13 samples of Spyrtacus, dating from 2019 to October 2024. However, Ed Fernandez, a spokesperson for Google, expressed confidence that “no apps containing this malware [can currently be] found on Google Play,” noting that protective measures against Spyrtacus have been in place since 2022.

Despite these assurances, the distribution of Spyrtacus appears to have shifted tactics. A 2024 report from Kaspersky, a well-known antivirus software company, indicated that the spyware has largely transitioned from Google Play to deceptive replicas of Italian internet service provider websites.

The Italian government has a troubling history when it comes to facilitating spyware manufacturers. In February 2025, Israeli spyware developer Paragon Solutions terminated its contract with the Italian government after being caught breaching the ethical framework established to protect citizens’ privacy. This incident is compounded by revelations that Italian telephone operators have engaged in surveillance activities, receiving compensation from the Italian justice ministry for their services. This backdrop raises significant concerns, particularly in light of the long-standing presence of spyware companies such as Hacking Team, Cy4Gate, RCS Lab, and Raxir in Italy over the past two decades.
