Morpheus is a new spyware identified by the nonprofit organization Osservatorio Nessuno, which spreads through counterfeit Android applications that appear as legitimate updates. Attackers use SMS messages to direct victims to a fraudulent website mimicking an Internet Service Provider (ISP). The spyware installs a dropper app that deploys a concealed payload, which disguises itself as legitimate system components and manipulates users into granting dangerous permissions, including Accessibility access.
Once granted, Morpheus initiates a Permission Workflow that creates a fake update overlay, disabling the touchscreen to prevent user interaction. It ensures persistence by restarting after device reboots and can request device administrator privileges. The spyware exploits overlay windows and Accessibility features to gain control of the device and bypass security measures, including disabling antivirus solutions without requiring root access.
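The behaviour described above (an overlay window plus an Accessibility service, with boot-time persistence and an optional device-administrator receiver) is visible in an app's manifest before the app is ever run. The following script is an added example, not code from the original report or from Osservatorio Nessuno: it audits an AndroidManifest.xml for that combination of declarations. The sample manifest, its package name and component names are constructed for the example; the permission and bind-permission strings are the real Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest declarations that grant the capabilities the report attributes to
# Morpheus. The mapping is written for this example; the permission names are real.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows (fake update screen)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot (persistence)",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "video recording",
}
# Bind permissions that a <service>/<receiver> declares to become a privileged component.
RISKY_BIND = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (UI control)",
    "android.permission.BIND_DEVICE_ADMIN": "device administrator receiver",
}


def audit_manifest(manifest_xml: str) -> dict:
    """Return the risky declarations found and whether the overlay+accessibility pair is present."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name in RISKY_PERMISSIONS:
            findings.append((name, RISKY_PERMISSIONS[name]))
    for tag in ("service", "receiver"):
        for elem in root.iter(tag):
            perm = elem.get(ANDROID_NS + "permission")
            if perm in RISKY_BIND:
                findings.append((perm, RISKY_BIND[perm]))
    names = {n for n, _ in findings}
    # The pairing the report describes: an overlay to hide the screen while an
    # accessibility service clicks through prompts on the user's behalf.
    pair = ("android.permission.SYSTEM_ALERT_WINDOW" in names
            and "android.permission.BIND_ACCESSIBILITY_SERVICE" in names)
    return {"findings": findings, "overlay_plus_accessibility": pair, "score": len(findings)}


# Constructed sample: a manifest shaped like the fake "system update" app the report describes.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="System Update">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""


def audit_sample() -> dict:
    return audit_manifest(SUSPICIOUS_MANIFEST)


def audit_benign() -> dict:
    return audit_manifest(BENIGN_MANIFEST)


if __name__ == "__main__":
    for label, result in (("suspicious", audit_sample()), ("benign", audit_benign())):
        print(f"[{label}] score={result['score']} "
              f"overlay+accessibility={result['overlay_plus_accessibility']}")
        for name, why in result["findings"]:
            print(f"    {name}: {why}")
```

Run against a decoded manifest (for example one extracted with apktool) the script reports the suspicious sample with five findings and the overlay+accessibility pair set, and the benign sample with none. Individually each of these permissions has legitimate uses, so the pair flag, not the raw count, is the signal worth triaging; a real screen reader declares the accessibility bind permission without the overlay, boot and device-admin declarations beside it.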
Analysis suggests Morpheus has Italian origins, with connections to an Italian firm, IPS Intelligence, known for lawful interception technologies. The spyware is capable of invasive actions such as recording audio and video, linking to WhatsApp, and compromising device security. The report highlights a network of dubious companies and shared contacts linked to the spyware's distribution.
The Italian digital rights organization Osservatorio Nessuno has revealed a new malware called Morpheus, used by government agencies for surveillance. Morpheus is disguised as a phone updating application and can extract various data from targets' devices. The spyware is linked to IPS, an Italian firm specializing in lawful interception technologies, which claims to operate in over 20 countries. Morpheus is categorized as "low cost" due to its straightforward infection method, which involves tricking targets into installing the software. Authorities collaborated with the target's mobile service provider to obstruct data and send an SMS prompting the installation of the malware. Once installed, Morpheus exploits Android's accessibility features to access extensive information and masquerades as the WhatsApp application to solicit biometric data. The spyware's code contains Italian phrases and references to "Gomorra," indicating its connection to the Italian spyware industry. The attack is likely linked to political activism in Italy. IPS is among several Italian spyware manufacturers that have emerged following the decline of Hacking Team.
The Indian government has decided to abandon a proposal that would have required the pre-installation of the Aadhaar biometric ID app on smartphones from major manufacturers like Apple and Samsung. This decision was announced by the Unique Identification Authority of India (UIDAI) after significant pushback from the tech industry. Concerns raised by manufacturers included device security, compatibility issues, and increased production costs due to the need for separate manufacturing lines for the Indian market. The Ministry of Information Technology expressed reluctance to enforce the requirement, and UIDAI confirmed that the government is not in favor of mandating the app's pre-installation.
Researchers at Cyble Research and Intelligence Labs (CRIL) have discovered an Android malware framework called MiningDropper, which is being used in various campaigns to distribute malicious payloads such as cryptocurrency miners, infostealers, Remote Access Trojans (RATs), and banking malware. Over 1,500 MiningDropper samples were detected in one month, with many showing minimal antivirus detection.
MiningDropper operates as a multi-stage delivery framework that employs techniques like XOR-based obfuscation and AES encryption to evade detection. A recent variant uses a trojanized version of the Lumolight application as the initial infection vector, often spread through phishing links and fraudulent websites. The malware executes a series of stages, starting with decrypting an embedded asset and loading additional payloads, including a counterfeit Google Play update interface to deceive users.
Two main campaign clusters have been identified: an infostealer campaign targeting Indian users by impersonating trusted entities, and a global campaign distributing the BTMOB RAT, which enables credential theft and device takeover. The final payload capabilities include extracting sensitive data, enabling full device compromise, facilitating financial fraud, and unauthorized cryptocurrency mining. MiningDropper's modularity allows it to adapt and scale across various campaigns while maintaining low detection rates.
Norton, owned by Gen Digital, provides antivirus software, VPN services, and identity theft monitoring to protect users from cyber threats such as malware and phishing attacks. The company emphasizes subscription-based revenue through Norton 360, which bundles various security features, ensuring predictable cash flow. Norton competes with other antivirus brands like McAfee and Bitdefender, maintaining a strong market share in North America due to its established brand trust. The demand for cybersecurity tools is driven by rising cyber threats, including ransomware attacks and increased remote work, which necessitate robust online protection. Gen Digital is investing in AI-driven threat detection and expanding its offerings to address evolving security needs. However, Norton faces challenges from free alternatives, potential privacy concerns, and macroeconomic pressures that could affect consumer spending on security products.
The MAX messaging platform has been introduced in Russia as a "national messenger" to replace foreign applications like Telegram and WhatsApp, which face restrictions. Owned by VK, MAX has over 100 million users and is expanding its reach internationally. There are concerns about data privacy, with critics fearing that security services could access user information. Some users feel pressured to use MAX for communication with institutions and services, raising questions about its voluntary adoption. The public reaction is mixed, with some supporting a domestically controlled system while others prefer existing platforms. Experts in the telecom sector express skepticism about the platform's maturity and trustworthiness. The situation reflects a broader trend of increased control over online communication in Russia.
The FBI issued alerts regarding cyber campaigns by Russian and Iranian actors targeting messaging platforms. Russian intelligence services are reportedly infiltrating applications like Signal, leading to unauthorized access of thousands of accounts of U.S. government officials, military personnel, political figures, and journalists. Russian operatives are using phishing messages disguised as support notifications to trick users into providing verification codes or account PINs, potentially allowing attackers to take over accounts. Once compromised, attackers can access messages, contact lists, and launch further phishing attempts. The advisory emphasizes that while Signal is targeted, similar tactics can affect any messaging app.
In a separate alert, the FBI highlighted Iran's Ministry of Intelligence and Security (MOIS) using Telegram to distribute malware aimed at Iranian dissidents and journalists, enabling the operators to steal sensitive information. This malware often disguises itself as legitimate software and connects to Telegram bots for remote access and data exfiltration. The FBI linked these activities to the Handala Hack group, which claimed responsibility for a recent attack on medical device manufacturer Stryker. The malware can be introduced through social media by hackers posing as technical support. Experts note that the use of Telegram for cyber compromises is increasing, as it helps malicious actors avoid detection by blending their traffic with that of trusted platforms.
The Max application was launched by VK in 2025, raising concerns about potential government surveillance and a separation from Western digital services. The app combines social media, messaging, and government services, including a digital ID and banking, and is being promoted as a "secure" platform by President Vladimir Putin, who aims for "technological sovereignty." Since September, Max has been pre-installed on devices sold in Russia and is included on a "white list" of services operational during internet blackouts. Initially available only to users with Russian or Belarusian SIM cards, it now supports English and phone numbers from 40 "friendly" countries but is not available in the EU or Ukraine. Public sentiment is mixed, with some individuals feeling forced to use it for communications, while others have concerns about privacy and data security. Max does not offer end-to-end encryption, and user data is stored on Russian servers. The app's introduction is part of Russia's strategy for a "sovereign internet," with increased regulatory authority to monitor online activities.
MTS, a major mobile operator in Russia, has reclassified virtual private networks (VPNs) as equivalent to torrent services, imposing a daily fee of up to 87 rubles for users who wish to engage in private browsing. Traffic routed through VPNs will no longer be included in standard service packages, leading to additional charges for accessing blocked resources or securing connections. The new tariff structure charges users based on their region and plan, with fees ranging from 80 to 87 rubles per day for a quota of five gigabytes of specialized traffic. Users can block this service to avoid charges, resulting in the complete unavailability of VPN connections. This policy is seen as a response to pressures for new monetization strategies and aligns with government efforts to limit internet circumvention. The potential for other major telecom operators to adopt similar practices could impact net neutrality in Russia.