Italian Spyware Firm IPS Exposed for Distributing Malicious Android Apps
In a recent revelation, Italian digital rights organization Osservatorio Nessuno has uncovered a new spyware, dubbed Morpheus, which masquerades as a phone updating application. This malicious software is capable of extracting a wide array of data from targeted devices, raising significant concerns about privacy and security.
The investigation links Morpheus to IPS, an Italian company with over three decades of experience in providing lawful interception technologies to governments. Traditionally, such technologies enable authorities to monitor real-time communications through telecom networks. However, the discovery of Morpheus indicates that IPS has expanded its offerings to include more intrusive surveillance tools.
According to IPS’s official website, the company operates in more than 20 countries and lists several Italian police forces among its clientele. Despite these affiliations, IPS has not responded to requests for comment regarding the Morpheus spyware.
Morpheus is characterized as low-cost spyware due to its reliance on social engineering tactics to infect devices. Unlike sophisticated zero-click attacks employed by firms like NSO Group and Paragon Solutions, which exploit vulnerabilities to install malware without user interaction, Morpheus requires the target to manually install the malicious app.
The infection process involves collaboration with the target’s mobile service provider. Initially, the provider deliberately disrupts the target’s mobile data service. Subsequently, the target receives an SMS prompting them to download an application purportedly designed to restore data connectivity. Unbeknownst to the user, this app is the Morpheus spyware. This method mirrors tactics previously documented in cases involving other Italian spyware manufacturers.
Once installed, Morpheus exploits Android’s accessibility features to gain extensive control over the device. It can read on-screen data, interact with other applications, and access a comprehensive range of personal information. The spyware initiates a fake system update, displays a reboot screen, and even mimics the WhatsApp interface, prompting the user to provide biometric authentication. This deceptive process grants the spyware full access to the user’s WhatsApp account by adding a new device to the account—a strategy previously observed in government hacking campaigns in Ukraine and Italy.
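A defensive check for the accessibility abuse described above, added here as an example and not taken from the Osservatorio Nessuno research or from any vendor: it cross-references the accessibility services enabled on a device with the installer recorded for each package, using constructed sample output of two standard adb commands. The package names, the trusted-installer list and the function names are assumptions for illustration.

```python
# Added example: flag enabled accessibility services owned by sideloaded apps.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only

# Constructed sample: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.dataupdate/com.example.dataupdate.CoreService")

# Constructed sample: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.dataupdate  installer=null
package:com.whatsapp  installer=com.android.vending
"""

def parse_accessibility_services(raw):
    """Return [(package, service_class)] from the colon-separated setting."""
    services = []
    for component in raw.strip().split(":"):
        if component in ("", "null"):      # setting unset or empty
            continue
        package, _, cls = component.partition("/")
        if cls.startswith("."):            # shorthand relative to the package
            cls = package + cls
        services.append((package, cls))
    return services

def parse_installers(raw):
    """Map package -> installer name (None when the device reports null)."""
    prefix = "installer="
    installers = {}
    for line in raw.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        package = fields[0][len("package:"):]
        value = next((f[len(prefix):] for f in fields[1:] if f.startswith(prefix)), "null")
        installers[package] = None if value == "null" else value
    return installers

def flag_sideloaded_services(a11y_raw, packages_raw, trusted=TRUSTED_INSTALLERS):
    """List enabled accessibility services whose app did not come from a trusted store.
    Preinstalled system apps also report a null installer, so review each hit."""
    installers = parse_installers(packages_raw)
    return [{"package": p, "service": c, "installer": installers.get(p)}
            for p, c in parse_accessibility_services(a11y_raw)
            if installers.get(p) not in trusted]

if __name__ == "__main__":
    for hit in flag_sideloaded_services(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"REVIEW {hit['package']} ({hit['service']}) installer={hit['installer']}")
```

On a real device, feed the two functions the output of the adb commands named in the comments instead of the constructed samples.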
An Established Company Ventures into Spyware
Osservatorio Nessuno’s researchers, identified only as Davide and Giulio, have traced Morpheus back to IPS by analyzing the spyware’s infrastructure. Notably, one of the IP addresses associated with the campaign is registered to IPS Intelligence Public Security. Additionally, the malware’s code contains Italian phrases, including references to Gomorra, a well-known book and TV series about the Neapolitan mafia, and spaghetti, suggesting a cultural connection to Italy.
While the specific targets of Morpheus remain undisclosed, the researchers believe the attack is linked to political activism in Italy—a domain where such targeted attacks have become increasingly common.
A cybersecurity firm, which has been monitoring this particular malware, corroborated the findings, confirming that the spyware is indeed developed by an Italian surveillance technology company.
IPS joins a growing list of Italian spyware manufacturers that have emerged following the decline of Hacking Team, one of the pioneering companies in the spyware industry. Other Italian firms exposed in recent years include CY4GATE, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and SIO.
Earlier this month, WhatsApp notified approximately 200 users who had installed a counterfeit version of the app, which was, in reality, spyware developed by SIO. In 2021, Italian prosecutors suspended the use of spyware from CY4GATE and SIO due to significant malfunctions.