Italian Spyware Maker IPS Exposed for Distributing Fake Android Surveillance Apps

Another Italian spyware maker has been caught in the act, this time distributing fake Android apps to install surveillance software on unsuspecting targets. A new report from Osservatorio Nessuno, an Italian digital rights organization, reveals how the company IPS used a deceptive phone-updating app to deploy its Morpheus spyware.

The discovery highlights the growing demand for spyware among law enforcement and intelligence agencies worldwide. As a result, numerous companies are quietly supplying these tools, often operating far from public scrutiny.

How the Morpheus Spyware Works

According to the researchers, Morpheus is a “low cost” spyware that relies on tricking victims into installing it themselves. Unlike advanced spyware from firms like NSO Group or Paragon Solutions, which use invisible zero-click attacks, Morpheus depends on social engineering.

In this case, the target’s mobile provider deliberately blocked their data connection. Then, the telecom sent an SMS urging the victim to install a fake app to restore cellular access. This strategy has been documented in other cases involving Italian spyware makers.

Once installed, the malware abused Android’s accessibility features to read screen data and interact with other apps. It then prompted a fake update, showed a reboot screen, and spoofed WhatsApp to request biometric authentication. Unbeknownst to the target, this granted the spyware full access to their WhatsApp account.

IPS: An Old Company with a New Spyware Product

Osservatorio Nessuno’s researchers, identified only as Davide and Giulio, linked the spyware to IPS based on its infrastructure. One IP address was registered to “IPS Intelligence Public Security.” Additionally, the malware code contained Italian phrases, including references to Gomorra and “spaghetti” — a common trait among Italian spyware makers.

IPS has operated for over 30 years, providing traditional lawful interception technology to governments. Its website lists several Italian police forces as customers and claims operations in more than 20 countries. However, the company did not respond to requests for comment about the spyware report.

The Target: Political Activism in Italy

Davide and Giulio could not reveal specific details about the target but believe the attack is “related to political activism” in Italy. They noted that such targeted attacks are increasingly common in this sphere.

A researcher at a cybersecurity firm, who reviewed the report, confirmed that the malware was definitely developed by an Italian surveillance tech maker. This aligns with a broader trend of Italian firms filling the void left by Hacking Team, one of the first spyware makers globally.

The Rise of Italian Spyware Makers

IPS joins a long list of Italian spyware makers exposed in recent years, including CY4GATE, eSurv, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and SIO. Earlier this month, WhatsApp notified around 200 users who installed a fake version of the app, which was actually spyware made by SIO.

In 2021, Italian prosecutors suspended their use of CY4GATE and SIO spyware due to serious malfunctions. This pattern raises questions about the oversight and regulation of surveillance technology in Italy and beyond.

Building on these findings, it’s clear that the demand for government spyware continues to drive innovation in deception tactics. For more insights, explore our guide on how to protect Android from spyware. Additionally, learn about understanding lawful interception technology to grasp the legal landscape.

In conclusion, the exposure of IPS demonstrates that even established companies are turning to covert methods to meet the demands of law enforcement. As a result, users must remain vigilant against fake apps and suspicious messages, especially those claiming to fix network issues.