
WhatsApp Alerts 200 Users to Fake Spyware App

Summary

– WhatsApp notified around 200 users, mostly in Italy, that they installed a fake version of the app which was actually government spyware from the Italian company SIO.
– This marks the second recent spyware incident in Italy, following a 2025 case where users were targeted by the U.S.-Israeli firm Paragon Solutions, which caused a political crisis.
– The spyware, called Spyrtacus, is delivered via phishing links sent by mobile carriers to their customers, impersonating routine app updates to trick users into installation.
– Italy’s permissive legal framework and low costs have made it a spyware hub, allowing even local police to use these tools, unlike most Western democracies.
– WhatsApp is taking legal action against SIO, following a strategy of litigation and public disclosure to deter surveillance companies, a role traditionally held by regulators.

In a recent security incident, WhatsApp proactively identified and alerted roughly 200 users, most located in Italy, that they had been deceived into installing a malicious counterfeit version of its messaging application. This fake app was in fact government spyware developed by the Italian surveillance firm SIO through its subsidiary ASIGINT. The company took steps to log the affected users out of their accounts, warned them of the privacy risks, and instructed them to delete the fraudulent client and install the official app from a trusted source. WhatsApp also stated its intention to issue a formal legal demand to SIO, compelling it to cease all malicious activity associated with this campaign.

This disclosure, initially reported by Italian media, represents the second instance in just over a year where WhatsApp has publicly identified a spyware vendor targeting its users in Italy. Early last year, the platform notified around 90 individuals, including journalists and activists, that they were targeted by the U.S.-Israeli firm Paragon Solutions and its Graphite spyware, which was used by Italian intelligence services. That revelation caused a political crisis, leading to parliamentary oversight and Paragon ultimately severing ties with Italian agencies.

The malware in this latest case, identified in its code as Spyrtacus, employs a different model, embedding itself within fake applications designed to mimic legitimate software. Researchers have cataloged over a dozen samples of this spyware dating back to 2019, with recent versions impersonating apps from Italian telecom providers and, now, a counterfeit iOS WhatsApp client. Once installed, Spyrtacus can harvest text messages, chat histories, and call logs, and can even activate the device’s microphone and camera for audio and video recording.

The delivery mechanism for this spyware is particularly concerning. In Italy, authorities often obtain cooperation from mobile carriers, who then send phishing links disguised as routine update notifications to their own customers. This system, documented in a justice ministry catalogue, effectively transforms the mobile network into a distribution channel for state surveillance. The cost is strikingly low, with law enforcement able to rent such tools for as little as €150 per day, bypassing the large upfront costs that limit deployment elsewhere.

Italy has become an unusual spyware hub among Western democracies, hosting several surveillance technology companies. This is facilitated by a legal framework that provides a statutory basis for the “captatore informatico,” or state-sanctioned trojan software. Experts note that spyware is deployed more frequently in Italy than elsewhere in Europe because its low cost and permissive regulations make it accessible to a wide array of law enforcement bodies, including municipal police forces, not just national intelligence agencies.

WhatsApp has not confirmed whether the affected users include journalists or civil society members, emphasizing that its priority is protecting those tricked into downloading the fake iOS app. The company did not specify if it has referred the matter to Italian prosecutors. Apple and SIO did not respond to requests for comment.

The legal environment surrounding commercial spyware has evolved significantly. Last May, a California jury ordered NSO Group to pay WhatsApp substantial damages for enabling hacks, a verdict later adjusted by a judge who also imposed a permanent injunction. Meta described the outcome as a landmark, and WhatsApp’s planned legal action against SIO follows this strategy of using litigation and public disclosure as deterrents against companies that compromise encrypted platforms.

This challenge extends beyond any single company. Apple has sent threat notifications to users in over 150 countries regarding state-sponsored attacks. The notification systems operated by Apple and WhatsApp have become primary avenues for victims to learn they have been compromised, a role once filled solely by cybersecurity researchers.

The global lawful-interception market is projected to grow dramatically, driven not by sophisticated zero-click exploits but by affordable, phishing-based tools like those SIO sells. This has lowered the barrier to entry for government surveillance, enabling local police departments to access capabilities once reserved for national agencies. European regulatory frameworks have struggled to keep pace with this rapid adoption.

What distinguishes the SIO case from the Paragon scandal is the method. While Graphite used zero-click exploits requiring no user interaction, Spyrtacus relies on social engineering, tricking users into installing a fake app. The involvement of telecom companies in the delivery chain, sending phishing messages at the state’s request, turns the basic mobile infrastructure into a surveillance tool.

By publicly naming SIO and notifying users, WhatsApp is positioning itself as a counterweight to state surveillance in a way that was uncommon a decade ago. This approach goes beyond patching vulnerabilities to actively identifying vendors, alerting victims, and threatening legal action. It raises complex questions about whether a private messaging platform has become a more effective check on government spyware abuse than existing regulatory bodies.

For the notified users in Italy, pressing questions remain about who authorized the surveillance and under what legal basis. Answers may never be public. Italy’s lawful-intercept framework allows for judicial oversight, but past scandals have shown these mechanisms can be inadequate to prevent abuse. The SIO case indicates a deeper problem, extending to cheaper tools and a distribution model that exploits the trust citizens place in their mobile carriers. The spyware industry does not always need advanced exploits to be effective; sometimes it just needs a convincing notification from your phone company.

(Source: The Next Web)
