Italian Spyware Maker SIO Behind Malicious Android Apps Stealing Private Data

Starfolk

February 13, 2025 · 5 min read

Italian spyware maker SIO has been exposed as the creator of a series of malicious Android apps that impersonate popular apps like WhatsApp, stealing private data from unsuspecting targets. This revelation comes after a security researcher shared three Android apps with TechCrunch, claiming they were likely government spyware used in Italy against unknown victims.

Google and mobile security firm Lookout analyzed the apps, confirming they were indeed spyware. The discovery highlights the breadth of the government spyware industry, with multiple companies developing spyware using various techniques to target individuals. In recent weeks, Italy has been embroiled in a scandal involving the alleged use of a sophisticated spying tool made by Israeli spyware maker Paragon, capable of remotely targeting WhatsApp users and stealing data from their phones.

The malicious app samples shared with TechCrunch were found to be part of a spyware package called Spyrtacus, which has all the hallmarks of government spyware. Spyrtacus can steal text messages and chats from Facebook Messenger, Signal, and WhatsApp, exfiltrate contact information, record phone calls and ambient audio via the device's microphone, and capture imagery via the device's cameras, among other surveillance functions. Lookout concluded that the Spyrtacus samples were made by SIO, an Italian company that sells spyware to the Italian government.

The apps, as well as the websites used to distribute them, are in Italian, suggesting that the spyware was used by Italian law enforcement agencies. However, it is unclear who was targeted with the spyware. A spokesperson for the Italian government and the Ministry of Justice did not respond to TechCrunch's request for comment. SIO also did not respond to multiple requests for comment.

Kristina Balaam, a researcher at Lookout, analyzed the malware and found 13 different samples of the Spyrtacus spyware in the wild, with the oldest sample dating back to 2019 and the most recent dated October 17, 2024. Some of the samples impersonated apps made by Italian cellphone providers TIM, Vodafone, and WINDTRE. Google said that no apps containing this malware are found on Google Play, and that Android has had protections against this malware in place since 2022.

Kaspersky reported in 2024 that the people behind Spyrtacus began distributing the spyware through apps in Google Play in 2018 but switched to hosting the apps on malicious web pages made to look like some of Italy's top internet providers by 2019. Kaspersky also found a Windows version of the Spyrtacus malware and signs pointing to the existence of malware versions for iOS and macOS.

Italy has a long history of hosting government spyware companies. SIO is the latest in a list of spyware makers whose products have been observed targeting people in the real world. In 2003, two Italian hackers founded Hacking Team, one of the first companies to recognize the international market for turnkey, easy-to-use spyware systems for law enforcement and government intelligence agencies.

In the last decade, security researchers have found several other Italian companies selling spyware, including Cy4Gate, eSurv, GR Sistemi, Negg, Raxir, and RCS Lab. Some of these companies had spyware products distributed in a similar way to the Spyrtacus spyware. Motherboard Italy found in 2018 that the Italian justice ministry had a price list and catalog showing how authorities can compel telecom companies to send malicious text messages to surveillance targets with the goal of tricking the person into installing a malicious app.

Lookout found that some of the command-and-control servers used for remotely controlling the malware were registered to a company called ASIGINT, a subsidiary of SIO. The Lawful Intercept Academy, an independent Italian organization, lists SIO as the certificate holder for a spyware product called SIOAGENT and lists ASIGINT as the product's owner. In 2022, surveillance and intelligence trade publication Intelligence Online reported that SIO had acquired ASIGINT.

Michele Fiorentino, the CEO of ASIGINT, worked on the "Spyrtacus Project" while at another company called DataForense between February 2019 and February 2020, implying that that company was involved in the development of the spyware. Another command-and-control server associated with the spyware is registered to DataForense.

The investigation highlights the complexity and reach of the government spyware industry, with multiple companies and techniques used to target individuals. As the use of spyware continues to evolve, it is essential to stay vigilant and hold companies and governments accountable for their actions.
