Tag: Morpheus

  • Morpheus Spyware Hijacks WhatsApp Through Fake Android Update App

    Key Takeaway

    1. Morpheus spyware infects Android devices via fake update apps; the infection requires the victim to install the app and the cooperation of the victim’s telecom provider.
    2. The malware abuses Android accessibility permissions and simulates system updates and messaging interfaces to gain full access to messages and contacts.
    3. The operation is linked to Italian surveillance vendor IPS, targeting political activists, and highlights vulnerabilities in social engineering tactics.
    4. Users should be cautious of suspicious SMS messages prompting app updates, especially when mobile data is unexpectedly cut off.

    A new spyware operation has been discovered that cleverly uses fake Android update apps to spy on users, but it needs the cooperation of the victim’s own mobile provider, making it different from other common attacks. This campaign involves tricking the target into installing a malicious app while the telecom provider is secretly helping to block the victim’s data at the same time.

    Spyware Details and Infection Process

    The malware, called Morpheus, was found by an Italian digital rights group called Osservatorio Nessuno, who shared their findings in a report published on April 24. The spyware is considered low-cost because it relies on social engineering tactics, like convincing someone to install something dangerous, rather than exploiting technical flaws like zero-click vulnerabilities used by more sophisticated tools such as Pegasus. The entire attack hinges on the target manually installing the malicious app, but the methods used to get them there are carefully planned and well documented.

    The Method of Attack

    First, the targeted person’s mobile data is deliberately cut off by their service provider, working closely with authorities to deploy the spyware. After their data gets cut, they receive an SMS message telling them to install a certain app to restore their network connection and to update their phone. The app in question is actually the spyware, hidden in plain sight. Once the app is installed, Morpheus exploits Android’s accessibility permissions, which normally allow apps to read what’s on the screen and interact with other apps. It then shows a fake system update screen and prompts for a reboot, making the user think they’re just updating their device.

    Fake Updates and WhatsApp Spoofing

    After the reboot, Morpheus displays a fake WhatsApp interface that pretends to check the user’s account. It then asks for biometric verification, claiming that a normal account check is taking place. In reality, by tapping on the biometric prompt the user unknowingly gives the spyware permission to add a new device to their WhatsApp account. This grants Morpheus full access to their messages, contacts, and chats, without them suspecting a thing. Language clues, like Italian code snippets and cultural hints in the malware, suggest it’s tailored for Italian targets.

    Connections with Italian Surveillance Companies

    The organization Osservatorio Nessuno linked Morpheus to a company called IPS, which is based in Italy and has over three decades of experience in providing lawful interception technology to police and intelligence agencies. IPS operates across more than 20 countries and has several Italian police forces as clients. Although no specific individuals were named, experts think political activists and other high-profile targets might have been targeted with this spyware, further illustrating the growing concern about surveillance tools sold by Italian firms like IPS, CY4GATE, eSurv, RCS Lab, and SIO. It’s notable that in April 2026, WhatsApp warned 200 of its users about fake versions of the app that contained spyware linked to SIO.

    Precautions and Detection

    It’s important to note that this spyware doesn’t spread through the Google Play Store and cannot install itself without user action. It requires the target to manually download and install an APK file from outside official sources. So, any suspicious SMS claiming to offer a system update, especially if the user unexpectedly loses mobile data along with that message, should be considered dangerous. Android’s accessibility permissions are very powerful and should never be handed out to an app received through a text message link; it’s a common way for malware to gain extensive control over the device.
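
One way to act on this advice during device triage, as an added example that is not part of the original article: the script parses the output of two stock Android shell commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`, captured over adb) and lists accessibility services whose package was not installed by a trusted store. The sample output and package names are constructed, and the trusted-installer set is an assumption.

```python
# Added example: flag enabled accessibility services that belong to sideloaded packages.
# Input is the text output of two stock Android shell commands (captured via adb):
#   settings get secure enabled_accessibility_services
#   pm list packages -i
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per fleet (assumption)

def parse_enabled_services(settings_output):
    """Return {package: [service class, ...]} from the colon-separated component list."""
    services = {}
    text = settings_output.strip()
    if not text or text == "null":  # no accessibility service enabled
        return services
    for component in text.split(":"):
        package, _, cls = component.partition("/")
        services.setdefault(package.strip(), []).append(cls.strip())
    return services

def parse_installers(pm_output):
    """Return {package: installer or None} from 'package:<name>  installer=<name>' lines."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installer = m.group(2)
            installers[m.group(1)] = None if installer == "null" else installer
    return installers

def sideloaded_accessibility_services(settings_output, pm_output):
    """List (package, installer) for services whose package has no trusted installer."""
    installers = parse_installers(pm_output)
    findings = []
    for package in sorted(parse_enabled_services(settings_output)):
        installer = installers.get(package)  # None if sideloaded or unknown
        if installer not in TRUSTED_INSTALLERS:
            findings.append((package, installer))
    return findings

# Constructed sample output; com.example.systemupdate is a hypothetical package name.
SAMPLE_SETTINGS = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.systemupdate/com.example.systemupdate.UpdateService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.systemupdate  installer=null
package:com.whatsapp  installer=com.android.vending"""

if __name__ == "__main__":
    for package, installer in sideloaded_accessibility_services(SAMPLE_SETTINGS, SAMPLE_PM):
        print(f"REVIEW: {package} holds an accessibility service, installer={installer}")
```

Preinstalled system apps can also report `installer=null`, so treat the result as a review list rather than a verdict.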

    Other Recent Threats

    Recently, security experts also caught a different threat actor impersonating IT support staff on Microsoft Teams, tricking employees into installing custom malware that could compromise corporate networks. These types of threats remind us that cyber attackers are constantly developing new tricks to steal data and control devices, requiring users to stay vigilant and cautious about unexpected messages and updates.

    For more insights on cyber threats and spyware operations, visit osservatorionessuno.org or follow recent reports from cybersecurity analysts.
