
Spyware Manufacturer Exposed for Distributing Malicious Apps on Android for Years
The Italian company SIO, which supplies government clients, is behind a spyware campaign on Android called Spyrtacus, which mimics popular applications like WhatsApp, according to cybersecurity researchers.
A recent study has revealed that the Italian firm SIO, known for selling spy software to governmental entities, is behind several malicious applications for Android that disguise themselves as popular apps like WhatsApp. These malicious programs have the ability to steal private information from users' devices. Late last year, a security researcher shared with a media outlet three Android applications suspected to be government espionage tools used in Italy against still unidentified victims.
Analysis conducted by Google and the mobile security company Lookout confirmed that these applications were indeed spyware. This finding highlights the extent of the government spyware landscape, both in terms of the companies involved in its development and the diverse techniques employed to target individuals. In recent weeks, Italy has been at the center of a scandal involving sophisticated spyware from the Israeli company Paragon, which is also capable of targeting WhatsApp users and stealing information from their phones.
In contrast to this advanced tool, the malware attributed to SIO uses a more basic hacking technique: developing and distributing Android applications that present themselves as commonly used apps, including customer-service apps for phone operators. Lookout researchers identified the spyware as Spyrtacus, based on the occurrence of the term within the code of previous malware samples.
Spyrtacus can steal text messages, as well as interactions in apps such as Facebook Messenger, Signal, and WhatsApp; exfiltrate contact information; and record calls and ambient audio through the device's microphone, among other surveillance functions. According to Lookout, all of the Spyrtacus samples that were analyzed were created by SIO, whose clientele includes Italian governmental entities, as suggested by the Italian language used in the applications and on the distribution websites.
Representatives of the Italian government and the Ministry of Justice have not responded to requests for comment on these claims, which has raised further concerns. Despite interest in who the spyware targeted, security analysts have been unable to determine this.
Lookout's analysis also found that SIO has a history in the spyware industry. Founded in an environment where several Italian companies dedicated to this sector have emerged, SIO adds to a long list of developers that have operated in the country, with the potential of having distributed spyware to various governmental agencies.
The investigation highlights that some of the malware's control infrastructure is linked to a SIO subsidiary called ASIGINT, which specializes in software and services related to communication interception. Spyrtacus's development can likely be traced back to the Naples region, as evidenced by a phrase in the Neapolitan dialect found in the spyware's code, suggesting a possible regional link.
While the evidence points to SIO as the company behind this spyware, questions remain about the governmental client that used Spyrtacus and the specific targets of this campaign.