A new report from the Italian digital rights organization Osservatorio Nessuno has uncovered a sophisticated surveillance campaign involving a malware strain dubbed “Morpheus.” The findings reveal a troubling trend: government-linked entities are increasingly using deceptive, “low-cost” social engineering tactics to bypass mobile security.
Зміст
The Anatomy of a Deception
Unlike the high-end “zero-click” exploits used by elite firms like NSO Group—which can infect a phone without the user ever touching it—Morpheus relies on social engineering. It tricks the user into voluntarily installing the malware through a series of calculated psychological maneuvers:
- Service Disruption: The target’s mobile data is deliberately blocked, often with the cooperation of a telecommunications provider.
- The Fake Fix: The victim receives an SMS prompting them to install a “phone update” app to restore their data connection.
- The Biometric Trap: After a fake reboot, the malware spoofs a WhatsApp prompt, asking for biometric authentication (fingerprint or face ID). Once the user complies, the spyware gains full access to their WhatsApp account by registering a new device.
- Total Access: Once installed, Morpheus abuses Android’s accessibility features, allowing it to read everything on the screen and interact with other applications.
Connecting the Dots to IPS
Researchers Davide and Giulio linked Morpheus to IPS, an Italian company with a 30-year history in “lawful interception” technology. While IPS has traditionally focused on capturing real-time communications through network providers, this report suggests they have expanded into stealthy mobile spyware—a product line that was previously unknown to the public.
The connection was solidified through technical evidence:
– Infrastructure: One of the IP addresses used in the attack was registered to “IPS Intelligence Public Security.”
– Digital Fingerprints: Code fragments within the malware contained Italian phrases, including humorous or culturally specific references like “spaghetti” and “Gomorra” (a nod to the famous Neapolitan crime drama).
A Growing Italian Surveillance Ecosystem
This discovery highlights a significant shift in the global surveillance market. Following the collapse and rebranding of the once-dominant Hacking Team, a fragmented but highly active ecosystem of Italian spyware developers has emerged.
The report identifies a growing list of local players, including CY4GATE, eSurv, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and SIO. This proliferation suggests that the demand for surveillance tools among law enforcement and intelligence agencies is so high that it has birthed a specialized, highly competitive industry.
“This type of targeted attack is very common nowadays,” the researchers noted, suggesting the Morpheus campaign was likely aimed at political activists within Italy.
Why This Matters
The shift toward “low-cost” spyware is significant because it lowers the barrier to entry for state surveillance. While “zero-click” attacks are expensive and difficult to maintain, social engineering—combined with the cooperation of telecom providers—is a highly effective and much cheaper way for authorities to monitor targets. This creates a massive vulnerability for anyone engaged in political activism or sensitive journalism.
In summary, the emergence of Morpheus demonstrates how state actors are moving away from expensive technical exploits in favor of deceptive, human-centric attacks to bypass modern smartphone security.
