The Italian spyware manufacturer SIO has been identified as the developer behind a persistent campaign of malicious Android applications designed to compromise private data. Disguised as legitimate tools, including WhatsApp and various cellular provider support apps, the malware has been actively targeting individuals for years, according to exclusive findings.
Security researchers at Lookout, alongside an independent cybersecurity firm, confirmed that the malicious software—dubbed “Spyrtacus”—possesses the full suite of capabilities expected from government-grade surveillance tools. These include the extraction of text messages, interception of encrypted chats from Signal and Facebook Messenger, remote microphone and camera activation, and contact exfiltration.

The Mechanics of Spyrtacus
The campaign relies on a “pedestrian” but highly effective distribution strategy: tricking users into downloading fake applications via malicious websites that mimic reputable services. Kristina Balaam, a researcher at Lookout, identified 13 distinct samples of the malware circulating in the wild, with origins dating back to 2019 and the most recent sample appearing as late as October 2024.
While Google confirmed that no such apps are currently present on the Google Play Store and that protection measures have been in place since 2022, the campaign remains a significant threat. Investigations by Kaspersky suggest that the developers behind Spyrtacus previously attempted to host the malware on the Play Store before shifting exclusively to malicious web distribution. There are also indications of versions existing for Windows, macOS, and iOS.

Tracing the Italian Connection
Evidence linking SIO to the spyware is substantial. Public documents reveal that SIO, which provides surveillance technology to government customers, owns a subsidiary called ASIGINT. Command-and-control servers used to operate the Spyrtacus malware have been registered to this subsidiary.
Furthermore, technical markers within the source code point to the developers’ regional origins. One sample contained a phrase in Neapolitan dialect, “Scetáteve guagliune ’e malavita,” referencing a traditional Neapolitan song. This follows a history of Italian spyware firms—such as the now-defunct eSurv—accidentally leaking their origins through localized code comments.

A History of Surveillance
Italy has long been a hub for the global spyware industry, dating back to the founding of Hacking Team in 2003. SIO joins a list of companies previously scrutinized for similar tactics, including Cy4Gate, eSurv, and GR Sistemi.
Despite repeated attempts to reach SIO executives, including CEO Elio Cattaneo and CTO Alberto Fabbri, no response was provided regarding the nature of their government contracts or the victims of the Spyrtacus campaign. The Italian Ministry of Justice also declined to comment on the matter.
