Spy software manufacturer caught distributing malicious Android apps for years



Italian spyware maker SIO, known for selling its products to government customers, is behind a series of malicious Android apps that masquerade as WhatsApp and other popular apps but steal private data from the target's device, TechCrunch has exclusively learned.

At the end of last year, a security researcher shared three Android apps with TechCrunch, claiming they were likely government spyware used in Italy against unknown victims. TechCrunch asked Google and mobile security firm Lookout to analyze the apps, and both confirmed that the apps were spyware.

This discovery shows that the world of government spyware is wide, both in the number of companies developing spyware and in the variety of techniques used to target individuals.

Italy has in recent weeks been embroiled in a scandal involving the alleged use of a sophisticated spying tool made by Israeli spyware maker Paragon. That spyware is capable of remotely targeting WhatsApp users and stealing data from their phones, and it was allegedly used against a journalist and two founders of an NGO that helps and rescues immigrants in the Mediterranean.

In the case of the malicious app samples shared with TechCrunch, the spyware maker and its government customer used a more rudimentary hacking technique: the development and distribution of malicious Android apps that pretend to be popular apps such as WhatsApp, or customer support tools provided by mobile carriers.

Security researchers at Lookout concluded that the Android spyware shared with TechCrunch is called Spyrtacus, after finding the word in the code of an older malware sample, where it appears to refer to the malware itself.

Lookout told TechCrunch that Spyrtacus has all the hallmarks of government spyware. (Researchers from another cybersecurity company, who independently analyzed the spyware for TechCrunch but asked not to be named, came to the same conclusion.) Spyrtacus can steal text messages as well as Facebook Messenger, Signal and WhatsApp chats; exfiltrate contact information; record phone calls and ambient audio through the device's microphone and images through the device's cameras; among other capabilities that serve surveillance purposes.

According to Lookout, the Spyrtacus samples provided to TechCrunch, as well as several other malware samples the company had previously analyzed, were made by SIO, an Italian company that sells spyware to the Italian government.

Given that the apps, as well as the websites used to distribute them, are in Italian, it is plausible that the spyware was used by Italian law enforcement agencies.

A spokesperson for the Italian government, as well as the Ministry of Justice, did not respond to TechCrunch's request for comment.

At this point, it is unclear who was targeted with the spyware, according to Lookout and the other security company.

Contact us

Do you have more information about SIO or other spyware makers? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram and Keybase at @lorenzofb, or by email. You can also contact TechCrunch via SecureDrop.

SIO did not respond to multiple requests for comment. TechCrunch also reached out to SIO's president and CEO Elio Cattaneo, and to several senior executives, including its CFO Claudio Pezzano and CTO Alberto Fabbri, but did not hear back.

Kristina Balaam, a Lookout researcher who analyzed the malware, said the company found 13 different samples of the Spyrtacus spyware in the wild, with the oldest sample dating from 2019 and the most recent from October 17, 2024. The other samples, Balaam added, were found between 2020 and 2022. Some of the samples impersonate apps made by the Italian mobile carriers TIM, Vodafone and WINDTRE, Balaam said.

Google spokesperson Ed Fernandez said, "Based on our current detection, there are no apps containing this malware on Google Play," adding that Android has had protections against this malware in place since 2022. Google said the apps were used in a "highly targeted campaign." Asked whether older versions of the Spyrtacus spyware were ever on Google's app store, Fernandez said that was all the information the company had.

Kaspersky said in a 2024 report that the people behind Spyrtacus began distributing the spyware through apps on Google Play in 2018, but by 2019 had switched to hosting the malicious apps on web pages made to look like those of some of Italy's top internet providers. Kaspersky said its researchers also found a Windows version of the Spyrtacus malware, and found signs indicating the existence of iOS and macOS versions as well.

Screenshot of a fake website designed to distribute a malicious version of WhatsApp for Android containing the Spyrtacus spyware. Image credits: TechCrunch

Pizza, spaghetti and spyware

Italy has been home to some of the earliest government spyware companies in the world for two decades. SIO is the latest in a long list of spyware makers whose products have been observed by security researchers actively targeting people in the real world.

In 2003, two Italian hackers, David Vincenzetti and Valeriano Bedeschi, founded the startup Hacking Team, one of the first companies to recognize that there was an international market for turnkey, easy-to-use spyware for law enforcement agencies all over the world. Hacking Team went on to sell its spyware to agencies in Italy, Mexico, Saudi Arabia and South Korea.

Over the last decade, security researchers have found several other Italian companies that sell spyware, including Cy4Gate, eSurv, GR Sistemi, Negg, Raxir and RCS Lab.

Some of these companies had spyware products that were distributed in a way similar to Spyrtacus. Motherboard Italy found in a 2018 investigation that the Italian Ministry of Justice had a price list and catalog showing how authorities could compel telecom companies to send malicious text messages to surveillance targets, with the goal of tricking the person into installing a malicious app under the pretext of, for example, keeping their phone service active.

In the case of Cy4Gate, Motherboard found in 2021 that the company had made fake WhatsApp apps to lure targets into installing its spyware.

Several elements point to SIO as the company behind the spyware. Lookout found that some of the command and control servers used to remotely control the malware are registered to a company called ASIGINT, a subsidiary of SIO, according to a publicly available SIO document from 2024, which states that ASIGINT develops software and services related to computer wiretapping.

The Lawful Interception Academy, an independent Italian organization that issues certificates of compliance to spyware makers operating in the country, lists SIO as a certificate holder for a spyware product called SIOAGENT and lists ASIGINT as the product's owner. In 2022, the surveillance and intelligence trade publication Intelligence Online reported that SIO had acquired ASIGINT.

Michele Fiorentino is the CEO of ASIGINT and is based in the Italian city of Caserta, outside Naples, according to his LinkedIn profile. Fiorentino's profile says he worked on a "Spyrtacus project" while at another company called DataForense between February 2019 and February 2020, suggesting that that company was involved in developing the spyware.

Another command and control server linked to the spyware is registered to DataForense, according to Lookout.

DataForense and Fiorentino did not respond to requests for comment sent by email and LinkedIn.

According to Lookout and the other, unnamed cybersecurity company, one of the Spyrtacus samples contains a string in its source code suggesting that the developers may be from the Naples region. The source code includes the words "Scetátave guagliune 'e Malavita", a phrase in Neapolitan dialect that roughly translates as "Wake up, boys of the underworld," which is part of the lyrics of the traditional Neapolitan song "Guapparia."

This would not be the first time Italian spyware makers have left traces of their origin in their spyware. In the case of eSurv, a now-defunct spyware maker from the southern region of Calabria that was exposed in 2019 as having infected the phones of innocent people, its developers left in the spyware's code the word "mundizza," the Calabrian word for garbage, as well as a reference to the name of the Calabrian footballer Gennaro Gattuso.

Although these are small details, all the signs point to SIO as being behind this spyware. But questions about the campaign remain unanswered, including which government customer used the Spyrtacus spyware, and against whom.
