Global Spyware Industry Under Scrutiny as Italian Firm IPS Exposed for Deploying “Morpheus” Malware
In a chilling revelation that underscores the shadowy world of digital espionage, a new report has exposed yet another government-linked spyware maker exploiting Android applications to infiltrate targets’ devices. Italian digital rights organization Osservatorio Nessuno published findings on Thursday detailing a malware strain dubbed “Morpheus,” which masquerades as a phone update app to steal sensitive data. The report highlights the pervasive demand for surveillance tools among law enforcement and intelligence agencies, shedding light on the growing ecosystem of private companies supplying such technology, often operating far from public scrutiny.
The malware, attributed to IPS Intelligence, an Italian firm with over three decades of experience in lawful interception technology, raises pressing questions about the ethical and legal boundaries of digital surveillance. IPS, which boasts operations in more than 20 countries and lists several Italian police forces among its clients, has remained tight-lipped in response to inquiries.
The Mechanics of Morpheus
Morpheus employs a relatively rudimentary infection mechanism compared to its more sophisticated counterparts. Unlike zero-click exploits, which install malware without user interaction by exploiting high-value vulnerabilities, Morpheus relies on tricking targets into voluntarily downloading the malicious app. According to the report, this deception was facilitated by the target’s telecom provider, which deliberately blocked mobile data access before sending a text message prompting the user to install a fake update app to restore functionality.
Once installed, the malware abused Android’s accessibility features, granting it the ability to read on-screen data and interact with other applications. Notably, Morpheus executed a counterfeit WhatsApp update, requesting biometric authentication from the user. Unbeknownst to the victim, this action granted the spyware full access to their WhatsApp account by adding a new device to their session.
This tactic mirrors strategies documented in similar campaigns, including recent incidents in Italy and Ukraine, where government-linked hackers exploited biometric authentication to infiltrate encrypted messaging platforms.
The Italian Connection
Osservatorio Nessuno’s researchers, Davide and Giulio (who requested anonymity), traced Morpheus to IPS through a combination of infrastructure analysis and linguistic clues embedded in the malware’s code. One of the IP addresses used in the campaign was registered to “IPS Intelligence Public Security,” while fragments of code contained Italian phrases, including references to the Neapolitan mob-themed book and TV series Gomorrah and the word “spaghetti.”
Such cultural markers have become a recurring theme in Italian spyware development, with previous malware strains likewise containing Italian-language elements. While the researchers refrained from identifying specific targets, they suggested the attack was likely related to political activism, a sector increasingly targeted by digital surveillance in Italy.
A Legacy of Surveillance
IPS is the latest in a long line of Italian surveillance technology providers to come under scrutiny. The nation has emerged as a hotspot for spyware development since the downfall of Hacking Team, once a dominant player in the global spyware market. Hacking Team’s collapse, following a devastating hack in 2015, created a void that has since been filled by a wave of new entrants, including CY4GATE, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and SIO.
These companies have faced repeated accusations of unethical practices, ranging from distributing malicious Android apps to fielding spyware tools that malfunctioned. Earlier this month, WhatsApp notified approximately 200 users who had inadvertently installed a counterfeit app linked to SIO, another Italian spyware maker. In 2021, Italian prosecutors suspended the use of CY4GATE and SIO spyware due to critical operational failures.
A Global Problem
The Morpheus incident underscores a broader trend: the relentless demand for surveillance tools by governments worldwide has fueled a thriving, largely unregulated industry. While some firms, like NSO Group and Paragon Solutions, specialize in high-end zero-click exploits, others cater to budget-conscious clients with simpler, albeit effective, solutions like Morpheus.
This proliferation of spyware raises significant concerns about privacy, civil liberties, and accountability. Governments’ reliance on private contractors for digital surveillance often obscures the extent of their activities, leaving citizens vulnerable to abuses of power.
The Road Ahead
The exposure of Morpheus serves as a stark reminder of the urgent need for international oversight and regulation of the spyware industry. Efforts to curb misuse, such as the U.S. Commerce Department’s blacklisting of NSO Group in 2021, have had limited impact, as new players continue to emerge.
As Davide and Giulio noted, the targeting of political activists highlights the weaponization of surveillance technology against dissenting voices. This trend is not unique to Italy; across the globe, spyware has been deployed to suppress opposition, silence journalists, and monitor marginalized communities.
IPS’s silence in the face of these allegations leaves unanswered questions about its role in the campaign and the extent of its involvement with government agencies. For now, Morpheus stands as a cautionary tale of the dangers posed by unchecked surveillance and the urgent need for transparency in an industry shrouded in secrecy.
As the global community grapples with the ethical implications of spyware, one thing remains clear: the line between legitimate security and invasive surveillance grows increasingly blurred.
