

Ethical Hacking News

New Android Spyware Morpheus Linked to Italian Surveillance Firm Raises Concerns Over Covert Surveillance



A new Android spyware called Morpheus linked to an Italian surveillance firm has been uncovered, highlighting the growing threat of covert surveillance tools in the digital landscape. The spyware, distributed through fake apps posing as updates, can steal extensive data from infected devices and gain persistence even after reboot. Osservatorio Nessuno researchers conclude that the malware is linked to IPS Intelligence, an Italian firm active in lawful interception technologies used by governments. This revelation underscores the importance of protecting personal data from emerging threats like Morpheus.

  • Morpheus spyware distributes itself through fake Android apps posing as updates.
  • The spyware can steal extensive data from infected devices, including audio and video recordings.
  • The malware uses fake icons and names to appear trustworthy and forces users to grant dangerous permissions.
  • The spyware can restart after reboot and request device admin privileges, making removal difficult.
  • It can trick victims into approving actions like linking a WhatsApp account by showing a fake biometric prompt.
  • The malware disables security protections like camera/mic indicators and Play Protect, and turns off antivirus tools.
  • It targets multiple languages and Android devices, shows signs of Italian origin, and is possibly linked to the firm IPS Intelligence.



    In a disturbing revelation, researchers at the non-partisan, non-religious, nonprofit organization Osservatorio Nessuno have uncovered a new spyware called Morpheus, which is distributed through fake Android apps posing as updates. Once installed, it can steal extensive data from the infected devices, highlighting the rising threat of covert surveillance tools in the digital landscape.

    The report, published by Osservatorio Nessuno on April 28, 2026, reveals that attackers used a typical low-cost spyware tactic: disrupt a service and trick the victim into installing a fake app to restore it. In this case, targets received an SMS linking to a site impersonating an ISP. The first stage, a dropper app, installs a hidden second-stage payload embedded within it. It checks if the payload is already present, then silently deploys it with minimal user awareness.

    The second stage disguises itself as legitimate system components, using fake icons and names to appear trustworthy. It forces users to grant dangerous permissions, including Accessibility access, which allows it to read screens, interact with apps, and capture sensitive data. According to the report, after granting Accessibility permissions, the spyware starts a Permission Workflow that creates an overlay with a fake update process and a fake reboot screen. In the background, the workflow performs all the steps to grant all the needed permissions.

    The malware also gains persistence by restarting after reboot and can request device admin privileges, making removal difficult. Overall, it enables long-term, covert surveillance of the infected device. The spyware abuses overlay windows and Accessibility features to take control of the device and bypass protections. Using the powerful SYSTEM_ALERT_WINDOW permission, it displays fake screens, such as updates or reboots, while secretly granting itself permissions in the background, even disabling touch input to limit user control.

    It can trick victims into approving actions like linking a WhatsApp account by showing a fake biometric prompt. It also enables Wireless Debugging and connects to ADB to gain elevated privileges, silently granting itself sensitive permissions, disabling security protections like camera/mic indicators and Play Protect, and turning off antivirus tools.

    Furthermore, the report reveals that in the third phase, the spyware disables a number of known antivirus products, including Google's own SafetyCore, Bitdefender, Sophos, Avast, AVG, and Malwarebytes, along with a handful of smaller "cleaner/antivirus" apps popular on low-end devices. None of this requires root, and the changes persist across reboots, since the Android security model treats user-installed anti-malware software like ordinary apps.
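The behaviours described above (an Accessibility service owned by an app that only looks like a system component, Wireless Debugging switched on, and security apps disabled) leave traces a responder can read over ADB. The following triage sketch is an added example, not code from the Osservatorio Nessuno report; the package names in the sample data are constructed, and matching disabled packages on vendor keywords is an assumption.

```python
# Added triage example. Inputs are text captured from a device with:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get global adb_wifi_enabled
#   adb shell pm list packages -s   (system packages)
#   adb shell pm list packages -d   (disabled packages)
# Vendor keywords come from the article; matching on them is a heuristic (assumption).
SECURITY_KEYWORDS = ("safetycore", "bitdefender", "sophos", "avast", "malwarebytes")

def parse_packages(pm_output):
    """Turn `pm list packages` output ("package:<name>" per line) into a set."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def parse_accessibility(value):
    """Split the colon-separated "pkg/service" list; `settings` prints null if unset."""
    value = value.strip()
    if value in ("", "null"):
        return []
    return [entry.split("/", 1)[0] for entry in value.split(":") if entry]

def triage(accessibility, adb_wifi, system_pkgs, disabled_pkgs):
    """Return (finding, detail) tuples for the behaviours described in the article."""
    findings = []
    system = parse_packages(system_pkgs)
    # A system-looking name proves nothing; check membership in the system package list.
    for pkg in parse_accessibility(accessibility):
        if pkg not in system:
            findings.append(("accessibility-service-from-user-app", pkg))
    if adb_wifi.strip() == "1":
        findings.append(("wireless-debugging-enabled", "adb_wifi_enabled=1"))
    for pkg in sorted(parse_packages(disabled_pkgs)):
        if any(word in pkg.lower() for word in SECURITY_KEYWORDS):
            findings.append(("security-app-disabled", pkg))
    return findings

# Constructed sample data (hypothetical package names, not from the report).
SAMPLE = dict(
    accessibility="com.google.android.marvin.talkback/.TalkBackService:"
                  "com.android.systemupdate.core/.CoreService",
    adb_wifi="1\n",
    system_pkgs="package:com.android.settings\n"
                "package:com.google.android.marvin.talkback\n",
    disabled_pkgs="package:com.example.bitdefender.scanner\n"
                  "package:com.example.notes\n",
)

if __name__ == "__main__":
    for finding, detail in triage(**SAMPLE):
        print(f"{finding}: {detail}")
```

Each finding is a lead for manual review, not a verdict: legitimate user-installed accessibility apps and developer devices with Wireless Debugging enabled will also appear.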

    The analysis of the source code suggests an Italian origin for the spyware, based on language clues and references like "aprafoco" and "Gomorra." The malware supports multiple languages and Android devices, showing broader targeting. Its infrastructure uses encrypted configs, Italian-hosted servers, and domains linked to small ISPs and obscure entities with generic details.

    The researchers found ties between hosting providers, fake or opaque companies, and shared contacts. The phishing domain is registered to a small Italian firm with minimal activity and links to other questionable businesses. Overlapping financial and corporate connections suggest a network of related entities potentially supporting the spyware operation while masking its true ownership.

    Osservatorio Nessuno concluded that the spyware is linked to IPS Intelligence, an Italian firm active for over 30 years in lawful interception technologies used by governments to monitor communications through telecom and internet providers. "While IPS Intelligence is a well-known commercial surveillance provider, this is, to our knowledge, the first report linking them to the distribution and operation of spyware," concludes the report.

    "Morpheus is extremely invasive: it can record audio and video, silently pair a WhatsApp device, erase evidence, and deliberately weaken the security of the infected phone, among other malicious capabilities." The researchers did not provide details on how they isolated or identified the sample, so the exact collection and analysis process remains undisclosed.

    This revelation highlights the growing threat of covert surveillance tools in the digital landscape. As mobile devices become increasingly ubiquitous, the risk of these spyware attacks becomes more pronounced. It is essential for device users to remain vigilant and take steps to protect their personal data from such threats.

    In light of this report, it is crucial for device manufacturers and security software vendors to enhance their efforts to detect and prevent such malware infections. Furthermore, regulatory bodies should consider implementing stricter regulations on the use of spyware tools and ensuring that companies are held accountable for any malicious activities.

    As the digital landscape continues to evolve, so too must our collective efforts to protect ourselves from these emerging threats. By staying informed and taking proactive steps to safeguard our personal data, we can minimize the risk of falling prey to covert surveillance tools like Morpheus.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Android-Spyware-Morpheus-Linked-to-Italian-Surveillance-Firm-Raises-Concerns-Over-Covert-Surveillance-ehn.shtml

  • https://securityaffairs.com/191398/malware/new-android-spyware-morpheus-linked-to-italian-surveillance-firm.html


  • Published: Tue Apr 28 06:15:37 2026 by llama3.2 3B Q4_K_M












