abusesaffiliationarrow-downarrow-leftarrow-rightarrow-upattack-typeburgerchevron-downchevron-leftchevron-rightchevron-upClock iconclosedeletedevelopment-povertydiscriminationdollardownloademailenvironmentexternal-linkfacebookfiltergenderglobegroupshealthC4067174-3DD9-4B9E-AD64-284FDAAE6338@1xinformation-outlineinformationinstagraminvestment-trade-globalisationissueslabourlanguagesShapeCombined Shapeline, chart, up, arrow, graphLinkedInlocationmap-pinminusnewsorganisationotheroverviewpluspreviewArtboard 185profilerefreshIconnewssearchsecurityPathStock downStock steadyStock uptagticktooltiptwitteruniversalityweb

Cette page n’est pas disponible en Français et est affichée en English

Article

13 fév 2025

Auteur:
Lorenzo Franceschi-Bicchierai, TechCrunch

TechCrunch unveils Italian spyware maker SIO distributing malicious Android apps for years

"Spyware maker caught distributing malicious Android apps for years", 13 February 2025

Italian spyware maker SIO, known to sell its products to government customers, is behind a series of malicious Android apps that masquerade as WhatsApp and other popular apps but steal private data from a target’s device, TechCrunch has exclusively learned.

Late last year, a security researcher shared three Android apps with TechCrunch, claiming they were likely government spyware used in Italy against unknown victims. TechCrunch asked Google and mobile security firm Lookout to analyze the apps, and both confirmed that the apps were spyware. 

This discovery shows that the world of government spyware is broad, both in the sense of the number of companies developing spyware, as well as the different techniques used to target individuals. 

In recent weeks, Italy has been embroiled in an ongoing scandal involving the alleged use of a sophisticated spying tool made by Israeli spyware maker Paragon. The spyware is capable of remotely targeting WhatsApp users and stealing data from their phones, and was allegedly used against a journalist and two founders of an NGO that helps and rescues immigrants in the Mediterranean. 

In the case of the malicious app samples shared with TechCrunch, the spyware maker and its government customer used a more pedestrian hacking technique: developing and distributing malicious Android apps that pretend to be popular apps like WhatsApp, and customer support tools provided by cellphone providers.  

Security researchers at Lookout concluded that the Android spyware shared with TechCrunch is called Spyrtacus, after finding the word within the code of an older malware sample that appears to refer to the malware itself.

Lookout told TechCrunch that Spyrtacus has all the hallmarks of government spyware. ...Spyrtacus can steal text messages, as well as chats from Facebook Messenger, Signal, and WhatsApp; exfiltrate contacts information; record phone calls and ambient audio via the device’s microphone, and imagery via the device’s cameras; among other functions that serve surveillance purposes. 

According to Lookout, the Spyrtacus samples provided to TechCrunch, as well as several other samples of the malware that the company had previously analyzed, were all made by SIO, an Italian company that sells spyware to the Italian government

Given that the apps, as well as the websites used to distribute them, are in Italian, it is plausible that the spyware was used by Italian law enforcement agencies. 

A spokesperson for the Italian government, as well as the Ministry of Justice, did not respond to TechCrunch’s request for comment. 

At this point, it is unclear who was targeted with the spyware, according to Lookout and the other security firm. 

SIO did not respond to multiple requests for comment. TechCrunch also reached out to SIO’s president and chief executive Elio Cattaneo; and several senior executives, including its CFO Claudio Pezzano and CTO Alberto Fabbri, but TechCrunch did not hear back.

...

Google spokesperson Ed Fernandez said that, “based on our current detection, no apps containing this malware are found on Google Play,” adding that Android has enabled protection for this malware since 2022. Google said the apps were used in a “highly targeted campaign.” Asked if older versions of the Spyrtacus spyware were ever on Google’s app store, Fernandez said this is all the information the company has. 

Kaspersky said in a 2024 report that the people behind Spyrtacus began distributing the spyware through apps in Google Play in 2018, but by 2019 switched to hosting the apps on malicious web pages made to look like some of Italy’s top internet providers. Kaspersky said its researchers also found a Windows version of the Spyrtacus malware, and found signs that point to the existence of malware versions for iOS and macOS as well.

...

While these are minor details, all signs point to SIO as being behind this spyware. But questions remain to be answered about the campaign, including which government customer was behind the use of the Spyrtacus spyware, and against whom.

Informations sur la confidentialité

Ce site utilise des cookies et d'autres technologies de stockage web. Vous pouvez définir vos choix en matière de confidentialité ci-dessous. Les changements prendront effet immédiatement.

Pour plus d'informations sur notre utilisation du stockage web, veuillez vous référer à notre Politique en matière d'utilisation des données et de cookies

Strictly necessary storage

ON
OFF

Necessary storage enables core site functionality. This site cannot function without it, so it can only be disabled by changing settings in your browser.

Cookie analytique

ON
OFF

Lorsque vous accédez à notre site Web, nous utilisons Google Analytics pour collecter des informations sur votre visite. Autoriser ce cookie nous permettra de comprendre en plus de détails sur votre parcours et d'améliorer la façon dont nous diffusons les informations. Toutes les informations analytiques sont anonymes et nous ne les utilisons pas pour vous identifier. Outre la possibilité que vous avez de refuser des cookies, vous pouvez installer le module pour la désactivation de Google Analytics.

Cookies promotionels

ON
OFF

Nous partageons des nouvelles et des mises à jour sur les entreprises et les droits de l'homme via des plateformes tierces, y compris les médias sociaux et les moteurs de recherche. Ces cookies nous aident à comprendre les performances de ces items.

Vos choix en matière de confidentialité pour ce site

Ce site utilise des cookies et d'autres technologies de stockage web pour améliorer votre expérience au-delà des fonctionnalités de base nécessaires.