WhatsApp notified approximately 200 users, primarily in Italy, that they were tricked into installing a counterfeit version of the messaging app that was actually government spyware. The fake app was created by SIO, an Italian surveillance technology company that develops spyware for law enforcement and intelligence agencies through its subsidiary ASIGINT. WhatsApp said it had proactively identified affected users, logged them out of their accounts, warned them about privacy risks and urged them to remove the fake client and install the official app from a trusted source. The company told TechCrunch that it also plans to submit a formal legal complaint to SIO to stop any malicious activity related to the campaign.
The revelation, first reported by Italian newspaper La Repubblica and news agency ANSA, marks the second time in just over a year that WhatsApp has publicly named a spyware provider operating against its users in Italy. In early 2025, WhatsApp alerted about 90 users, including journalists and pro-immigration activists, that they had been attacked by Paragon Solutions, an American-Israeli surveillance company whose flagship product, Graphite, was deployed by Italy’s domestic and foreign intelligence services. That revelation triggered a political crisis in Rome. Italy’s parliamentary intelligence oversight committee, COPASIR, confirmed the use of Graphite and found that seven Italians had been targeted. Paragon subsequently cut ties with Italy’s spy agencies after the government refused to verify whether spyware had been used against a specific journalist, Francesco Cancellato of the news site Fanpage.
SIO spyware operates using a different model. The malware, identified in its own code as Spyrtacus, is embedded in fake applications designed to look like legitimate software. Researchers have found 13 different Spyrtacus samples dating back to 2019, with the most recent from late 2024. Previous versions posed as Android apps from Italian mobile providers TIM, Vodafone and WINDTRE, as well as earlier fake versions of WhatsApp itself. TechCrunch first exposed SIO’s Android distribution campaign in February 2025. The latest operation, aimed at iPhones, represents an expansion of the tactic to the Apple ecosystem. Once installed, Spyrtacus can steal text messages, chat histories, and call logs, as well as record audio and video directly from the device’s microphone and camera.
The delivery mechanism is as revealing as the malware itself. In Italy, authorities routinely obtain the cooperation of mobile phone operators, who send phishing links to their own customers on behalf of the authorities. The target receives what appears to be a routine update notification from their provider, instructing them to install what appears to be a standard WhatsApp update. The Italian Justice Ministry has maintained a price list and catalog showing how authorities can force telecommunications companies to send such messages, a system that effectively turns the mobile network itself into a distribution channel for state surveillance tools. The cost of renting spyware in Italy is remarkably low: by the end of 2022, law enforcement agencies could access these tools for as little as 150 euros per day, without the large upfront acquisition costs that typically limit their deployment in other countries.
Italy’s position as a spyware hub is unusual among Western democracies. Companies such as Hacking Team, Cy4Gate, RCS Lab and Raxir are based in the country, governed by a legal framework that provides a formal statutory basis for the “captatore informatico”, or computer interceptor, Trojan software effectively authorized by the state. Fabio Pietrosanti, president of the Hermes Center for Transparency and Digital Human Rights, has said that Spyware is deployed more frequently in Italy than anywhere else in Europe. because the low cost and permissive regulation make it accessible to a much wider range of law enforcement agencies than in neighboring countries. The result is an ecosystem in which municipal police forces, not just national intelligence agencies, can commission surveillance operations against individuals.
WhatsApp spokesperson Margarita Franklin told TechCrunch that the company could not yet confirm whether the 200 affected users included journalists or members of civil society. “Our priority has been to protect users who may have been tricked into downloading this fake iOS app,” he said. The company did not specify whether it had referred the matter to Italian prosecutors or any regulatory authority. Apple and SIO did not respond to requests for comment.
The legal landscape surrounding commercial spyware has changed substantially over the last year. In May 2025, a California jury ordered NSO Group, the Israeli maker of Pegasus, to pay WhatsApp $167 million in punitive damages after finding that it had allowed approximately 1,400 users to be hacked through click-free attacks. A federal judge later reduced the award to $4 million but imposed a permanent injunction prohibiting NSO from attacking WhatsApp’s infrastructure. NSO has appealed. Meta, WhatsApp’s parent company, described the verdict as a milestone and has since expanded its legal strategy against the broader surveillance industry. The formal legal complaint that WhatsApp intends to send to SIO follows the same pattern: using litigation and public disclosure as deterrents against companies that profit from compromising encrypted messaging platforms.
The proliferation of spyware vendors presents a challenge that extends far beyond any single platform. Apple has sent mercenary spyware threat notifications to users in more than 150 countries since 2021, alerting people it believes have been individually targeted by state-sponsored attacks. In April 2025, Apple notified Italian journalist Ciro Pellegrino, one of Paragon’s victims, that he had been attacked. Apple and WhatsApp’s notification systems now represent the primary mechanism by which victims of government surveillance learn they have been compromised, a function that was once the exclusive domain of Specialist researchers in the cybersecurity industry..
The global lawful interception market was valued at $4 billion in 2023 and is projected to reach $15 billion by 2032, growing at approximately 16 percent annually. That growth is not being driven by headline-grabbing Pegasus-style zero-click exploits, but by the kind of low-cost phishing-based tools that SIO sells. The barrier to entry for government surveillance has dropped to the point where a local police department in a midsize Italian city can commission the same type of spyware deployment that was once the exclusive domain of national intelligence agencies. He Gap between regulatory ambition and law enforcement capacity in Europe it means that the legal frameworks governing these tools have not kept up with the pace at which they are being adopted.
What differentiates the SIO case from the Paragon scandal is the method. Paragon’s Graphite used zero-click exploits that required no action on the part of the target. SIO’s Spyrtacus requires the target to install a fake app, a social engineering approach that relies on trust in the operator and familiarity with routine app updates. The fact that Italian telecommunications companies participate in the distribution chain, sending phishing messages to their own subscribers at the request of the State, turns the mobile infrastructure itself into an instrument of surveillance. It’s one thing for a government to hack a phone. Another is for the phone company to help.
Follows WhatsApp’s decision to publicly name SIO and notify affected users the broader pattern of tech platforms asserting themselves as counterweights to state surveillance in ways that would have been unthinkable a decade ago. The company is not limited to fixing a vulnerability. It involves identifying the provider, alerting victims and threatening legal action, a stance that positions a Meta-owned messaging app as a more effective check on government spyware abuse than any European regulator has managed to date. Whether that dynamic is reassuring or alarming depends on your view of where responsibility for protecting citizens should ultimately lie from their own governments.
For the 200 users in Italy who received the WhatsApp notification, the immediate question is more concrete: who authorized the surveillance and on what legal basis? The answer may never be made public. Italy’s legal interception framework allows the use of these tools under judicial supervision, but oversight mechanisms have It has repeatedly been shown to be inadequate to prevent abuse.. The Paragon scandal demonstrated that intelligence agencies could target journalists and activists under cover of legal authority. The SIO case suggests that the problem goes deeper and extends to less prominent providers, cheaper tools and a distribution model that exploits the trust that citizens place in their mobile operators. The spyware industry doesn’t need clickless exploits to be dangerous. You just need a convincing notification from your telephone company.
