Fake iPhone WhatsApp App Delivered Italian Government Spyware to Users
WhatsApp said it notified about 200 users, mostly in Italy, after they were tricked into installing an unofficial iPhone version of WhatsApp embedded with spyware. The company said the incident did not stem from a vulnerability in WhatsApp itself, but from highly targeted social engineering that led victims to download the malicious client. WhatsApp logged affected users out, warned them of the privacy and security risks, and urged them to delete the fake app and reinstall the official version.
The company attributed the operation to ASIGINT, a subsidiary of Italian spyware maker SIO, and said it plans to send SIO a formal legal demand to halt the activity. The campaign adds to scrutiny of Italian surveillance vendors, following earlier reporting on SIO-linked Android spyware, including fake WhatsApp apps associated with Spyrtacus, and a separate WhatsApp notification campaign tied to Paragon Solutions and its Graphite spyware that reportedly targeted journalists and pro-immigration activists in Italy.
Timeline
Apr 1, 2026
WhatsApp says it will send SIO a legal demand
Alongside its disclosure, WhatsApp said it planned to send SIO a formal legal demand ordering the company to stop the malicious activity. The move signaled a potential escalation beyond user notifications into legal action.
Apr 1, 2026
WhatsApp notifies affected users and forces logouts
WhatsApp said it notified about 200 affected users, logged them out of the malicious client, warned them of privacy and security risks, and urged them to remove the fake app and install the official version. Most of the impacted users were reported to be in Italy.
Apr 1, 2026
WhatsApp attributes fake app spyware campaign to SIO/ASIGINT
WhatsApp said the spyware operation behind the fake iPhone app was carried out by ASIGINT, a subsidiary of Italian spyware maker SIO. The company publicly connected the campaign to the Italian surveillance vendor ecosystem.
Apr 1, 2026
Users are tricked into installing fake WhatsApp iPhone app with spyware
Around 200 users, primarily in Italy, were socially engineered into installing an unofficial iPhone version of WhatsApp that contained government spyware. WhatsApp said the malicious app was not the result of a vulnerability in its service.
Jan 1, 2025
WhatsApp previously notified about 90 users targeted by Paragon spyware
Before this newly disclosed incident, WhatsApp had warned roughly 90 users, including journalists and pro-immigration activists, about targeting linked to Paragon Solutions' Graphite spyware in Italy. The case formed part of a broader spyware scandal involving Italian surveillance vendors.
Jan 1, 2025
Researchers link SIO to spyware-laced fake Android apps
Prior reporting identified Italian spyware maker SIO as distributing spyware through malicious Android applications, including fake WhatsApp versions. The spyware associated with these apps was identified as Spyrtacus.
Dec 1, 2024
Court rules NSO Group liable for targeting WhatsApp users
In a December 2024 ruling referenced in the coverage, a court found NSO Group liable for targeting WhatsApp users with Pegasus spyware. The decision was part of WhatsApp's ongoing legal battle against NSO.
Jan 1, 2018
Spyrtacus spyware was distributed via Google Play before moving to fake websites
Kaspersky previously reported that operators distributed the Spyrtacus spyware through Google Play in 2018. By 2019, the campaign had shifted to fake websites impersonating Italian internet providers to deliver the malware.
Sources
4 more from sources like TechCrunch Security, repubblica.it and The Record
Related Stories

Targeting of Italian Political Adviser with Paragon Graphite Spyware
Francesco Nicodemo, a prominent Italian political adviser and communications executive, was identified as the fifth Italian individual targeted with Paragon’s Graphite spyware. Nicodemo, who has managed numerous election campaigns and is known for his work with center-left political candidates, was notified by WhatsApp of evidence linking his device to the spyware. The attack was later confirmed by Citizen Lab’s John Scott-Railton, highlighting ongoing concerns about the use of invasive surveillance tools against political figures in Italy. The Italian government has acknowledged using Paragon spyware in some cases but denies involvement in all incidents, particularly those involving journalists. The growing number of unexplained infections, now totaling at least 90 victims notified by WhatsApp, underscores the broader issue of government surveillance and the targeting of individuals involved in politics and elections. Experts have raised alarms about the human rights implications of such spyware, calling for greater transparency and potential bans on its use.
1 month ago
Mobile Messaging Account Compromises and Spyware Threats
Security researchers and intelligence analysts have documented a series of incidents and trends highlighting the risks to mobile messaging accounts and devices. In December, a new form of WhatsApp account hijacking called GhostPairing was identified, where attackers trick users into linking an attacker-controlled browser to their WhatsApp device, potentially exposing sensitive information. Separately, researchers uncovered large-scale scraping of WhatsApp's contact discovery tool, resulting in the exposure of billions of phone numbers and associated profile data. Meanwhile, spyware threats targeting both iPhone and Android users have escalated, with zero-click attacks enabling adversaries to compromise devices and access encrypted messaging apps such as WhatsApp and Signal. Apple and Google responded by patching vulnerabilities believed to be exploited by commercial spyware like Predator, and the US CISA issued warnings about the active targeting of mobile messaging applications. In another high-profile case, the Iranian-linked Handala hacking group claimed to have fully compromised the mobile devices of two Israeli officials. However, forensic analysis revealed that only their Telegram accounts were breached, not the entire devices. The attackers likely used techniques such as SIM swapping, SS7 exploitation, and phishing to gain access, exposing gaps in session management and account security on encrypted messaging platforms. These incidents underscore the growing sophistication of attacks against mobile messaging services and the need for robust security measures, including privacy controls, passkey-encrypted backups, and vigilance against phishing and SIM-based attacks.
1 month ago
Phishing Kit Hijacks WhatsApp Accounts via WhatsApp Web QR Code and Targets Iran-Related Individuals
A phishing campaign targeting high-profile individuals involved in Iran-related activities has been using WhatsApp messages to lure victims to a fake site that impersonates WhatsApp Web and steals access to accounts and other credentials. U.K.-based Iranian activist and investigator Nariman Gharib shared the phishing link and technical findings, which indicated the operation aimed to compromise WhatsApp accounts and harvest credentials (including Gmail and other online logins), with victims including a Middle Eastern academic in national security studies, the head of an Israeli drone maker, a senior Lebanese cabinet minister, at least one journalist, and individuals with U.S. phone numbers. TechCrunch reported it was able to view a real-time copy of victim submissions because the attackers’ server storing responses was left exposed without a password, showing dozens of victims had entered credentials and were likely subsequently compromised. Technical reporting described the attack as a “surveillance kit” that hijacks accounts by abusing the WhatsApp Web linking flow: the phishing page continuously polls the attacker’s infrastructure and presents a live QR code tied to the attacker’s own WhatsApp Web session, so when a victim scans it they unknowingly authenticate the attacker’s browser and link their account. The infrastructure was reported as hosted on a DuckDNS domain and running on an Ubuntu server with nginx. Beyond account takeover, the kit was described as requesting browser permissions that could enable invasive monitoring—camera, microphone, and location access—allowing attackers to capture photos, record audio in intervals, and track location in near real time; attribution remained uncertain in one report, while another linked the activity to Iranian intelligence.
1 month ago