An Italian company called SIO, known for selling its products to government customers, has been linked to a series of malicious Android apps that masquerade as popular apps like WhatsApp but steal private data from a target’s device, TechCrunch has learned in an exclusive investigation.

Late last year, a security researcher shared three Android apps with TechCrunch, claiming they were likely government spyware used in Italy against unknown victims. TechCrunch asked Google and mobile security firm Lookout to analyze the apps, and both confirmed that the apps were spyware.

This discovery highlights the broad scope of government spyware, in terms of the number of companies involved and the various techniques used to target individuals.

Recently, Italy has been embroiled in a scandal involving the alleged use of a sophisticated spying tool made by Israeli spyware maker Paragon. The spyware is capable of remotely targeting WhatsApp users and stealing their data from their phones, and was allegedly used against a journalist and two founders of an NGO that helps and rescues immigrants in the Mediterranean.

In contrast, the spyware maker behind the malicious app samples shared with TechCrunch used a more pedestrian hacking technique: developing and distributing malicious Android apps that pretend to be popular apps like WhatsApp, and customer support tools provided by cellphone providers.

Security researchers at Lookout concluded that the Android spyware shared with TechCrunch is called Spyrtacus, based on the word found within the code of an older malware sample that appears to refer to the malware itself.

Lookout told TechCrunch that Spyrtacus has all the hallmarks of government spyware. (Researchers from another cybersecurity firm, which independently analyzed the spyware for TechCrunch but asked not to be named, reached the same conclusion.) Spyrtacus can steal text messages, chats from Facebook Messenger, Signal, and WhatsApp; exfiltrate contacts information; record phone calls and ambient audio via the device’s microphone, and imagery via the device’s cameras; among other functions that serve surveillance purposes.

According to Lookout, the Spyrtacus samples provided to TechCrunch, as well as several other samples of the malware that the company had previously analyzed, were all made by SIO, an Italian company that sells spyware to the Italian government.

Given that the apps, as well as the websites used to distribute them, are in Italian, it is plausible that the spyware was used by Italian law enforcement agencies.

A spokesperson for the Italian government, as well as the Ministry of Justice, did not respond to TechCrunch’s request for comment.

It is unclear who was targeted with the spyware, according to Lookout and the other unnamed cybersecurity firm.

SIO did not respond to multiple requests for comment. TechCrunch also reached out to SIO’s president and chief executive Elio Cattaneo; and several senior executives, including its CFO Claudio Pezzano and CTO Alberto Fabbri, but TechCrunch did not hear back.

Kristina Balaam, a researcher at Lookout who analyzed the malware, said the company found 13 different samples of the Spyrtacus spyware in the wild, with the oldest malware sample dating back to 2019 and the most recent sample dating back to October 17, 2024. The other samples, Balaam added, were found between 2020 and 2022. Some of the samples impersonated apps made by Italian cellphone providers TIM, Vodafone, and WINDTRE, said Balaam.

Google spokesperson Ed Fernandez said that “based on our current detection, no apps containing this malware are found on Google Play,” adding that Android has enabled protection for this malware since 2022. Google said the apps were used in a “highly targeted campaign.” Asked if older versions of the Spyrtacus spyware were ever on Google’s app store, Fernandez said this is all the information the company has.

Kaspersky said in a 2024 report that the people behind Spyrtacus began distributing the spyware through apps in Google Play in 2018, but by 2019 switched to hosting the apps on malicious web pages made to look like some of Italy’s top internet providers. Kaspersky said its researchers also found a Windows version of the Spyrtacus malware, and found signs that point to the existence of malware versions for iOS and macOS as well.

These SICilian Gangsters Broke the Internet, but They Couldn’t Catch Spy

Italy has been the host to some of the world’s early government spyware companies for two decades. SIO is the latest in a long list of spyware makers whose products have been observed by security researchers targeting people in the real world.

In 2003, two Italian hackers David Vincenzetti and Valeriano Bedeschi founded the startup Hacking Team, one of the first companies to recognize that there was an international market for turnkey, easy-to-use spyware systems for law enforcement and government agencies around the world. Hacking Team went on to sell its spyware to agencies in Italy, Mexico, Saudi Arabia, and South Korea, among others.

In the last decade, security researchers have found several other Italian companies selling spyware, including Cy4Gate, eSurv, GR Sistemi, Negg, Raxir, and RCS Lab.

Some of these companies had spyware products that were distributed in a similar way to the Spyrtacus spyware. In 2018, an investigation by Motherboard found that the Italian justice ministry had a price list and catalog showing how authorities can compel telecom companies to send malicious text messages to surveillance targets with the goal of tricking the person into installing a malicious app under the guise of keeping their phone service active, for example.

In the case of Cy4Gate, a 2021 investigation by Motherboard found that the company made fake WhatsApp apps to trick targets into installing its spyware.

There are several elements that point to SIO as the company behind the spyware. Lookout found that some of the command and control servers used for remotely controlling the malware were registered to a company called ASIGINT, a subsidiary of SIO, according to a publicly available SIO document from 2024, which says ASIGINT develops software and services related to computer wiretapping.

The Lawful Intercept Academy, an independent Italian organization that issues compliance certifications for spyware makers who operate in the country, lists SIO as the certificate holder

for a spyware product called SIOAGENT and lists ASIGINT as the product’s owner. In 2022, surveillance and intelligence trade publication Intelligence Online reported that SIO had acquired ASIGINT.

Michele Fiorentino, the CEO of ASIGINT and based in the Italian city of Caserta, outside of Naples, according to his LinkedIn profile, worked on “Spyrtacus Project” while at another company, DataForense, between February 2019 and February 2020, implying that the company was involved in the development of the spyware.

Another command and control server associated with the spyware is registered to DataForense, according to Lookout.

DataForense and Fiorentino did not respond to a request for comment sent by email and LinkedIn.

Lookout found that there is a string of source code in one of the Spyrtacus samples that points to the developers potentially being from the Naples region. The source code includes the words, “Scetáteve guagliune ‘e malavita,” a phrase in Neapolitan dialect that roughly translates to “wake up boys of the underworld,” which is part of the lyrics of the traditional Neapolitan song “Guapparia.”

This wouldn’t be the first time that Italian spyware makers have left traces of their origins in their spyware. In the case of eSurv, a now-defunct spyware maker from the southern region of Calabria, exposed in 2019, its developers left in the spyware code the words “mundizza,” the Calabrian word for garbage, as well as referencing the name of the Calabrian footballer, Gennaro Gattuso.

While these are minor details, all signs point to SIO as being behind this spyware. But questions remain to be answered about the campaign, including which government customer was behind the use of the Spyrtacus spyware, and against whom.