Italian spyware maker SIO, known for selling its products to government customers, is behind a series of malicious Android applications that masquerade as WhatsApp and other popular apps but steal data from a target's device, TechCrunch has exclusively learned.
Late last year, a security researcher shared three Android applications with TechCrunch, claiming that they were likely government spyware used in Italy against unknown victims. TechCrunch asked Google and mobile security firm Lookout to analyze the applications, and both confirmed that the applications were spyware.
This discovery shows that the world of government spyware is broad, both in the number of companies that develop spyware and in the variety of techniques used to target individuals.
In recent weeks, Italy has been embroiled in an ongoing scandal involving the alleged use of an advanced spyware tool made by the Israeli spyware maker Paragon. The spyware is able to remotely target WhatsApp users and steal data from their phones, and was allegedly used against a journalist and two founders of a non-governmental organization that helps and rescues migrants in the Mediterranean.
In the case of the malware samples shared with TechCrunch, the spyware maker and its government customer used a more pedestrian technique: developing and distributing malicious Android applications that pretend to be popular applications such as WhatsApp, and customer support tools provided by mobile phone service providers.
Lookout security researchers concluded that the Android spyware shared with TechCrunch is called Spyrtacus, after finding the word within the code of an older malware sample, where it appears to refer to the malware itself.
Lookout told TechCrunch that Spyrtacus has all the hallmarks of government spyware. (Researchers from another cybersecurity company, which independently analyzed the spyware for TechCrunch but asked not to be named, reached the same conclusion.) Spyrtacus can steal text messages, as well as chats from Facebook Messenger, Signal and WhatsApp; exfiltrate contact information; record phone calls and ambient audio via the device's microphone, and images via the device's cameras; among other functions that serve surveillance purposes.
According to Lookout, the Spyrtacus samples provided to TechCrunch, as well as several other samples of the malware that the company had previously analyzed, were all created by SIO, an Italian company that sells spyware to the Italian government.
Given that the applications, as well as the websites used to distribute them, are in Italian, it is plausible that the spyware was used by Italian law enforcement agencies.
A spokesman for the Italian government, as well as the Ministry of Justice, did not respond to TechCrunch's request for comment.
At this stage, it is not clear who was targeted with the spyware, according to Lookout and the other security company.
Contact us
Do you have more information about SIO, or other spyware makers? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely by email. You can also contact TechCrunch via SecureDrop.
SIO did not respond to multiple requests for comment. TechCrunch also reached out to SIO's president and CEO Elio Cattaneo, and several senior executives, including Claudio Pezzano and CTO Alberto Fabbri, but TechCrunch did not hear back.
Kristina Balaam, a researcher at Lookout who analyzed the malware, said that the company had found 13 different samples of the Spyrtacus spyware in the wild, with the oldest sample dating back to 2019 and the latest sample dating back to October 17, 2024. The other samples, Balaam added, were found between 2020 and 2022. Some of the samples impersonated apps from Italian mobile service providers TIM, Vodafone and WINDTRE.
“Based on our current detection, no apps containing this malware are found on Google Play,” said Ed Fernandez, adding that Android has enabled protection against this malware since 2022. Google said the applications were used in a “highly targeted campaign.” When asked whether older versions of the Spyrtacus spyware were ever on Google's app store, Fernandez said this is all the information that the company has.
Kaspersky said in a 2024 report that the people behind Spyrtacus began distributing the spyware through applications on Google Play in 2018, but by 2019 they had switched to hosting the applications on malicious web pages made to look like some of the top internet providers in Italy. Kaspersky said that its researchers also found a Windows version of Spyrtacus, and found signs indicating the existence of versions of the malware for iOS and macOS as well.

Pizza, spaghetti, and spyware
Italy has for two decades hosted some of the world's early government spyware companies. SIO is the latest in a long list of spyware makers whose products security researchers have observed actively targeting people in the real world.
In 2003, the Italian hackers David Vincenzetti and Valeriano Bedeschi founded the startup Hacking Team, one of the first companies to realize that there was an international market for turnkey, easy-to-use spyware systems for law enforcement and government intelligence agencies around the world. Hacking Team went on to sell spyware to agencies in Italy, Mexico, Saudi Arabia, South Korea and others.
In the past decade, security researchers have found many other Italian companies that sell spyware, including Cy4Gate, eSurv, GR Sistemi, Negg, Raxir and RCS Lab.
Some of these companies had spyware products that were distributed in a similar way to the Spyrtacus spyware. Motherboard Italy found in a 2018 investigation that the Italian Ministry of Justice had a price list and a catalog explaining how the authorities can compel telecommunications companies to send malicious text messages to surveillance targets in order to trick a person into installing a malicious application under the guise of keeping their phone service active, for example.
In the case of Cy4Gate, Motherboard found in 2021 that the company made fake WhatsApp applications to trick targets into installing its spyware.
There are several elements that point to SIO as the company behind the spyware. Lookout found that some of the command-and-control servers used to control the malware were registered to a company called ASIGINT, which is a subsidiary of SIO, according to a publicly available SIO document from 2024, which says ASIGINT develops software and services related to computer cleaning.
The Lawful Interception Academy, an independent Italian organization that issues compliance certificates for spyware makers operating in the country, lists SIO as the certificate holder for a spyware product called SIOAGENT and lists ASIGINT as the owner of the product. In 2022, the surveillance and intelligence publication Intelligence Online reported that SIO had acquired ASIGINT.
Michele Fiorentino is the CEO of ASIGINT and is based in the Italian city of Caserta, outside Naples, according to his LinkedIn profile. Fiorentino says he worked on the “Spyrtacus project” while at another company called DataForense between February 2019 and February 2020, implying that the company was involved in developing the spyware.
Another server associated with the spyware is registered to DataForense, according to Lookout.
DataForense and Fiorentino did not respond to a request for comment sent via email and LinkedIn.
According to Lookout and the other, unnamed cybersecurity company, there is a string of source code in one of the Spyrtacus samples that indicates the developers are likely to be from the Naples region. The source code includes the phrase “Scetáteve guagliune 'e malavita”, a phrase in Neapolitan dialect that roughly translates to “wake up boys of the underworld”, which is part of the lyrics of the traditional Neapolitan song “Guapparia.”
This would not be the first time that Italian spyware makers have left traces of their origins in their spyware. In the case of eSurv, a now-defunct spyware maker from the southern region of Calabria that was publicly exposed, its developers left in the spyware code the word “mundizza”, the Calabrian word for garbage, as well as a reference to the name of the Calabrian soccer player Gennaro Gattuso.
While these are minor details, all signs point to SIO being behind this spyware. But questions remain about the campaign, including which government customer was behind the use of the Spyrtacus spyware, and against whom.