A new spyware operation has been uncovered involving fake Android applications used to secretly install surveillance malware on targeted devices, according to a report by Italian digital rights group Osservatorio Nessuno. The spyware, named Morpheus by researchers, is allegedly linked to a long-established surveillance technology company and highlights the growing global demand for government-grade monitoring tools.
The report, published on April 24, 2026, states that Morpheus disguises itself as a legitimate phone update application. Once installed, it is capable of extracting extensive data from an infected Android device, effectively turning it into a surveillance tool controlled by operators.
Researchers say the operation reflects a wider trend in which multiple spyware vendors operate in a largely opaque ecosystem, supplying tools to government agencies and law enforcement bodies with varying levels of oversight.
FCRF Academy Launches Premier Anti-Money Laundering Certification Program
Fake update trap used for infection
Unlike advanced “zero-click” spyware systems that exploit software vulnerabilities silently, Morpheus relies on a more basic infection technique. Targets are reportedly tricked into manually installing the malicious application after receiving deceptive instructions.
In the documented case, telecom infrastructure was allegedly used as part of the attack chain. The target’s mobile data was reportedly restricted by the provider, followed by an SMS message instructing them to install an app to restore connectivity. The app, however, contained spyware functionality.
Security researchers noted that this method is not new and has been seen in multiple surveillance campaigns, particularly involving so-called “lawful interception” operations.
Once installed, Morpheus abuses Android accessibility permissions, allowing it to read on-screen content, interact with apps, and extract sensitive information. It is also designed to display fake system prompts, including update screens, to maintain deception while operating in the background.
WhatsApp impersonation and biometric trick
The malware reportedly escalates its control by spoofing trusted applications, including WhatsApp. Victims are shown fake prompts requesting biometric authentication under the guise of identity verification.
In reality, this action reportedly allows the spyware to link a new device to the victim’s WhatsApp account, granting full access to communications. Similar tactics have previously been observed in spyware campaigns targeting messaging platforms in multiple countries.
Alleged link to surveillance company IPS
Researchers attribute the spyware to IPS, an Italian company that has operated in the surveillance technology sector for over three decades. According to the findings, infrastructure analysis revealed an IP address associated with “IPS Intelligence Public Security,” suggesting a technical connection to the operation.
The company is known for providing lawful interception tools to government clients, allowing real-time monitoring of communications through telecom networks. While IPS reportedly operates in more than 20 countries, it has not publicly confirmed involvement in spyware development, and did not respond to requests for comment.
Investigators also identified Italian-language code fragments within the malware, including references to cultural terms and slang. Such linguistic markers have been observed in previous spyware campaigns attributed to Italian surveillance vendors.
Pattern of Italian spyware ecosystem
The report places Morpheus within a broader ecosystem of Italian surveillance companies that have emerged in recent years, following the decline of earlier firms in the sector. Multiple vendors have been publicly linked to spyware development targeting mobile devices, often marketed under lawful interception frameworks.
Previous research has identified several companies operating in this space, including CY4GATE, eSurv, RCS Lab, and others, many of which have faced scrutiny over their tools being used in targeted surveillance operations.
Experts say the expansion of such vendors indicates a growing commercial market for surveillance technologies that operate in a legal grey zone, particularly when deployed through third-party contractors or government procurement channels.
Targeting political activity
Security researchers believe the Morpheus spyware campaign may have been used against individuals involved in political activism in Italy. However, specific victim identities have not been publicly disclosed.
A cybersecurity analyst reviewing the findings stated that the malware demonstrates how modern surveillance operations increasingly rely on social manipulation rather than purely technical exploitation.
Rising concerns over mobile surveillance
The discovery adds to growing concerns about the widespread availability of commercial spyware tools capable of compromising smartphones. Experts warn that the combination of fake applications, telecom manipulation, and accessibility abuse makes such attacks difficult for average users to detect.
The researchers emphasized that Android’s accessibility features, while designed to support users with disabilities, are increasingly being exploited as a powerful surveillance vector when misused by malicious software.
As investigations continue, cybersecurity experts caution that similar spyware campaigns may already be active in other regions, often remaining undetected until forensic analysis reveals their presence.
