Spyrtacus Italian Government spyware can steal text messages, as well as chats from Facebook Messenger, Signal, and WhatsApp

Italian spyware developer SIO has been linked to a series of malicious Android applications designed to steal private data from users, including text messages and chats from popular messaging platforms like WhatsApp, Signal, and Facebook Messenger. This revelation, reported by TechCrunch, comes amid ongoing concerns over the use of sophisticated government spyware in Italy.

Last year, a security researcher alerted TechCrunch to three suspicious Android apps that were suspected to be government spyware targeting unidentified individuals. Following analysis by Google and mobile security firm Lookout, it was confirmed that these apps contained spyware.

The spyware, identified as Spyrtacus, uses tactics such as impersonating popular applications and customer support tools from major mobile providers. Lookout’s analysis revealed that Spyrtacus possesses capabilities characteristic of government spyware, including the ability to steal messages, exfiltrate contacts, record phone calls, capture ambient audio, and take images through the device’s cameras, as well as chats from Facebook Messenger, Signal, and WhatsApp.

The spyware’s origins trace back to SIO, an Italian company that supplies spyware to the Italian government. With the apps and distribution websites primarily in Italian, it is likely that Italian law enforcement agencies have employed this spyware.

Lookout’s researcher, Kristina Balaam, discovered 13 different samples of Spyrtacus in the wild, with the oldest sample dating back to 2019. Some of these samples impersonated apps from Italian telecom providers TIM, Vodafone, and WINDTRE. Google stated that no apps containing this malware are available on the Google Play store, emphasizing that Android has had protections against it since 2022.

Additionally, Kaspersky reported that the distribution of Spyrtacus began on Google Play in 2018 but transitioned to malicious websites in 2019. There are also indications of versions for Windows, iOS, and macOS. The exact targets of this spyware remain unclear.