The spy software manufacturer surprised the distribution of malicious Android applications for years

The spy software manufacturer surprised the distribution of malicious Android applications for years

Italian Spyware Maker Sio, known for selling its products government customersis at the origin of a series of malicious Androids applications which emerge as WhatsApp and other popular applications but steal private data from the device of a target, Techcrunch has learned exclusively.

At the end of last year, a security researcher shared three Android applications with Techcrunch, saying that they were probably government’s spy software used in Italy against unknown victims. Techcrunch asked Google and the mobile security company to analyze applications, and both confirmed that applications were spy software.

This discovery shows that the world of Government spyware is wide, both in the sense of the number of companies developing spy software, as well as the different techniques used to target individuals.

In recent weeks, Italy has been implied in a scandal in progress Implying the alleged use of a sophisticated espionage tool made by the Israeli spy software manufacturer Paragon. Spy software is able to target remotely Whatsapp users and steal data from their phones, and would have been used against a journalist And two founders From an NGO that helps and saves immigrants in the Mediterranean.

In the case of samples of malware shared with Techcrunch, the spy software manufacturer and its government client have used a pedestrian hacking technique: developing and distributing malicious Android applications that claim to be popular applications like WhatsApp and tools Customer support provided by mobile phone providers.

Lookout safety researchers concluded that the Android spy software shared with Techcrunch is called Spyrtacus, after finding the word in the code of an old malware sample that seems to refer to malware itself.

Lookout told Techcrunch that Spyrtacus had all the characteristics of government spy software. (Researchers from another cybersecurity company, who independently analyzed Techcrunch’s spy software but asked not to be appointed, have reached the same conclusion.) Spyrtacus can steal text messages, as well as Facebook cats Messenger, signal and WhatsApp; Information on exfiltrate contacts; Save phone calls and ambient audio via the device microphone and imaging via the camera cameras; Among other functions which serve surveillance objectives.

According to Lookout, Spyrtacus samples provided in Techcrunch, as well as several other malware samples that the company had previously analyzed, were all manufactured by SIO, An Italian company that sells spy software to the Italian government.

Since applications, as well as websites used to distribute them, are in Italian, it is plausible that spy software has been used by Italian law enforcement agencies.

A spokesperson for the Italian government, as well as the Ministry of Justice, did not respond to the request for comments from Techcrunch.

At this point, it is not clear that has been targeted with spy software, according to Lookout and the other security company.

Contact us

Do you have more information on SIO or other spy software manufacturers? From a device and a non-work network, you can contact Lorenzo Franceschi-Bicchiera safely on the signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or e-mail. You can also contact Techcrunch via Secure.

SIO did not respond to several requests for comments. Techcrunch also contacted the president and chief executive officer of SIO, Elio Cattaneo; And several senior executives, including its financial director Claudio Pezzano and the CTO Alberto Fabbri, but Techcrunch did not hear.

Kristina Balaam, researcher of Lookout who analyzed the malware, said that the company had found 13 different samples of the Spyrtacus spy software in the wild, with the oldest sample of malicious software dating from 2019 and the last sample dating from 17 October 2024. Other samples, added Balaam, were found between 2020 and 2022. Some of the samples approve imital applications manufactured by Italian mobile suppliers Tim, Vodafone and Windtre, said Balaam.

Google’s spokesperson Ed Fernandez said that “on the basis of our current detection, no application containing this malicious software is on Google Play”, adding that Android has allowed protection for this malware since 2022. Google said applications were used in a “highly targeted campaign targeted since 2022. Google. . “When they were asked if older versions of Spyrtacus spy software was on the Google App Store, Fernandez said it was all the information from the company.

Kaspersky said in A 2024 report That people behind Spyrtacus began to distribute spy software via applications in Google Play in 2018, but in 2019, it went to hosting applications on malicious web pages designed to resemble some of the best Internet suppliers Italy. Kaspersky said his researchers also found a Windows version of the Spyrtacus malware and have found signs that also indicate the existence of malware and macOS software versions.

A screenshot of a fake website designed to distribute a malicious version of WhatsApp for Android, which contains the Spyrtacus Spymetric Software.
A screenshot of a fake website designed to distribute a malicious version of WhatsApp for Android, which contains the Spyrtacus Spymetric Software.Image credits:Techcrunch

Pizza, spaghetti and spy software

Italy has had some of the first spy software companies in the world government has for two decades. SIO is the last of a long list of spy software manufacturers whose products have been observed by safety researchers as actively targeting people in the real world.

In 2003, the two Italian pirates David Vincenzetti and Valeriano Bedeschi founded the Piracy of Startup, one of the first companies to recognize that there was an international market for key spymmetrical software systems in the world . The hacking team then sold its spy software to agencies in Italy, Mexico, Saudi Arabia and South Korea, among others.

Over the past decade, security researchers have found several other Italian companies selling spy software, especially Cy4gate,, esurv,, GRA systems,, department,, RagorAnd RCS laboratory.

Some of these companies had Spyware products that were distributed in the same way as Spyrtacus spy software. Italy of the motherboard found In a 2018 survey that the Italian Ministry of Justice had a price list and a catalog showing how the authorities can force telecommunications companies to send malicious text messages to the surveillance objectives in order to encourage the person to install a malicious application under the cover keep your telephone service active, for example.

In the case of cy4gate, Motherboard found in 2021 that the company has created false WhatsApp applications to encourage targets to install its spy software.

There are several elements that indicate SIO as a company behind spy software. Lookout found that some of the Command and control servers Used to remotely control malware has been recorded with a company called Asigint, a subsidiary of SIO, according to a SIO document From 2024, which says that ASIGINT develops software and services related to computer electronic listening.

The Lorgul Intercept Academy, an independent Italian organization that issues compliance certifications for spy software manufacturers operating in the country, lists SIO as a certificate holder For a Spyware product called sioagent and asigrant lists as product owner. In 2022, the publication of surveillance and intelligence of online intelligence intelligence reported that Sio had acquired asigrant.

Michele Fiorentino is the CEO of Asigint and is based in the Italian city of Caseta, outside Naples, according to his Linkedin profile. Fiorentino says he worked on “Spyrtacus Project” while he was in another company entitled Dataforsense between February 2019 and February 2020, which implies that the company was involved in the development of spy software.

Another ordering and control server associated with spy software is recorded on Dataforense, according to Lookout.

Dataforense and Fiorentino did not respond to a request for comments sent by e-mail and LinkedIn.

According to Lookout and the other nameless cybersecurity company, there is a series of source code in one of the Stepmaes of Spyrtacus which point to the potentially developers of the Naples region. The source code includes the words “scetáteve guagliune” e malavita “, a sentence in a Neapolitan dialect which results in roughly” awakening the boys of hell “, which is part of the words of the traditional Neapolitan song “Guapparia.”

It would not be the first time that Italian espion software manufacturers have led their origins in their spy software. In the case of ESurv, A spy software manufacturer now disappeared from the southern Calabria region Exhibited for having infected innocent phones in 2019, its developers left in the Espish software code the words “Mundizza”, the word Calabrian for garbage, as well as to refer to the name of the footballer Calabrian, Gennaro Gattuso.

Although it is minor details, all signs indicate that SIO is behind this spy software. But questions remain to be answered about the campaign, in particular which government customer was behind the Spyrtacus spy software and against whom.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending now

Chatgpt: everything you need to know about the chatbot propelled by AI
WhatsApp could soon allow users to directly pay invoices; Operation tested in this country
Trump wants a tiktok agreement, but China could always let it die
Ice will handle Google search results for “mass deportations”