Android Spyware Campaign ‘Morpheus’ Uses Fake Updates and Telecom Interference to Hijack WhatsApp Accounts

A newly uncovered spyware operation is drawing attention for its unusually coordinated blend of telecom interference and social engineering, enabling attackers to compromise Android devices through what appears to be a legitimate system update process. The malware, identified by researchers as Morpheus, has been linked to a broader ecosystem of commercial surveillance tools and is raising renewed concerns about the overlap between state-aligned intelligence work and private spyware vendors.

The operation was detailed in a report published on April 24 by the Italian digital rights group Osservatorio Nessuno and first reported by TechCrunch. Researchers describe Morpheus as a “low-cost” spyware platform that does not rely on sophisticated zero-click vulnerabilities. Instead, it depends on carefully orchestrated user manipulation—augmented, critically, by interference from mobile network providers.

Coordinated infection chain involving telecom disruption

Unlike high-end surveillance tools such as NSO Group’s Pegasus, Morpheus requires victims to actively install a malicious Android application. However, the process is engineered to appear necessary and urgent.

According to the findings, the attack begins when a target’s mobile data service is intentionally disabled, allegedly in coordination with telecom operators and authorities. This disruption leaves the device unable to access normal online services. Shortly afterward, the user receives an SMS message instructing them to install an application in order to restore connectivity or complete a required phone update.

The app is, in reality, the spyware payload.

Once installed, Morpheus exploits Android’s accessibility permissions—features designed to assist users with disabilities but often abused by malware—to monitor screen content and interact with other applications. The software then presents a counterfeit system update interface, followed by prompts to reboot the device, reinforcing the illusion of a legitimate system process.

WhatsApp takeover through biometric deception

After reboot, the spyware escalates its control by impersonating the interface of WhatsApp. Victims are prompted to complete what appears to be a routine biometric verification step. In reality, this interaction authorizes the addition of a new linked device to the user’s WhatsApp account.

That single action effectively grants the spyware full access to private messages, contacts, and ongoing conversations, enabling persistent surveillance without further user awareness.

Researchers also noted that the malware contains Italian-language code fragments and culturally specific references, suggesting development origins or operational ties consistent with other surveillance tools previously attributed to Italian cyber intelligence contractors.

Links to Italian surveillance industry under scrutiny

The spyware has been associated in research findings with IPS, an Italian firm with decades of experience in lawful interception technologies marketed to law enforcement and intelligence agencies across more than 20 countries.

IPS has not publicly responded to the specific allegations. However, the company operates within a broader and increasingly scrutinized Italian surveillance sector that includes firms such as CY4GATE, eSurv, RCS Lab, and SIO. Several of these companies have previously faced exposure over spyware deployments targeting individuals across political and civil society groups.

In a separate development earlier in April 2026, WhatsApp reportedly notified around 200 users that they had been targeted with spyware linked to SIO, underscoring the scale and persistence of such operations.

Targeting concerns and operational implications

While specific victims of Morpheus have not been publicly identified, researchers believe the spyware has been deployed against political activists and individuals of strategic interest. The combination of telecom-level interference and deceptive installation tactics marks a notable escalation in commercial spyware tradecraft, blurring the boundary between traditional cyber intrusion and coordinated infrastructure manipulation.

Risks for Android users

Security analysts emphasize that Morpheus does not spread through official app marketplaces such as the Google Play Store and cannot install itself without user action. The infection relies entirely on victims installing an external Android application package (APK), often under perceived urgency.

Users are advised to treat unsolicited SMS messages—particularly those instructing them to install software after sudden loss of mobile service—as potential indicators of compromise. Experts also warn against granting accessibility permissions to unverified applications, noting that such access can provide near-complete control over a device.
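One way to act on this advice when triaging a handset, as an added example that is not taken from the researchers' report or this article: list the accessibility services that are currently enabled and flag any whose app was not installed from the Play Store. The `com.example.*` package names and the sample command output are constructed, and treating Google Play as the only trusted installer is an assumption.

```python
import re

# Assumption: only Google Play counts as a trusted installer; adjust per fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample output of three adb commands (not from a real device):
#   adb shell settings get secure enabled_accessibility_services
SETTINGS_OUT = ("com.google.android.marvin.talkback/.TalkBackService:"
                "com.example.passwords/.FillService:"
                "com.example.netupdate/.UpdateService\n")
#   adb shell pm list packages -i   (package -> installer)
PM_INSTALLERS_OUT = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.passwords  installer=com.android.vending
package:com.example.netupdate  installer=null
"""
#   adb shell pm list packages -s   (preinstalled system packages)
PM_SYSTEM_OUT = "package:com.google.android.marvin.talkback\n"

def parse_enabled_services(settings_out):
    """Return [(package, service_class)] from the colon-separated setting."""
    value = settings_out.strip()
    if not value or value == "null":      # no accessibility service enabled
        return []
    return [tuple(c.split("/", 1)) for c in value.split(":") if "/" in c]

def parse_installers(pm_out):
    """Map package name to the installer recorded by the package manager."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_out, re.M))

def parse_packages(pm_out):
    return set(re.findall(r"^package:(\S+)", pm_out, re.M))

def flag_sideloaded_accessibility(settings_out, installers_out, system_out):
    """List enabled accessibility services whose app was not store-installed."""
    installers = parse_installers(installers_out)
    system = parse_packages(system_out)
    findings = []
    for package, service in parse_enabled_services(settings_out):
        if package in system:             # preinstalled, e.g. TalkBack
            continue
        installer = installers.get(package, "unknown")
        if installer not in TRUSTED_INSTALLERS:
            findings.append((package, service, installer))
    return findings

if __name__ == "__main__":
    args = (SETTINGS_OUT, PM_INSTALLERS_OUT, PM_SYSTEM_OUT)
    for hit in flag_sideloaded_accessibility(*args):
        print("review: %s/%s installed by %s" % hit)
```

The installer recorded for a sideloaded APK varies with Android version and install path, which is why the check allow-lists the store instead of matching a single value such as `null`.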

The emergence of Morpheus comes amid a broader wave of mobile-targeted espionage activity, including recent reports of attackers impersonating IT support staff on enterprise communication platforms such as Microsoft Teams to deploy custom malware inside corporate networks.