- Spyware maker SIO suspected of being behind ‘Spyrtacus’, a not-so new spyware
- It was previously found on Google Play but now largely on phishing websites
- A convincing paper trail links Spyrtacus back to SIO and a subsidiary
At least three Android apps have been identified as being spyware, and researchers believe that developer SIO, which sells its products to the Italian government, is responsible.
In late 2024, an anonymous security researcher raised its concerns about the apps with TechCrunch, who then forwarded the concerns to Google and cybersecurity firm Lookout; which both confirmed the apps in question, which purported to be popular apps like WhatsApp, and support services for phone carriers, were spyware.
Lookout identified the spyware as ‘Spyrtacus’, with reference to the malware itself being found in the code. Both it and a second cybersecurity firm that asked not to be named found that Spyrtacus could steal texts, chats, calls, and contacts, as well as record ambient audio and imagery directly from a device’s microphones and cameras.
SIO’s Spyrtacus spyware
Connecting SIO to Spyrtacus is a convoluted paper trail, but it can be done. Per the researchers TechCrunch spoke with, a number of command-and-control (C2) servers were linked to former startup ASIGINT, now a known subsidiary of SIO that’s directly involved in producing “computer wiretapping” software (PDF, originally in Italian). Italy’s Lawful Intercept Academy, which issues compliance certifications to spyware developers, lists SIO as the cert holder for a product, SIOAGENT, that ASIGINT owns.
Finally, ASIGINT CEO Michele Fiorentino confirmed on LinkedIn he worked on ‘Spyrtacus Project’ at another company linked to SIO’s C2 servers, DataForense.
Kristina Balaam, a researcher at Lookout, found 13 samples of Spyrtacus in total that dated from 2019 through to October 2024. However, Ed Fernandez, a Google spokesperson, was confident that “no apps containing this malware [can currently be] found on Google play”, and confirmed that its app store has had protection against Spyrtacus in place since 2022.
This may not have done much to slow the operation down; Kaspersky, an antivirus software company with its own fair share of controversy over privacy concerns, found in a 2024 report that Spyrtacus distribution had largely switched tack from Google Play to fake but convincing imitations of Italian internet service provider (ISP) websites.
The Italian government already has harrowing form for enabling spyware manufacturers; back in February 2025, Israeli spyware developer Paragon Solutions cancelled its own contract with Italy’s government after being caught violating the ‘ethical framework’ set out in it by encroaching on the privacy of seven Italian citizens and several others across Europe.
It gets murkier when Italian telephone operators have been found actively practicing surveillance (originally in Italian) and being paid by the Italian justice ministry for their services, and that’s saying nothing of the prior two decades during which spyware companies like Hacking Team, Cy4Gate, RCS Lab and Raxir have called Italy home.
Leave a comment