Spyware maker caught distributing malicious Android apps for years
Italian spyware maker SIO, known for selling its products to government customers, is behind a set of malicious Android apps that pose as WhatsApp and other popular apps but steal private data from targeted devices, TechCrunch has learned exclusively.
Late last year, security researchers shared three Android apps with TechCrunch, claiming they were likely government spyware used against unknown victims in Italy. TechCrunch asked Google and the mobile security company Lookout to analyze the apps, and both confirmed that they were spyware.
This discovery shows how broad the world of government spyware is, both in the number of companies developing spyware and in the range of techniques used to target individuals.
In recent weeks, Italy has been caught up in an ongoing scandal involving allegations that a sophisticated spy tool made by the Israeli spyware maker Paragon was used in the country. The spyware is said to have been used to remotely target WhatsApp users and steal data from their mobile phones, and to have been used against journalists and two founders of an NGO that helps and rescues migrants in the Mediterranean.
In the case of the malicious apps shared with TechCrunch, the spyware maker and its government customers used a more pedestrian hacking technique: developing and distributing malicious Android apps that pretend to be popular apps such as WhatsApp, as well as customer support tools provided by mobile phone carriers.
Security researchers at Lookout concluded that the Android spyware shared with TechCrunch is called Spyrtacus, after finding that word in the code of an older malware sample, where it appears to refer to the malware itself.
Lookout told TechCrunch that Spyrtacus has all the hallmarks of government spyware. (A researcher at another cybersecurity company, who independently analyzed the spyware for TechCrunch but asked not to be named, reached the same conclusion.) Spyrtacus can steal text messages as well as chats from Facebook Messenger, Signal, and WhatsApp; exfiltrate contact information; record phone calls and ambient audio through the device’s microphone; and capture images through the device’s camera, among other features useful for surveillance.
According to Lookout, the Spyrtacus samples provided to TechCrunch, as well as several other malware samples the company had previously analyzed, were all made by SIO, an Italian company that sells spyware to the Italian government.
Given that the apps, and the websites used to distribute them, are in Italian, it is plausible that the spyware was used by Italian law enforcement.
A spokesperson for the Italian government and the Ministry of Justice did not respond to TechCrunch’s request for comment.
At this point, it is unclear who was targeted with the spyware, according to Lookout and the other security companies.
Contact us
Do you have more information about SIO or other spyware makers? From a non-work device and network, you can securely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382, via Telegram and Keybase at @lorenzofb, or by email. You can also contact TechCrunch via SecureDrop.
SIO did not respond to multiple requests for comment. TechCrunch also contacted SIO’s president and CEO, Elio Cattaneo, and several senior executives, including CFO Claudio Pezzano and CTO Alberto Fabbri; none of them responded.
Kristina Balaam, a Lookout researcher who analyzed the malware, said the company found 13 different samples of the Spyrtacus spyware in the wild, with the oldest sample dating back to 2019 and the latest dated October 17, 2024. Other samples, Balaam added, were found between 2020 and 2022. Some of the samples are apps that impersonate apps made by the Italian mobile phone carriers TIM, Vodafone, and Wind Tre, Balaam said.
“According to current detections, no apps containing this malware are found on Google Play,” said Google spokesperson Ed Fernandez, adding that Android has protected against this malware since 2022. Asked whether older versions of the Spyrtacus spyware had been available on Google’s app store, Fernandez said this was all the information the company had.
In a 2024 report, Kaspersky said the people behind Spyrtacus began distributing the spyware through Google Play in 2018, but by 2019 had switched to hosting the app on malicious web pages made to look like those of Italy’s top internet providers. According to Kaspersky, its researchers also found a Windows version of the Spyrtacus malware, as well as signs pointing to the existence of iOS and macOS versions.

Pizza, Spaghetti, Spyware
For 20 years, Italy has been home to some of the world’s earliest government spyware companies. SIO is the latest on a long list of spyware makers whose products security researchers have observed actively targeting people in the real world.
In 2003, two Italian hackers, David Vincenzetti and Valeriano Bedeschi, founded the startup Hacking Team, one of the first companies to recognize that there was an international market for turnkey, easy-to-use spyware systems for law enforcement and government intelligence agencies around the world. Hacking Team sold spyware to agencies in Italy, Mexico, Saudi Arabia, and South Korea, among others.
Over the past decade, security researchers have discovered several other Italian companies that sold spyware, including Cy4Gate, eSurv, GR Sistemi, Negg, Raxir, and RCS Lab.
Some of these companies’ spyware products were distributed in a way similar to the Spyrtacus spyware. In a 2018 investigation, Motherboard Italy found a catalogue from the Italian Ministry of Justice showing how the authorities can compel telecom companies to send malicious text messages to surveillance targets.
In the case of Cy4Gate, Motherboard found in 2021 that the company had created a fake WhatsApp app to trick targets into installing spyware.
Several elements point to SIO as the company behind the spyware. Lookout found that some of the command-and-control servers used to remotely control the malware were registered to a company called ASIGINT, a subsidiary of SIO which, according to publicly available SIO documentation, has been developing software and services related to computer wiretapping since 2024.
The Lawful Intercept Academy, an independent Italian organization that issues compliance certifications for spyware makers operating in the country, lists SIO as the certificate holder for a spyware product called SIOAGENT, and lists ASIGINT as the product’s owner. In 2022, the surveillance and intelligence trade publication Intelligence Online reported that SIO had acquired ASIGINT.
Michele Fiorentino is the CEO of ASIGINT and is based in Caserta, an Italian city outside Naples, according to his LinkedIn profile. On that profile, Fiorentino says he worked on the “Spyrtacus Project” with another company called DataForense from February 2019 to February 2020, implying that the company was involved in developing the spyware.
According to Lookout, another command-and-control server associated with the spyware is registered to DataForense.
DataForense and Fiorentino did not respond to requests for comment sent by email and on LinkedIn.
According to Lookout and the other, unnamed cybersecurity company, one of the Spyrtacus samples contains strings in its source code that point to potential developers from the Naples region. The source code contains the phrase “Scetáteve Guagliune ’e Malavita,” a phrase in Neapolitan dialect that roughly translates to “Wake up, guys of the underworld.” It is part of the lyrics of the traditional Neapolitan song “Guapparia.”
This is not the first time an Italian spyware maker has left traces of its origins in its spyware. In the case of eSurv, a now-defunct spyware maker from Calabria in southern Italy whose spyware was exposed in 2019 after it infected the mobile phones of innocent people, the developers referenced the word “mundizza,” the Calabrian word for rubbish, and the name of the Calabrian footballer Gennaro Gattuso in their spyware code.
These are small details, but all of the signs point to SIO being behind this spyware. However, no one has been able to answer questions about the campaign, including which government customers were behind the use of the Spyrtacus spyware.