 |
| Morpheus Android spyware uses fake update apps and telecom provider cooperation to hijack WhatsApp accounts. |
Imagine your phone suddenly losing its data connection. Frustrated, you receive a text message from what looks like your carrier: “Install this update to restore your service.” You tap the link, install the app, and just like that—you’ve installed spyware. But here’s the terrifying part: your mobile network operator deliberately cut you off to make you do it.
A newly exposed surveillance operation is using exactly this trick. Researchers have discovered a low-cost but highly invasive spyware named Morpheus, which requires active cooperation from the victim’s own telecom provider to work. The findings were published in a report on April 24 by the Italian digital rights organization Osservatorio Nessuno, a non-profit dedicated to defending privacy and online freedoms, and first reported by TechCrunch.
How the Infection Actually Works
Morpheus isn’t in the same league as NSO Group’s Pegasus or Paragon Solutions—it doesn’t need zero-click exploits or invisible hacking. Instead, it relies on a brazen form of social engineering that pulls the strings from the top down.
Here is the step-by-step breakdown of the attack:
- The Shutdown: A law enforcement agency or government client asks a telecom provider (with whom they have a formal agreement) to block the target’s mobile data.
- The Bait: With their data dead, the target receives an SMS instructing them to install an app to “restore connectivity” and “update their phone.”
- The Install: The victim, wanting their internet back, manually installs the APK from outside the Google Play Store. That file is Morpheus.
- The Takeover: Once installed, Morpheus abuses Android’s accessibility permissions—the same feature designed to help people with disabilities—to read everything on the screen and interact with other apps.
After rebooting (the spyware fakes a system update screen to make this feel normal), Morpheus pulls its most clever move. It spoofs the WhatsApp login interface and asks for biometric verification, claiming a routine account check is needed. When the victim taps their fingerprint or face ID, they unknowingly authorize the spyware to add a new device to their WhatsApp account. Suddenly, the attacker has full, live access to all messages and contacts.
Researchers also noted Italian-language code fragments and cultural references inside the malware, matching patterns seen in other Italian spyware campaigns.
Who Is Behind Morpheus?
According to Osservatorio Nessuno, the spyware is linked to IPS, an Italian company with over 30 years of experience providing lawful interception technology to police and intelligence agencies. IPS operates in more than 20 countries and lists several Italian police forces among its clients.
While specific targets weren’t disclosed, researchers believe Morpheus was used to monitor political activists. This discovery adds IPS to a growing rogue’s gallery of Italian surveillance vendors exposed in recent years, including CY4GATE, eSurv, RCS Lab, and SIO. The trend is alarming: just this month (April 2026), WhatsApp notified 200 users that they had installed a fake version of the app containing spyware linked to SIO.
For a deeper dive into the technical findings and the organization behind this research, visit Osservatorio Nessuno’s official site. You can also read the full breaking coverage on TechCrunch’s report.
What Android Users Need to Know Right Now
The good news is that Morpheus cannot spread through the Google Play Store, nor can it install itself silently. The attack fails if you refuse to install unknown apps.
Here are three concrete steps to protect yourself:
- Treat unexpected “carrier updates” with deep suspicion. If you lose mobile data and instantly get a text asking you to install an APK, do not do it.
- Never grant Accessibility permissions to an app that arrived via a text message link. These permissions are extremely powerful and effectively hand over control of your device.
- Use official channels. If you suspect a real network issue, contact your carrier directly via their official customer support number or visit a physical store.
In related security news, a separate threat group was recently caught impersonating IT helpdesk staff on Microsoft Teams to deploy custom malware on enterprise networks. The methods change, but the rule remains the same: if someone pressures you to install something, slow down and verify first.
In brief:
- Spyware name: Morpheus
- Method: Carrier shuts off data, sends SMS with fake update link
- Targets: Android users, primarily political activists in Italy
- Attribution: IPS (Italian lawful interception company)
- Defense: Never install APKs from SMS links; avoid granting Accessibility access.