Spyware Maker Distributes Malicious Android Apps - Years of Activity

Italian Spyware Firm SIO Linked to Malicious Android Apps
An Italian company specializing in surveillance technology, SIO, has been identified as the source of several malicious Android applications. These apps, sold to governmental entities, deceptively mimic legitimate applications like WhatsApp to illicitly gather private data from targeted devices, as exclusively reported by TechCrunch.
Discovery of the Spyware
Late in the previous year, a security analyst provided TechCrunch with three Android applications suspected of being government-grade spyware deployed within Italy against unidentified individuals. Subsequent analysis by both Google and Lookout, a mobile security firm, confirmed the applications’ spyware capabilities.
This finding underscores the expansive nature of the governmental spyware landscape. It highlights both the increasing number of companies involved in spyware development and the diverse methods employed to target individuals.
Context of the Italian Spying Scandal
Italy is currently navigating a public controversy concerning the alleged utilization of a sophisticated spying tool developed by Paragon, an Israeli spyware manufacturer. This tool reportedly possesses the ability to remotely access WhatsApp communications and extract data from mobile phones. Allegations suggest its use against a journalist and founders of an NGO dedicated to assisting and rescuing migrants in the Mediterranean Sea.
In contrast to the advanced techniques employed by Paragon, the malicious app samples examined by TechCrunch represent a more conventional hacking approach. The spyware maker and its associated government client developed and disseminated fraudulent Android applications. These apps masqueraded as popular applications, including WhatsApp, and customer support services offered by mobile network operators.
Identifying the Spyware: Spyrtacus
Security researchers at Lookout have designated the Android spyware as “Spyrtacus,” a name derived from an older malware sample’s code that seemingly references the malware itself.
Lookout’s assessment identifies Spyrtacus as possessing characteristics consistent with government-sponsored spyware. Independent analysis by researchers from another cybersecurity firm, who requested anonymity, corroborated these findings. Spyrtacus is capable of intercepting text messages, extracting chat logs from platforms like Facebook Messenger, Signal, and WhatsApp, and collecting contact information.
Furthermore, the spyware can record phone conversations and ambient sounds through the device’s microphone, as well as capture images using the device’s cameras, all functionalities geared towards comprehensive surveillance.
SIO's Involvement Confirmed
According to Lookout, the Spyrtacus samples provided to TechCrunch, alongside previously analyzed samples, were all created by SIO, an Italian company that provides spyware solutions to the Italian government.
The Italian language used within the applications and on the websites used for their distribution strongly suggests potential deployment by Italian law enforcement agencies.
Requests for comment directed to a spokesperson for the Italian government and the Ministry of Justice went unanswered.
Targeting Remains Unclear
Currently, the specific individuals targeted by the spyware remain unknown, according to both Lookout and the independent security firm.
Lack of Response from SIO
SIO did not respond to multiple attempts to solicit a statement. TechCrunch also contacted SIO’s president and CEO, Elio Cattaneo, along with several senior executives, including CFO Claudio Pezzano and CTO Alberto Fabbri, but received no response.
Timeline and Distribution of Spyrtacus
Kristina Balaam, a Lookout researcher, stated that the company has identified 13 distinct samples of the Spyrtacus spyware currently circulating. The oldest sample dates back to 2019, with the most recent discovered on October 17, 2024. Additional samples were found between 2020 and 2022.
Balaam further noted that some of these samples impersonated applications from prominent Italian mobile providers: TIM, Vodafone, and WINDTRE.
Google's Response and Mitigation
Google spokesperson Ed Fernandez confirmed that, “based on our current detection, no apps containing this malware are found on Google Play.” He added that Android has implemented protections against this malware since 2022. Google characterized the campaign as “highly targeted.”
When questioned about the potential presence of older Spyrtacus versions on the Google Play Store, Fernandez indicated that this represents the extent of the company’s available information.
Kaspersky's Findings
A 2024 report by Kaspersky revealed that the developers of Spyrtacus initially distributed the spyware through applications on Google Play in 2018. However, by 2019, they shifted to hosting the apps on malicious websites designed to resemble leading Italian internet service providers. Kaspersky’s researchers also uncovered a Windows variant of Spyrtacus and identified indications of potential malware versions for iOS and macOS.
Pizza, pasta, and surveillance software
For two decades, Italy has been a prominent location for companies specializing in the development of government spyware. SIO represents the newest addition to a considerable number of spyware developers whose products have been documented by security experts as actively targeting individuals globally.
The foundation of Hacking Team in 2003, established by Italian hackers David Vincenzetti and Valeriano Bedeschi, marked a pivotal moment. They were among the first to identify a global demand for readily deployable, user-friendly spyware systems intended for use by law enforcement and governmental intelligence organizations worldwide.
Hacking Team subsequently marketed its spyware to agencies in nations including Italy, Mexico, Saudi Arabia, and South Korea, among others.
Over the past ten years, numerous other Italian firms engaged in the sale of spyware have been identified, such as Cy4Gate, eSurv, GR Sistemi, Negg, Raxir, and RCS Lab.
Certain companies employed distribution methods for their spyware that mirrored those used with the Spyrtacus spyware. A 2018 investigation conducted by Motherboard Italy revealed that Italy’s justice ministry possessed a price list and catalog detailing how authorities could compel telecommunications providers to dispatch malicious text messages to targets.
The intent behind these messages was to deceive recipients into installing harmful applications, often disguised as necessary for maintaining phone service functionality.
In the instance of Cy4Gate, Motherboard discovered in 2021 that the company had created fraudulent WhatsApp applications to induce targets into installing its spyware.
Several indicators suggest SIO’s involvement with the spyware. Lookout’s findings indicate that command-and-control servers utilized for remote malware control were registered to ASIGINT, a subsidiary of SIO. This information is corroborated by a publicly accessible SIO document from 2024, which states that ASIGINT specializes in the development of software and services related to computer interception.
The Lawful Intercept Academy, an Italian organization providing compliance certifications to spyware vendors operating within the country, lists SIO as the certificate holder for SIOAGENT, with ASIGINT identified as the product’s owner. Intelligence Online reported in 2022 that SIO had acquired ASIGINT.
Michele Fiorentino, the CEO of ASIGINT, is located in Caserta, Italy, near Naples, as per his LinkedIn profile. Fiorentino indicates he contributed to the “Spyrtacus Project” while employed at DataForense between February 2019 and February 2020, suggesting the company’s participation in the spyware’s development.
Lookout also identified a command-and-control server linked to the spyware as being registered to DataForense.
Requests for comment sent via email and LinkedIn to DataForense and Fiorentino went unanswered.
Both Lookout and an additional, unnamed cybersecurity firm have identified a code string within one of the Spyrtacus samples that suggests the developers may originate from the Naples area. The code includes the phrase “Scetáteve guagliune ‘e malavita,” a Neapolitan dialect expression translating to “wake up boys of the underworld,” taken from the lyrics of the traditional Neapolitan song “Guapparia.”
This is not the first instance of Italian spyware developers embedding traces of their origins within their software. In the case of eSurv, a now-defunct spyware developer from Calabria exposed for infecting the phones of innocent individuals in 2019, developers included the word “mundizza,” the Calabrian term for garbage, and a reference to the Calabrian footballer Gennaro Gattuso in the spyware code.
While these are relatively minor details, the evidence strongly indicates SIO’s responsibility for this spyware. However, crucial questions remain regarding the campaign, including the identity of the government client behind the deployment of the Spyrtacus spyware and the specific targets of the surveillance.