WhatsApp warns 200 users who installed fake software developed by Italian spyware maker SIO



WhatsApp has notified around 200 users, primarily in Italy, that they were tricked into installing a fake version of the messaging app. The fake software was developed by SIO, an Italian surveillance technology company that develops spyware for law enforcement and intelligence agencies through its subsidiary ASIGINT. WhatsApp said it is proactively identifying affected users, removing them from their accounts, warning them of privacy risks and urging them to uninstall the fake client and install the official app from a trusted source. The company told TechCrunch that it also plans to send a formal legal request to SIO to stop any malicious activity related to the campaign.

The statement, first reported by Italian newspaper La Repubblica and news agency ANSA, is the second time in less than a year that WhatsApp has publicly named a spyware vendor operating against its users in Italy. In early 2025, WhatsApp warned about 90 users, including journalists and pro-immigration activists, that they had been targeted by the US-Israeli surveillance company Paragon Solutions. This statement caused a political crisis in Rome. The Italian parliament’s intelligence oversight committee, COPASIR, confirmed the use of Graphite and identified seven Italians as targets. Paragon cut ties with Italy’s spy agencies after the government refused to verify whether the spyware was used against a specific journalist, Francesco Cancellato of the news website Fanpage.

SIO’s spyware works through a different model. The malware, identified in its code as Spyrtacus, is embedded in fake programs designed to look like legitimate software. The researchers found 13 different Spyrtacus specimens dating back to 2019, with the most recent dating back to late 2024. Previous versions mimicked the Android apps of Italian mobile providers TIM, Vodafone and WINDTRE, as well as earlier fake versions of WhatsApp itself. TechCrunch first exposed SIO’s Android distribution campaign in February 2025. The latest operation targeting iPhones represents an expansion of the tactic across Apple’s ecosystem. Once installed, Spyrtacus can steal text messages, chat histories, and call logs, as well as record audio and video directly from the device’s microphone and camera.

The delivery mechanism is as obvious as the malware itself. In Italy, authorities routinely get the cooperation of mobile operators who send phishing links to their customers on behalf of law enforcement. The target receives what appears to be a regular update notification from their provider, directing them to install what looks like a standard WhatsApp update. Italy’s Justice Ministry has maintained a price list and catalog showing how authorities can compel telecom companies to send such messages, a system that turns the mobile network itself into a distribution channel for state surveillance tools. The rental price of spyware in Italy is extremely low: since the end of 2022, law enforcement agencies have been able to acquire these tools for up to 150 euros per day, without the huge initial purchase costs that usually limit deployment in other countries.

Italy’s position as a center for spyware is unusual among Western democracies. Companies including Hacking Team, Cy4Gate, RCS Lab, and Raxir all operate in a country whose legal framework effectively provides a formal legal basis for the “captatore informatico,” or computer interceptor: state-sanctioned trojan software. Fabio Pietrosanti, president of Hermes Center for Transparency and Digital Human Rights, said this. Spyware is deployed more frequently in Italy than anywhere else in Europe because the low cost and permissive regulation make it available to a wider range of law enforcement agencies than in neighboring countries. The result is an ecosystem where not only national intelligence agencies but also municipal police forces can conduct surveillance operations against individuals.

WhatsApp spokeswoman Margarita Franklin told TechCrunch that the company could not yet confirm whether journalists or members of civil society were among the 200 affected users. “Our priority is to protect users who have been tricked into downloading this fake iOS app,” she said. The company did not specify whether it has submitted the matter to the Italian prosecutor’s office or any regulatory body. Apple and SIO did not respond to requests for comment.

The legal landscape surrounding commercial spyware has changed significantly over the past year. In May 2025, a California jury ordered NSO Group, the Israeli maker of Pegasus, which hacked nearly 1,400 users through zero-click attacks, to pay $167 million in damages to WhatsApp. A federal judge later reduced the award to $4 million, but barred NSO from targeting WhatsApp’s infrastructure. NSO appealed. WhatsApp’s parent company Meta described the ruling as a landmark case and has since expanded its legal strategy against the wider surveillance industry. The formal legal request that WhatsApp intends to send to SIO follows the same pattern: use lawsuits and public disclosures as a deterrent against companies that profit from breaching encrypted messaging platforms.

The proliferation of spyware vendors creates a problem that goes far beyond any one platform. Since 2021, Apple has been sending threat notifications about mercenary spyware to users in more than 150 countries, alerting those it believes have been individually targeted by state-sponsored attacks. In April 2025, Apple notified Italian journalist Ciro Pellegrino, one of Paragon’s victims, that he had been targeted. Notification systems run by Apple and WhatsApp are now the primary mechanism for victims of government surveillance to learn they have been compromised. specialist researchers in the cyber security industry.

The global lawful interception market was estimated to be worth $4 billion in 2023 and is projected to grow nearly 16 percent annually to reach $15 billion by 2032. This growth is being driven by the type of low-cost, phishing-based tools that SIO sells, not the Pegasus-style zero-click exploits that grab headlines. The barrier to entry for government surveillance has fallen to the point where a local police department in a medium-sized Italian city can deploy the same class of spyware once reserved for national intelligence agencies. The gap between regulatory ambitions and enforcement capacity in Europe means that the legal frameworks governing these instruments are not keeping up with the speed of their adoption.

It is the method that distinguishes the SIO case from the Paragon scandal. Paragon’s Graphite used zero-click exploits that required no action from the target. SIO’s Spyrtacus requires the target to install fake software, a social engineering approach based on trust in the carrier and familiarity with daily software updates. The involvement of Italian telecoms in the delivery chain by sending phishing messages to their subscribers at the request of the state makes the mobile infrastructure itself a surveillance tool. It’s one thing for the government to hack the phone. It’s another thing for the phone company to help.

WhatsApp’s decision to publicly name SIO and inform affected users follows a broader pattern of tech platforms asserting themselves as counterweights to state control in ways that were unimaginable ten years ago. The company doesn’t just fix the vulnerability. It identifies the seller, alerts victims and threatens legal action, positioning the Meta-owned messaging app as a more effective check on government spyware abuse than any European regulator has been to date. Whether this dynamic is reassuring or alarming depends on your view of where the responsibility to protect citizens from their own government ultimately rests.

For the 200 users in Italy who received WhatsApp’s notification, the immediate question is narrower: who authorized the surveillance, and on what legal basis? The answer can never be public. Italy’s lawful interception framework allows for the use of these tools under judicial supervision, but oversight mechanisms have repeatedly proven inadequate to prevent abuse. The Paragon scandal showed that intelligence agencies can target journalists and activists under the guise of legitimate authority. The SIO case shows that the problem runs deeper, extending to a distribution model that exploits lesser-known vendors, cheaper tools and citizens’ trust in mobile operators. The spyware industry doesn’t need a zero-click exploit to be dangerous. All it needs is a convincing notification from your phone company.


