SIO, an Italian developer of spyware that typically caters to government clients, has reportedly been linked to a series of malicious Android applications masquerading as genuine platforms like WhatsApp, aimed at illicitly accessing sensitive data from users’ devices, as revealed by exclusive reports from TechCrunch.
In late 2022, a cybersecurity researcher provided TechCrunch with three Android applications suspected to be governmental spyware employed in Italy against unidentified individuals. TechCrunch subsequently engaged Google and mobile security company Lookout to investigate these apps, both affirming their classification as spyware.
This revelation underscores the vast landscape of governmental spyware, characterized not only by a multitude of firms involved in its development but also by diverse methodologies employed to target individuals.
Recent weeks have seen Italy embroiled in a controversy surrounding the alleged utilization of an advanced surveillance tool from the Israeli company Paragon. This spyware reportedly targets WhatsApp users remotely to extract data, with claims that it was deployed against journalists and NGO founders who assist migrants in the Mediterranean region.
In contrast to the sophisticated hacking methods employed in other cases, the malware samples shared with TechCrunch used a more conventional approach: creating and distributing malicious Android applications disguised as widely used services like WhatsApp and customer support utilities from mobile service providers.
After analyzing the malware samples, Lookout identified the spyware as Spyrtacus, discovering a reference to the term embedded within the code of an earlier malware iteration.
Lookout informed TechCrunch that Spyrtacus exhibits telltale signs of government-oriented spyware. (A different cybersecurity firm, which conducted an independent analysis of the malware for TechCrunch but chose to remain unnamed, reached a similar conclusion.) Spyrtacus can extract text messages and conversations from platforms including Facebook Messenger, Signal, and WhatsApp; access contact information; record phone calls; capture ambient sound via the device’s microphone; and acquire images through the device’s cameras, among other monitoring functions.
According to Lookout, the samples of Spyrtacus examined by TechCrunch, along with several previously scrutinized instances, can all be traced back to SIO, an Italian entity that supplies spyware to the Italian government.
In light of the Italian language utilized in both the applications and their distribution websites, it is likely that this spyware was deployed by Italian law enforcement agencies.
A representative from the Italian government and the Ministry of Justice did not respond to TechCrunch’s request for comments.
At this stage, it remains unclear who the specific targets of the spyware were, according to Lookout and the unnamed security firm.
SIO did not respond to multiple inquiries for comment. TechCrunch also reached out to Elio Cattaneo, the president and CEO of SIO, as well as other senior executives, including CFO Claudio Pezzano and CTO Alberto Fabbri, but received no response.
Kristina Balaam, a researcher with Lookout who assessed the malware, revealed that the company discovered 13 distinct samples of the Spyrtacus spyware in active use, with the earliest sample traced back to 2019 and the latest one identified on October 17, 2024. Balaam stated that additional samples were identified between 2020 and 2022, with some impersonating applications created by Italian telecom providers TIM, Vodafone, and WINDTRE.
Google’s spokesperson Ed Fernandez mentioned that “as of our latest detection, no applications harboring this malware have been found on Google Play,” adding that Android has implemented measures to guard against this malware since 2022. They characterized the apps as part of a “highly targeted campaign.” Upon inquiry about the presence of earlier versions of the Spyrtacus spyware on Google’s app store, Fernandez only reiterated the statements provided.
In a 2024 report, Kaspersky indicated that the developers behind Spyrtacus began distributing the spyware through Google Play in 2018 but transitioned by 2019 to hosting the apps on malicious websites designed to resemble those of leading Italian internet service providers. Kaspersky also identified a Windows variant of the Spyrtacus malware and gathered evidence of corresponding malware versions for iOS and macOS.

Pizza, Spaghetti, and Spyware
Italy has long been a breeding ground for some of the world’s early governmental spyware firms. SIO joins a lengthy roster of spyware developers whose tools have been documented by cybersecurity experts as actively targeting individuals globally.
In 2003, Italian hackers David Vincenzetti and Valeriano Bedeschi established Hacking Team, one of the pioneering companies to acknowledge the international demand for easy-to-use, full-service spyware solutions for law enforcement and governmental intelligence agencies worldwide. Hacking Team subsequently sold its spyware to agencies in countries including Italy, Mexico, Saudi Arabia, and South Korea.
Over the past ten years, various other Italian companies have come to light producing spyware, such as Cy4Gate, eSurv, GR Sistemi, Negg, Raxir, and RCS Lab.
Some of these companies have used distribution practices similar to those seen with the Spyrtacus spyware. Motherboard Italy uncovered in a 2018 investigation that the Italian justice ministry maintained a pricing list and catalog detailing how authorities could compel telecom operators to send deceptive text messages to surveillance targets, leading to the installation of malicious apps disguised as legitimate phone service maintenance.
For instance, regarding Cy4Gate, Motherboard discovered in 2021 that the firm had crafted imitation WhatsApp applications to lure their targets into installing spyware.
Numerous indicators suggest that SIO is the entity responsible for the spyware. Lookout identified that specific command-and-control servers utilized for remote malware control were linked to a company named ASIGINT, a subsidiary of SIO, as indicated in a publicly accessible 2024 document from SIO stating ASIGINT’s focus on software and services for wiretapping.
The Lawful Intercept Academy, an independent organization in Italy providing certification for spyware vendors operating in the nation, recognizes SIO as the certifying body for a spyware product known as SIOAGENT and designates ASIGINT as the product’s owner. Furthermore, a 2022 report from Intelligence Online noted that SIO had acquired ASIGINT.
The CEO of ASIGINT, Michele Fiorentino, operates from Caserta, near Naples, as per his LinkedIn profile. Fiorentino mentions involvement in the “Spyrtacus Project” during a stint at another company, DataForense, from February 2019 to February 2020, suggesting the company played a part in the spyware’s development.
Another command and control server identified with the malware is registered to DataForense, according to findings from Lookout.
DataForense and Fiorentino have not responded to TechCrunch’s requests for comments sent via email and LinkedIn.
Sources at Lookout and another unnamed cybersecurity firm noted that a segment of source code in one of the Spyrtacus samples suggests its developers might hail from the Naples area. The code includes a phrase, “Scetáteve guagliune ‘e malavita,” in Neapolitan dialect, roughly translating to “wake up boys of the underworld,” which is part of a traditional Neapolitan song called “Guapparia.”
This is not the first instance where Italian spyware developers have embedded their origins within the code of their products. For example, when the now-defunct Calabria-based spyware manufacturer eSurv was exposed in 2019, it was found to have coded the word “mundizza” (Calabrian for trash) into its spyware, as well as references to the Calabrian footballer Gennaro Gattuso.
Although these details may seem minor, all evidence points toward SIO as the architect of this spyware. However, lingering questions remain about the campaign, particularly regarding which governmental client orchestrated the deployment of Spyrtacus and against whom it was utilized.
Compiled by Techarena.au.


