Fake Android Update Pushes Morpheus Spyware, Then Hijacks WhatsApp Through SMS and Lost Data

Author: Qoo Media

A counterfeit Android update is being used as a delivery method for Morpheus spyware, creating a path that can go beyond device monitoring and end with access to WhatsApp accounts. The scheme begins with a simple-looking SMS and a sudden loss of mobile data, but the end goal is far more invasive than a routine software upgrade.

The threat was identified by Osservatorio Nessuno, a digital rights group in Italy, and was previously highlighted by TechCrunch. Their findings suggest the operation is not random, but carefully staged through social engineering and, according to the researchers, may even involve active support from the victim’s mobile carrier.

How the attack starts

The first sign is not a technical exploit, but an interruption to the target’s mobile connectivity. In the scenario described by researchers, the victim’s data service is deliberately cut off by a telecom provider working with the authorities behind the operation.

After that, the victim receives an SMS telling them to install an app to restore connectivity and update the phone. The message appears ordinary enough to lower suspicion, yet the download is actually a malicious APK file rather than a legitimate Android update.

This approach makes Morpheus a lower-cost spyware tool compared with zero-click operations such as Pegasus from NSO Group or tools associated with Paragon Solutions. Instead of breaking into the phone silently, it relies on the victim to install the malware manually.

Why the malware is dangerous

Once installed, Morpheus uses Android accessibility permissions to read what is on the screen and interact with other apps on the device. That access gives the spyware broad control over what the user sees and does, which makes the fake update process more convincing and harder to notice.

The malware then presents a fake system update screen and later prompts a reboot. These steps are meant to make the malicious activity look like part of a normal device maintenance process rather than an intrusion.

After the phone restarts, Morpheus imitates the WhatsApp interface and asks for biometric verification. Researchers say that a single biometric tap can unknowingly authorize the spyware to add a new device to the victim’s WhatsApp account.

That is the step that turns a fake update into a full account compromise. With that access, Morpheus can obtain messages and contacts, showing how a social engineering trick can replace a more sophisticated technical break-in.

Signs linking the campaign to Italy

Osservatorio Nessuno also found Italian-language code fragments and cultural references embedded in the malware. Researchers said those clues match patterns seen in earlier spyware campaigns tied to Italy.

The report links Morpheus to IPS, an Italian company said to have more than 30 years of experience in lawful interception technology for law enforcement and intelligence agencies. IPS is also reported to operate in more than 20 countries and to list several Italian police forces among its clients.

The researchers believe Morpheus has been used to target political activists, although the identities of the victims were not disclosed. The case adds to a growing list of Italian surveillance vendors that have already been exposed, including CY4GATE, eSurv, RCS Lab, and SIO.

A related example surfaced when WhatsApp notified 200 users in April 2026 that they had installed a fake version of the app carrying spyware linked to SIO. That broader pattern has intensified concern about fake applications being used in surveillance campaigns aimed at private devices.

What Android users should watch for

Morpheus does not spread through the Google Play Store and cannot install itself silently. The attack only works if the victim manually downloads and installs an APK from outside the official app store.

That means an unexpected SMS urging a phone update should be treated with caution, especially if it arrives at the same time as a sudden loss of mobile data. Researchers also stressed that Android accessibility permissions are powerful and should not be granted to apps delivered through text-message links.

When a phone suddenly loses data service and then displays a message pushing an app install to restore connectivity, that combination should be seen as a warning sign. In this kind of campaign, the apparent update is not a technical fix but the entry point for spyware that can end with control over WhatsApp.
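One way to check a device for the combination described above, an app from outside the Play Store holding an accessibility service, is sketched below as an added example; it is not code from the researchers' report. It parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i` and `adb shell pm list packages -s`; the sample output and the `com.example.*` package names are constructed, and treating only the Play Store as a trusted installer is an assumption.

```python
import re

# Assumption: only the Play Store counts as a trusted installer; add a vendor store if needed.
TRUSTED_INSTALLERS = {"com.android.vending"}
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(pm_i_output):
    """Map package -> installer from `adb shell pm list packages -i` output."""
    matches = (PKG_LINE.match(line.strip()) for line in pm_i_output.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def parse_accessibility(setting_value):
    """Packages owning a service listed in enabled_accessibility_services."""
    value = setting_value.strip()
    if not value or value == "null":          # setting is empty when nothing is enabled
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def parse_system(pm_s_output):
    """Preinstalled packages from `adb shell pm list packages -s` output."""
    lines = (line.strip() for line in pm_s_output.splitlines())
    return {line[len("package:"):] for line in lines if line.startswith("package:")}

def flag_sideloaded_accessibility(setting_value, pm_i_output, pm_s_output):
    """Return (package, installer) for accessibility services that are neither
    preinstalled nor installed by a trusted store."""
    installers = parse_installers(pm_i_output)
    system = parse_system(pm_s_output)
    findings = []
    for pkg in sorted(parse_accessibility(setting_value)):
        installer = installers.get(pkg, "unknown")
        if pkg not in system and installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, installer))
    return findings

# Constructed sample output; the com.example.* packages are made up for illustration.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.passwords/.AutofillService:"
                  "com.example.systemupdate/.UpdateHelperService")
SAMPLE_PM_I = """package:com.google.android.marvin.talkback  installer=null
package:com.example.passwords  installer=com.android.vending
package:com.example.systemupdate  installer=null"""
SAMPLE_PM_S = "package:com.google.android.marvin.talkback"

if __name__ == "__main__":
    for pkg, installer in flag_sideloaded_accessibility(SAMPLE_SETTING, SAMPLE_PM_I, SAMPLE_PM_S):
        print(f"review: {pkg} has an accessibility service enabled (installer={installer})")
```

A flagged package is a prompt for manual review, not proof of compromise, since legitimately sideloaded accessibility tools will also appear.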

Source: www.notebookcheck.net