WhatsApp Identifies 200 Users Infected by Italian-Made Spyware
WhatsApp caught 200 users, mostly in Italy, tricked into installing a fake iPhone app secretly built by SIO, an Italian government spyware firm.

The delivery mechanism was deceptively simple: a phishing link, often sent through a target's own cellphone provider, directing them to install what looked like a standard WhatsApp update for their iPhone. It was not. WhatsApp accused Italian spyware maker SIO of creating a fake version of its messaging app for iPhones. The company identified around 200 users who were tricked into installing the malicious counterfeit.
SIO develops its government spyware through its subsidiary ASIGINT. The command-and-control servers used to remotely control the malware were registered to ASIGINT, a subsidiary of SIO SpA. A publicly available SIO document from 2024 says ASIGINT develops software and services related to computer wiretapping. The firm is based in Cantù, in the Lombardy region of northern Italy, and counts law enforcement, government bodies, and intelligence agencies among its customers.
The spyware embedded in the fake app is known as Spyrtacus, a name drawn from a word that appeared in the spyware's own code. WhatsApp said it has already logged out all affected accounts and plans to send a formal cease-and-desist letter to SIO and ASIGINT. "Our security team proactively identified around 200 users primarily in Italy who we believe may have downloaded this malicious unofficial client," WhatsApp said. "We have logged them out, alerted to the risks to their privacy and security that come with downloading fake unofficial clients, and encouraged them to remove it and download the official WhatsApp app."
Who exactly those 200 users are remains undisclosed. WhatsApp spokesperson Margarita Franklin said that, at this point, the company cannot share more information about the users it notified, such as whether they were journalists or members of civil society. That silence is pointed. WhatsApp's latest announcement comes a year after the company alerted around 90 users that they had been targeted with spyware made by Paragon Solutions, notifications it sent to journalists and pro-immigration activists, among others, sparking a wide-ranging scandal across Italy. In response, Paragon cut ties with Italy's spy agencies, which were its customers.

SIO was previously linked to a series of malicious Android apps containing its spyware, including fake versions of WhatsApp and fake customer support tools for cellphone providers. Using fake apps against surveillance targets is a well-established tactic used by Italian authorities, who often enlist cellphone providers to send phishing links to their customers on behalf of law enforcement. Anyone who received such a message and followed a link to install an update outside of Apple's App Store or the Google Play Store should immediately delete the application, restore from a clean backup, and treat any data on the device during the infection window as potentially compromised.
Apple and SIO did not respond to requests for comment. That silence, combined with WhatsApp's refusal to specify how the fake app was distributed or what indicators of compromise look like, leaves users with no concrete way to confirm exposure. The consecutive Italian spyware episodes, one government-bought Israeli tool and now a domestically made iPhone implant, raise a question that neither Meta nor Italian authorities have addressed: whether the app-store ecosystem's trusted distribution model has become the single most exploitable assumption in mobile security.

