WhatsApp Notifies Users Targeted by Italian Surveillance Firm ASIGINT

WhatsApp notified approximately 200 users, the majority of them in Italy, that they had been tricked into installing a counterfeit version of the messaging application containing government spyware, the Meta Platforms-owned service announced on April 1. The fake application was built by ASIGINT, a subsidiary of the northern Italian surveillance company SIO Spa, headquartered in Cantù. WhatsApp said its security team proactively identified the affected users, logged them out of their accounts, and sent alert notifications urging them to uninstall the malicious client and download the official app from a trusted source. The company also announced it would send a formal cease-and-desist notice to ASIGINT and SIO, demanding they halt all harmful activity linked to the campaign. WhatsApp emphasized that the incident did not involve a vulnerability in its platform and that end-to-end encryption on official clients remained intact throughout.

Spyware embedded in fake app since at least 2019 The malicious software is identified in its own code as Spyrtacus, a name that appears directly in the program's source code. Researchers have found 13 different samples of Spyrtacus dating back to 2019, with the most recent sample from late 2024, according to The Next Web. Previous versions of the malware impersonated Android applications from Italian mobile providers TIM, Vodafone, and WINDTRE, as well as earlier fake versions of WhatsApp. The latest operation targeted iPhones, representing an expansion of the tactic into Apple's ecosystem. Once installed, Spyrtacus can steal text messages, chat histories, and call logs, and can record audio and video directly from a device's microphone and camera. The distribution did not occur through official channels such as the Google Play Store or the Apple App Store, but through unspecified third-party sources and direct links, according to reporting by La Repubblica cited in multiple outlets. SIO's website describes the company as a provider of solutions for law enforcement agencies, government organizations, police, and intelligence agencies.

Italy has faced repeated scrutiny over the use of commercial spyware by state authorities. In early 2025, WhatsApp alerted around 90 users — including journalists and pro-immigration activists — that they had been targeted by Paragon Solutions, a U.S.-Israeli surveillance firm whose flagship product, Graphite, was deployed by Italy's domestic and foreign intelligence services. That disclosure triggered a political crisis in Rome. Italy's parliamentary intelligence oversight committee, known as COPASIR, confirmed the use of Graphite and found that seven Italians had been targeted. Paragon subsequently cut ties with Italy's spy agencies after the Italian government declined to verify whether the spyware had been used against a specific journalist, Francesco Cancellato of the news site Fanpage.

Social engineering turned mobile carriers into delivery vectors The delivery mechanism relied on psychological manipulation rather than technical exploitation of WhatsApp itself. In Italy, authorities routinely obtain cooperation from mobile carriers, who send phishing links to their own customers on behalf of law enforcement, according to The Next Web. A target would receive what appeared to be a routine update notification from their provider, directing them to install what looked like a standard WhatsApp update. WhatsApp described the campaign as a "highly targeted social engineering attempt, aimed at a limited number of users with the objective of inducing them to install harmful software that imitated WhatsApp." Users who received the alert notification were instructed to verify they were running an unofficial version of the client and to reinstall the legitimate application. According to reporting by La Razón citing TechCrunch, affected users received the alert as a large-format in-app notification. WhatsApp spokesperson Margarita Franklin told TechCrunch the company could not at that stage provide further details about the notified users, such as whether they were journalists or members of civil society.

200 (users) — approximate number notified of fake WhatsApp spyware installation

Italian spyware incidents involving WhatsApp: — ; — ; — ; —

Expert sees targeted investigation, not mass surveillance Pierluigi Paganini, a professor of cybersecurity at Luiss Guido Carli University, told ANSA that the incident bore the hallmarks of a targeted operation rather than an indiscriminate attack. „The Italian company SIO has already been linked in the past to the development of the Android spyware Spyrtacus, distributed through malicious apps that imitate WhatsApp and telephone operator services. The malware that emerged in 2025 allowed advanced surveillance activities, including access to messages, contacts, calls, and the microphone.” — Pierluigi Paganini via ANSA Paganini added that the company's involvement made it plausible that the campaign was part of targeted investigations rather than broad, indiscriminate attacks. Italy's interior ministry referred questions about the case to police, who did not immediately respond to requests for comment, according to Reuters. SIO itself did not return messages seeking comment. The April 1 disclosure marks the second time in approximately 15 months that Meta has publicly named a spyware vendor operating against WhatsApp users in Italy, underscoring the country's position as a focal point for commercial surveillance technology controversies.