aimode.news

Mobile spy as a bargain: Italy's booming spyware shadow industry

When state surveillance software is mentioned, names such as Pegasus, Predator or Paragon (Graphite) usually come up. These sophisticated tools cost millions and use zero-day exploits for unknown vulnerabilities to infect smartphones without any action by those affected. But these high-end products are only the tip of the iceberg. Away from the spotlight, a parallel, much cheaper market has established itself in Europe.

An investigation by the NGO Osservatorio Nessuno and the umbrella association European Digital Rights (EDRi) sheds light on the shadow world of low-cost spyware in Italy. There are dozens of smaller surveillance companies that develop tailored Trojans for investigative authorities. Research by the media network IrpiMedia shows that Italian prosecutors sometimes pay only a few dozen euros per day of surveillance. In this low price segment, expensive vulnerabilities are not necessary. Instead, the providers rely on psychological tricks and social engineering to take over target devices.

A real scenario illustrates the approach of this cheap spyware. The target suddenly loses mobile network reception. Immediately afterwards, an SMS arrives that appears to come from the mobile provider. It urges the user to install a supposedly urgent update to restore service. The attached link leads to a genuine-looking phishing page in the provider's name. There, the victim is lured into downloading a manipulated Android application file (APK), which is a doctored copy of the regular app.

Once installation is complete, the program begins spying on data. To make the deception work, the surveillance operators enlist the help of the Internet providers. At the request of the judiciary or prosecutors, the providers deliberately throttle the target's connection to make the pretext of the SMS appear credible. Once active on the phone, these applications abuse Android's accessibility services, silently link WhatsApp sessions to external devices, disable local antivirus programs and suppress the standard indicators that signal access to the microphone or camera.

Cheap malicious programs in continuous use

Osservatorio Nessuno has examined two previously little-known products. The Morpheus malware, which is associated with the company IPS Intelligence, specifically tricks victims when they use WhatsApp. It displays a fake biometric prompt. In reality, this is the genuine device-linking request, which gives attackers access to the chat account.

The state trojan Spyrtacus, which the company SIO develops and sells, works in a similar way. By abusing accessibility services, it takes screenshots, records voice calls and exports chat histories. According to the report, the tool has been in continuous use for years and is regularly updated. To maintain the infrastructure and distribute the spyware undetected, suppliers systematically use front and letterbox companies. Some of these constructs are used to place the malicious apps in the official Google Play Store as legitimate applications.
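Both the SMS-lure scenario and the two products above depend on an app that holds an enabled accessibility service, so a device triage can start there. The following is an added example, not code from the article or the report: it assumes adb access to the device, and the package names, the `TRUSTED_STORES` set and the `expected` allowlist are constructed for illustration.

```python
# Added example. Inputs are constructed samples of the output of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
import re

SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.carrier.update/.core.SyncService:"
    "com.example.cleaner/.BoostService"
)
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.carrier.update  installer=null
package:com.example.cleaner  installer=com.android.vending
"""
TRUSTED_STORES = {"com.android.vending"}  # assumption: Play Store is the only store
PKG_RE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?", re.M)

def parse_installers(pm_output):
    """Map package name -> installer, or None when no installer is recorded."""
    return {m.group(1): (None if m.group(2) in (None, "null") else m.group(2))
            for m in PKG_RE.finditer(pm_output)}

def parse_a11y_packages(setting):
    """Package names from the colon-separated 'package/service' component list."""
    setting = setting.strip()
    if setting in ("", "null"):  # no accessibility service enabled
        return []
    return [comp.split("/", 1)[0] for comp in setting.split(":") if comp]

def triage(setting, pm_output, expected=frozenset()):
    """Return (package, level, reason) for every grant that needs a look."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg in parse_a11y_packages(setting):
        installer = installers.get(pkg)
        if installer not in TRUSTED_STORES:
            # Sideloaded copies rank high even if the name is on the expected list.
            findings.append((pkg, "high", f"not store-installed (installer={installer})"))
        elif pkg not in expected:
            # Store origin alone is not a clean bill: some samples shipped via the store.
            findings.append((pkg, "review", "store-installed, not on expected list"))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE_A11Y, SAMPLE_PACKAGES, {"com.google.android.marvin.talkback"}):
        print(row)
```

A clean result only means no unexpected accessibility grant was found; it does not show that the device is free of spyware.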

This flourishing industry is driven by high state demand in Italy. Statistics from the Ministry of Justice show that prosecutors authorized around 5200 Trojan infections in 2024 alone. This volume far exceeds the numbers in other EU countries and has turned the compromise of digital endpoints into a routine investigative method.

After a discovery, it is impossible for those affected, lawyers or independent IT researchers to find out which company provided the software, which authority used it and whether a valid judicial order existed at all.

Fundamental rights undermined, EU has a duty to act

This system demands more and more data. Law enforcement agencies demand infections on a massive scale at the lowest possible price, which normalizes unlimited access to private life. Whether the intrusion takes place via sophisticated zero-click exploits, manipulative deception or physical installation, as is done with stalkerware, makes no difference to the victim. Every piece of spyware breaks the confidentiality of digital devices and extracts photos, passwords, locations and private messages.

EDRi points out that such instruments are incompatible with EU fundamental rights and the principles of proportionality and necessity. Responsibility for the uncontrolled spread also lies with the EU Commission, whose inaction favours the market. Development and trade in Europe are hardly regulated; internal market rules allow cross-border distribution. The EU thus acts as a global hub for surveillance technology that contributes to human rights violations worldwide.

A growing coalition of civil society and journalists’ associations calls for a complete EU-wide ban on commercial spyware. There is also a need for strict transparency requirements for the Member States.

![Mobile spy as a bargain: Italy's booming spyware shadow industry](https://heise.cloudimg.io/bound/1200x1200/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/0/9/1/8/9/2/shutterstock_1475631128-76dcc6e82e074f5e.jpg)
