WhatsApp has alerted 200 users who downloaded a counterfeit app created by the Italian spyware company SIO.

      WhatsApp has informed about 200 users, mainly located in Italy, that they were deceived into installing a fraudulent version of the messaging app, which was actually government spyware. This counterfeit application was created by SIO, an Italian surveillance technology firm that develops spyware for law enforcement and intelligence agencies through its subsidiary ASIGINT. WhatsApp reported that it proactively identified the impacted users, logged them out of their accounts, alerted them to the privacy dangers, and instructed them to remove the imitation app and install the official version from a reliable source. The company also mentioned to TechCrunch that it intends to send a formal legal request to SIO to cease any harmful activities related to this campaign.

      As first reported by the Italian newspaper La Repubblica and the news agency ANSA, this disclosure marks the second occasion within just over a year that WhatsApp has publicly named a spyware vendor targeting its users in Italy. Early in 2025, WhatsApp notified around 90 users, including journalists and pro-immigration advocates, that they had been attacked by Paragon Solutions, a surveillance company based in the U.S. and Israel, whose main product, Graphite, was used by Italy’s domestic and foreign intelligence agencies. This revelation led to a political crisis in Rome. Italy’s parliamentary intelligence oversight committee, COPASIR, confirmed that Graphite was utilized and found that seven Italians had been targeted. Following this, Paragon discontinued its relationship with Italy’s spy agencies after the government did not agree to verify whether the spyware had been directed against a particular journalist, Francesco Cancellato of the news site Fanpage.

      SIO’s spyware functions through a different approach. The malware, recognized in its code as Spyrtacus, is incorporated into fake apps that appear to be legitimate software. Researchers have discovered 13 different samples of Spyrtacus dating back to 2019, with the latest version from late 2024. Previous iterations mimicked Android apps from Italian mobile providers TIM, Vodafone, and WINDTRE, in addition to earlier counterfeit versions of WhatsApp itself. TechCrunch first uncovered SIO’s Android distribution campaign in February 2025. The current operation, aimed at iPhones, marks an extension of this method to Apple’s ecosystem. Once installed, Spyrtacus has the capability to access text messages, chat histories, and call logs, as well as record audio and video directly using the device’s microphone and camera.

      The delivery method is as telling as the malware itself. In Italy, authorities regularly seek the cooperation of mobile carriers, which send phishing links to their own customers on behalf of law enforcement. The targeted individual receives what seems to be a normal update notification from their provider, prompting them to install what resembles a standard WhatsApp update. The Italian justice ministry maintains a price list and catalog that outlines how authorities can compel telecom companies to send such messages, effectively transforming the mobile network into a distribution channel for state surveillance tools. The expense of renting spyware in Italy is strikingly low: by late 2022, law enforcement could access such tools for as little as €150 per day, without the substantial upfront costs typically associated with deployments in other countries.

      Italy’s status as a spyware hub is uncommon among Western democracies. Companies like Hacking Team, Cy4Gate, RCS Lab, and Raxir have all been based in Italy, attracted by a legal framework that offers a formal statutory basis for the “captatore informatico,” or computer interceptor, which effectively amounts to state-sanctioned trojan software. Fabio Pietrosanti, president of the Hermes Center for Transparency and Digital Human Rights, noted that spyware is deployed more frequently in Italy than in any other European country due to low costs and lenient regulations, making them accessible to a broader range of law enforcement agencies compared to neighboring nations. Consequently, municipal police forces can commission surveillance operations against individuals, rather than just national intelligence agencies.

      WhatsApp spokesperson Margarita Franklin informed TechCrunch that the company could not yet confirm if the 200 users affected included journalists or civil society members. “Our priority has been protecting users who may have been deceived into downloading this fake iOS app,” she stated. The company did not clarify whether it has presented the issue to Italian prosecutors or regulatory bodies. Neither Apple nor SIO responded to requests for comments.

      The legal landscape surrounding commercial spyware has changed significantly in the past year. In May 2025, a California jury ordered NSO Group, the Israeli developer of Pegasus, to pay WhatsApp $167 million in punitive damages after determining that it had facilitated hacks of approximately 1,400 users through zero-click attacks. A federal judge later reduced the amount to $4 million but imposed a permanent injunction preventing NSO from targeting WhatsApp’s infrastructure. NSO has appealed the ruling. WhatsApp’s parent company Meta described the decision as a landmark and has since broadened its legal approach against the larger surveillance sector. The formal legal demand WhatsApp intends to send