WhatsApp has alerted 200 users who downloaded a counterfeit app created by the Italian spyware developer SIO.

      WhatsApp has informed around 200 users, mainly in Italy, that they were deceived into downloading a counterfeit version of the messaging app, which turned out to be government spyware. The fraudulent application was created by SIO, an Italian company specializing in surveillance technology that produces spyware for law enforcement and intelligence agencies through its subsidiary ASIGINT. WhatsApp stated that it proactively identified the affected users, logged them out of their accounts, alerted them to the privacy risks, and recommended they delete the fake version and install the official app from a verified source. Additionally, the company indicated to TechCrunch its intention to send a formal legal request to SIO to cease any harmful activities related to the campaign.

      This disclosure, initially reported by the Italian newspaper La Repubblica and the news agency ANSA, marks the second instance in just over a year that WhatsApp has publicly identified a spyware vendor targeting its users in Italy. In early 2025, WhatsApp alerted around 90 users, including journalists and pro-immigration advocates, that they had been targeted by Paragon Solutions, a U.S.-Israeli surveillance firm whose primary product, Graphite, had been utilized by Italy’s domestic and foreign intelligence agencies. This revelation ignited a political crisis in Rome, with Italy’s parliamentary intelligence oversight committee, COPASIR, confirming the use of Graphite and discovering that seven Italians had been targeted. Following this, Paragon severed ties with Italy’s spy agencies after the government refused to confirm whether the spyware had been used against specific journalist Francesco Cancellato of the news site Fanpage.

      SIO’s spyware operates on a different model. The malware, identified in its own code as Spyrtacus, is integrated into counterfeit applications that mimic legitimate software. Researchers have discovered 13 different samples of Spyrtacus dating back to 2019, with the latest identified in late 2024. Previous versions impersonated Android apps from Italian mobile providers like TIM, Vodafone, and WINDTRE, as well as earlier fake versions of WhatsApp itself. TechCrunch first uncovered SIO’s Android distribution campaign in February 2025. The most recent operation, which targets iPhones, signifies an extension of this tactic into Apple’s ecosystem. Once installed, Spyrtacus can capture text messages, chat histories, and call logs, and can also record audio and video through the device’s microphone and camera.

      The method of delivery is as notable as the malware itself. In Italy, authorities frequently collaborate with mobile carriers, which send phishing links to customers on behalf of law enforcement. The targets receive what appears to be a routine update notification from their provider, prompting them to install what looks like an ordinary WhatsApp update. The Italian justice ministry maintains a pricing structure and catalog that outlines how authorities can compel telecom companies to send these messages, effectively transforming the mobile network into a distribution channel for state surveillance tools. The cost of using spyware in Italy is remarkably low: as of late 2022, law enforcement could access these tools for as little as €150 per day, without the substantial upfront costs that typically hamper deployment in other countries.

      Italy's status as a hub for spyware is atypical among Western democracies. Companies such as Hacking Team, Cy4Gate, RCS Lab, and Raxir have all been based there, attracted by a legal framework that provides a formal statutory basis for the “captatore informatico,” or computer interceptor, which effectively allows state-sanctioned trojan software. Fabio Pietrosanti, president of the Hermes Center for Transparency and Digital Human Rights, stated that malware is deployed more frequently in Italy than anywhere else in Europe due to the low cost and relaxed regulations, making it accessible to a broader range of law enforcement agencies than in neighboring countries. Consequently, municipal police forces, rather than just national intelligence agencies, can commission surveillance operations against individuals.

      WhatsApp spokesperson Margarita Franklin informed TechCrunch that the company could not confirm whether the 200 impacted users included journalists or civil society members. “Our priority has been protecting the users who may have been tricked into downloading this fake iOS app,” she noted. The company did not clarify whether it had referred the issue to Italian prosecutors or any regulatory authority. There was no response from Apple or SIO to requests for comments.

      The legal landscape surrounding commercial spyware has changed significantly in the past year. In May 2025, a California jury ordered NSO Group, the Israeli producer of Pegasus, to pay WhatsApp $167 million in punitive damages after determining it enabled hacks of approximately 1,400 users through zero-click attacks. A federal judge later reduced the award to $4 million but imposed a permanent injunction preventing NSO from targeting WhatsApp’s infrastructure. NSO has since appealed. WhatsApp’s parent company Meta described the verdict as a landmark event and has broadened its legal strategy against the larger surveillance industry. WhatsApp’s planned formal legal demand to SIO follows a similar approach: utilizing litigation