An Italian surveillance technology company called IPS has been identified as the maker of a previously unknown Android spyware, after researchers caught its customers using fake phone-update apps to install the malware on targets’ devices. The findings were published on Thursday, April 24, 2026, by Osservatorio Nessuno, an Italian digital rights organization that researches spyware.
The spyware, which researchers named Morpheus, disguised itself as a phone-update application. Targets were tricked into installing it after their mobile carrier deliberately blocked their cellular data and sent an SMS directing them to install what appeared to be a legitimate update app. Once installed, Morpheus exploited Android’s built-in accessibility features to read on-screen data and interact with other apps. It then displayed a fake reboot screen and spoofed the WhatsApp interface, prompting the target to provide biometrics — a tap that unknowingly granted the spyware full access to their WhatsApp account by adding a new device to it.
Osservatorio Nessuno researchers Davide and Giulio attributed the spyware to IPS based on its infrastructure. One IP address used in the campaign was registered to “IPS Intelligence Public Security,” and code fragments within the malware contained Italian-language references, including words tied to Gomorra — the book and TV series about the Neapolitan mob — and “spaghetti.” A researcher at a separate cybersecurity firm, who reviewed the report, confirmed the malware was developed by an Italian surveillance technology maker.
IPS is an Italian company with more than 30 years of experience in lawful interception technology — tools used by governments to capture real-time communications flowing through phone and internet provider networks. According to its website, the company operates in more than 20 countries and lists several Italian police forces among its customers. IPS did not respond to a request for comment. The researchers said they believe the attack is “related to political activism” in Italy, a context where “this type of targeted attacks are very common nowadays.”
Researchers described Morpheus as “low cost” spyware because it relies on deceiving targets into installing it themselves, rather than using zero-click exploits — the stealthy, vulnerability-based infection methods employed by higher-profile vendors such as NSO Group and Paragon Solutions.
IPS is the latest in a series of Italian spyware makers to be publicly exposed, following CY4GATE, eSurv, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and most recently SIO. Earlier in April 2026, WhatsApp notified around 200 users who had installed a fake version of its app that was actually spyware made by SIO. The pattern suggests the Italian surveillance technology sector has expanded significantly since the collapse of Hacking Team, one of the earliest spyware makers in the world, which was hacked and later sold and rebranded.
Source: TechCrunch