Key Findings

• WhatsApp alerted approximately 200 users, primarily in Italy, who were tricked into installing a counterfeit iOS app containing spyware

• The fake app was created by Asigint, an Italian subsidiary of spyware company SIO Spa

• All affected users have been logged out and advised to uninstall the malicious app and download the official version

• WhatsApp is pursuing legal action against Asigint to stop further malicious activity

• The attack relied on social engineering tactics rather than exploiting vulnerabilities in WhatsApp itself

Background

SIO and its subsidiary Asigint operate as government-grade spyware developers, marketing their surveillance tools to law enforcement, government organizations, and intelligence agencies. The company has over 30 years of experience in the sector and is one of several Italian firms contributing to Italy's reputation as a "spyware hub." This incident is not the first time SIO has been implicated in malicious activity targeting WhatsApp users.

The Attack Method

Threat actors used social engineering to deceive users into downloading the counterfeit app rather than exploiting technical vulnerabilities. The fake version was not available through official app stores like the Apple App Store or Google Play, indicating a highly targeted campaign aimed at specific individuals rather than mass distribution. Once installed, the spyware would have given attackers access to users' devices and their sensitive data.

SIO's History of Malicious Activity

In December 2025, TechCrunch revealed that SIO was behind a series of malicious Android apps disguised as WhatsApp and other popular applications. The spyware family, called Spyrtacus, could extract private data including messages, contact lists, and call logs, while also enabling microphone and camera surveillance. These apps were believed to have been used by a government customer to target victims in Italy.

WhatsApp's Response and Legal Action

WhatsApp emphasized that the incident did not involve a vulnerability in its platform and that end-to-end encryption remains intact for official users. The company plans to issue a formal legal notice demanding that Asigint cease all malicious activity. WhatsApp has previously established a precedent by holding a commercial spyware firm legally accountable under U.S. law for attempting to spy on users.

Broader Context of European Surveillance

This incident reflects a wider pattern of surveillance tool misuse across Europe. In Greece, the 2022 Predatorgate scandal involved the illegal use of Predator spyware to target politicians, business leaders, and journalists. More recently, a Greek court sentenced Tal Dilian, founder of the Intellexa Consortium, and three associates to prison for their roles in the scheme. Spain has also faced similar issues, with investigations into NSO Group's Pegasus spyware being used to monitor Spanish government officials, though a 2026 High Court closure of that probe cited lack of cooperation from Israeli authorities.

Industry Claims vs. Reality

Companies like NSO Group and Intellexa maintain that their surveillance technology is only licensed to governments for combating serious crimes and bolstering national security. However, recurring incidents demonstrate that these tools are frequently misused against private citizens and political figures. The legal landscape remains contested, with some European countries formalizing government surveillance under strict conditions while victims and human rights organizations continue to demand greater transparency and accountability.

Sources

• https://thehackernews.com/2026/04/whatsapp-alerts-200-users-after-fake.html

• https://securityaffairs.com/190276/malware/italian-spyware-vendor-creates-fake-whatsapp-app-targeting-200-users.html

• https://www.techinasia.com/news/whatsapp-warns-users-fake-app-linked-govt-spyware-maker