TL;DR: WhatsApp caught an Italian spyware firm red-handed. SIO, through its subsidiary Asigint, built a fake version of WhatsApp for iOS, loaded with spyware called Spyrtacus, and tricked roughly 200 people into installing it. Most targets were in Italy. The malware could read messages, steal contacts, record through the microphone and camera, and track location. WhatsApp logged out all affected users and is pursuing legal action against Asigint. This isn’t SIO’s first time: researchers found 13 Android variants of Spyrtacus dating back to 2019, disguised as everything from WhatsApp to Italian telecom apps. Italy has quietly become Europe’s biggest spyware hub, where cops can rent government trojans for €150 a day.
A Fake WhatsApp, Built by a Government Spyware Firm
On April 1, WhatsApp disclosed that approximately 200 users had been tricked into installing a counterfeit version of its iOS app. The fake app looked like WhatsApp. It worked like WhatsApp. But underneath, it was Spyrtacus, a surveillance tool built by Asigint, an Italian subsidiary of spyware vendor SIO S.p.A.[1][2]
The targets didn’t find this app on the App Store. The attackers used social engineering: convincing messages that directed victims to download the malicious version from outside Apple’s ecosystem. Once installed, Spyrtacus went to work.
What it could access:
- Text messages and chat histories from WhatsApp and other apps
- Contact lists and call logs
- Audio recording through the device microphone
- Camera access for photos and video
- Real-time location tracking
The vast majority of victims were in Italy. WhatsApp logged out all compromised accounts, told users to delete the malicious app, and directed them to install the real version.[1]
Who Is SIO? Italy’s Quiet Surveillance Contractor
SIO S.p.A., based in Cantù in northern Italy’s Lombardy region, markets itself as a provider of surveillance solutions to “law enforcement agencies, government organizations, and police and intelligence agencies.” Its subsidiary Asigint handles the spyware development.[3]
SIO isn’t some garage startup. The company has operated in Italy’s intelligence sector for over 30 years. Administrative records from the Siracusa prosecutor’s office reference “Spyrtacus” in procurement contexts for lawful interception: government-speak for state-sanctioned hacking.[4]
This fake WhatsApp wasn’t their first operation. Researchers identified at least 13 different Android variants of Spyrtacus dating back to 2019. Previous versions impersonated apps from Italian mobile providers TIM, Vodafone, and WINDTRE, as well as earlier fake versions of WhatsApp itself.[4][5]
The distribution chain is what makes this particularly disturbing. Italian telecoms participate in the delivery: sending phishing messages to their own subscribers at the state’s request. Your mobile carrier becomes the instrument of your surveillance.[4]
€150 a Day: Why Italy Is Europe’s Spyware Capital
Italy isn’t just home to one spyware firm. It’s home to at least eight: SIO/Asigint, Cy4Gate, RCS Lab, Negg, Raxir, GR Sistemi, AREA, and Memento Labs (the rebranded remnants of Hacking Team, the firm whose 2015 hack exposed global surveillance abuse).[6]
Italy ranks among the world’s top three spyware hubs alongside Israel and India. It has the longest-running continuous spyware ecosystem studied across 42 countries.[6]
Why? The legal framework. Italy formally authorizes the “captatore informatico,” a computer interceptor, essentially state-sanctioned trojan software. The country’s highest court ruled that authorities can deploy spyware with the same authorization needed to plant a physical microphone bug.[6]
And the price makes it accessible to practically any police department. As of December 2022, Italian law enforcement could rent spyware for €150 a day, regardless of vendor, without large upfront costs. That’s the price of a nice dinner in Milan, except the meal is total surveillance of someone’s digital life.[6]
According to journalist Riccardo Coluccini, “thousands of spyware operations have been carried out by Italian authorities in recent years.”[6]
A reform bill that took effect in February 2025 now requires investigating judges to provide “independent evaluation” before spyware deployment. But the fundamental structure (cheap, legal, and available to any prosecutor’s office in the country) remains intact.
Italy’s Growing Spyware Problem: A Pattern
This isn’t an isolated incident. It’s part of a pattern that keeps getting uglier:
- January 2025: WhatsApp alerted around 90 users, including journalists and pro-immigration activists, that they’d been targeted by Paragon Solutions’ Graphite spyware, deployed by Italy’s domestic and foreign intelligence services.[7]
- December 2025: Researchers first publicly documented SIO’s Spyrtacus campaign, identifying malicious Android apps impersonating WhatsApp and Italian telecom providers.[5]
- April 2026: WhatsApp catches SIO/Asigint running the same playbook on iOS, affecting 200 more people.[1]
Two separate Italian-connected spyware campaigns targeting WhatsApp users in 15 months. Different firms, same country, same victims: people the Italian state wants to watch.
And those are just the ones WhatsApp detected. The spyware industry’s business model depends on staying invisible. For every campaign that gets caught, there are others that don’t.
WhatsApp’s Response: Legal Action Coming
WhatsApp isn’t just sending warnings. The company announced it will issue a formal legal demand to Asigint to cease all malicious operations, referencing “precedent-setting accountability measures against commercial spyware firms.”[1][2]
That’s not empty talk. In December 2024, a U.S. federal jury found NSO Group liable for hacking 1,400 WhatsApp users with its Pegasus spyware, a landmark verdict that established commercial spyware vendors can be sued for their products’ abuse. WhatsApp is clearly building on that precedent.[8]
But legal action takes years. SIO has been running Spyrtacus operations since at least 2019. Seven years of documented activity. The legal system moves in months and years. Spyware campaigns move in days.
How to Protect Yourself
Only Install Apps from Official Stores
Spyrtacus relied on convincing users to install WhatsApp from outside the App Store. Never install messaging apps from links in text messages, emails, or websites, even if they look official. Always use Apple’s App Store or Google Play.
Enable Lockdown Mode on iPhone
Apple’s Lockdown Mode (Settings > Privacy & Security > Lockdown Mode) blocks most spyware delivery vectors. It limits some features but dramatically hardens your device against sophisticated attacks.
Watch for Carrier-Sent Links
Italian telecoms helped deliver Spyrtacus by sending phishing messages to their own subscribers. If your carrier sends you a message asking you to “update” or “reinstall” an app, don’t click. Go to the app store directly.
Check Your WhatsApp Installation
On iPhone: Settings > General > VPN & Device Management. Look for any profiles you didn’t install. If you see something unfamiliar, delete it and reinstall WhatsApp from the App Store.
The Bigger Picture
Italy has built the cheapest, most accessible government spyware ecosystem in Europe. Any prosecutor’s office can rent a trojan for the price of a parking ticket. The reform law requires judicial review, but the infrastructure (eight spyware firms, complicit telecoms, a permissive legal framework) churns on.
WhatsApp caught this one. They caught the Paragon campaign before it. But each discovery raises the same question: how many campaigns didn’t get caught?
The commercial spyware industry isn’t going away. It’s getting cheaper, more accessible, and harder to detect. Italy is proof that you don’t need to be an authoritarian regime to build a surveillance machine. You just need a legal framework that treats hacking like wiretapping and a price point that treats privacy like a budget line item.
€150 a day. That’s what your digital privacy costs to break.
References
- TechCrunch: WhatsApp Notifies Hundreds of Users Who Installed a Fake App That Was Actually Government Spyware (April 1, 2026)
- The Hacker News: WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action (April 2, 2026)
- Security Affairs: Italian Spyware Vendor Creates Fake WhatsApp App, Targeting 200 Users (April 2, 2026)
- Andrea Fortuna: Spyrtacus and the Fake WhatsApp Client Behind a Hidden Surveillance Campaign (April 2, 2026)
- Silicon Canals: Italian Surveillance Firm SIO Built Fake WhatsApp App with Government Spyware, Meta Says (April 2026)
- The Record: How Italy Became an Unexpected Spyware Hub (Recorded Future News)
- Citizen Lab: Virtue or Vice? A First Look at Paragon's Proliferating Spyware Operations (March 2025)
- The Guardian: NSO Group Found Liable for Hacking WhatsApp Users with Pegasus Spyware (December 2024)
Published: April 4, 2026