Full Report
Italian company SIO, which sells to government customers, is behind an Android spyware campaign called Spyrtacus that spoofed popular apps like WhatsApp, per security researchers. © 2024 TechCrunch.
Analysis Summary
# Threat Actor: Spyrtacus Developers (Attributed to SIO Spa)
## Attribution & Identity
The threat actor is strongly associated with **SIO Spa**, an Italian spyware manufacturer that supplies products to government customers, including Italian law enforcement and intelligence agencies. The spyware is named **Spyrtacus**. Evidence pointing to SIO includes:
* Multiple malware samples analyzed by Lookout and another firm were confirmed to be made by SIO.
* The distribution websites and app content were primarily in Italian, suggesting use by Italian agencies.
* Source code contains a phrase in Neapolitan dialect ("Scetáteve guagliune ‘e malavita"), indicating an origin in the Naples region, consistent with SIO's operational context.
The activity may also involve **ASIGINT** (acquired by SIO), whose CEO, Michele Fiorentino, claimed involvement in the "Spyrtacus Project" while previously employed at **DataForense**, which is also associated with a C2 server for the spyware.
## Activity Summary
The activity revolves around the distribution and use of the **Spyrtacus** spyware via specifically crafted, malicious Android applications.
* **Historical Range:** Malware samples analyzed date from 2019 (oldest) up to October 17, 2024 (most recent). Other samples were found between 2020 and 2022.
* **Distribution Changes:** Kaspersky indicated that initial distribution involved Google Play apps (starting around 2018), but by 2019, the threat actors switched to hosting apps on malicious web pages designed to impersonate Italian internet providers.
* **Campaign Nature:** Google characterized the campaign using these apps as "highly targeted."
* **Context:** This activity is occurring while Italy is involved in a separate, high-profile scandal regarding the use of sophisticated spyware made by the Israeli company Paragon.
## Tactics, Techniques & Procedures
The primary technique involves social engineering through malicious mobile application distribution.
* **Infection Vector:** Developing and distributing malicious Android apps that impersonate legitimate, popular applications.
* **Impersonation Targets:** Apps posed as WhatsApp, as the customer support tools of cellphone providers (specifically TIM, Vodafone, and WINDTRE), and possibly as other popular apps.
* **Data Exfiltration Capabilities:**
  * Stealing text messages.
  * Stealing Signal and WhatsApp chats.
  * Exfiltrating contact information.
  * Recording ambient audio via the device microphone.
  * Capturing imagery via the device cameras.
  * Recording phone calls.
## Targeting
* **Sectors:** Law enforcement and government agencies (as customers), and potentially the subjects of their surveillance operations. The sectors of the people targeted by the spyware itself are **unclear**, since the victims of the shared samples were not identified.
* **Geography:** Italy, inferred from the Italian-language lures and the likely Italian government customers.
* **Victims:** Unspecified for the SIO/Lookout samples. The article notes this activity contrasts with the Paragon scandal where NGO founders helping immigrants were targeted.
## Tools & Infrastructure
* **Malware Families Used:** **Spyrtacus** (Android spyware). Kaspersky also reported finding a **Windows version**, with signs pointing to potential iOS and macOS versions.
* **Infrastructure (C2, domains, IPs):**
  * Distribution occurred via malicious web pages disguised as top Italian internet providers.
  * A Command and Control server was associated with **DataForense**.
## Implications
This discovery highlights the breadth of the commercial government spyware market and confirms the capabilities of Italian domestic spyware manufacturers. The overlap between SIO's documented link to the Italian government and the operational use of Spyrtacus suggests a vector for potentially unauthorized or targeted surveillance within Italy or abroad by Italian agencies. The existence of multiple platform versions (Windows, potential iOS/macOS) indicates a comprehensive surveillance toolkit, not limited to Android devices.
## Mitigations
* **Mobile Device Security:** Exercise caution when sideloading applications, particularly those masquerading as popular communication tools or carrier support apps.
* **Platform Protection:** Android has included protection against this specific malware family since 2022 (according to Google). Ensure all devices are running up-to-date operating systems.
* **Source Verification:** Users and organizations should be wary of apps distributed outside of official app stores, especially those referencing known domestic mobile carriers.
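One way to operationalize the sideloading and source-verification advice above is to triage the output of `adb shell pm list packages -i` for packages whose name resembles an impersonated brand but that were not installed by the Play Store. The following is an added example, not code from the report or from any of the firms it cites; the package names in the sample are constructed, and treating only the Play Store as a trusted installer is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: only the Play Store counts as a trusted installer. Add vendor
# stores (e.g. a Samsung store package) if your fleet uses them.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Brands the campaign impersonated, per the report: WhatsApp and the carrier
# support apps of TIM, Vodafone and WINDTRE. Short names such as "tim" are
# matched only as a whole dotted segment so that "optimize" is not a hit.
IMPERSONATED_BRANDS = ("whatsapp", "tim", "vodafone", "windtre")

# Format of one `pm list packages -i` line: "package:<name>  installer=<pkg|null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    brand: str


def parse_pm_output(text: str) -> List[Tuple[str, str]]:
    """Parse `pm list packages -i` output into (package, installer) pairs."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group("pkg"), m.group("inst")))
    return pairs


def matched_brand(package: str) -> Optional[str]:
    """Return the impersonated brand a package name resembles, if any."""
    segments = package.lower().split(".")
    for brand in IMPERSONATED_BRANDS:
        for seg in segments:
            if seg == brand or (len(brand) > 3 and brand in seg):
                return brand
    return None


def find_lookalike_sideloads(text: str) -> List[Finding]:
    """Flag brand-lookalike packages whose installer is not a trusted store."""
    return [Finding(pkg, inst, matched_brand(pkg))
            for pkg, inst in parse_pm_output(text)
            if matched_brand(pkg) and inst not in TRUSTED_INSTALLERS]


# Constructed sample output; the lookalike package names are hypothetical.
SAMPLE = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.whatsapp.update  installer=null
package:com.example.tim.assistenza  installer=com.google.android.packageinstaller
package:com.android.chrome  installer=com.android.vending
package:org.optimize.tools  installer=null
"""

if __name__ == "__main__":
    for f in find_lookalike_sideloads(SAMPLE):
        print(f"SUSPECT {f.package}: resembles {f.brand}, installer={f.installer}")
```

On a real device, pipe `adb shell pm list packages -i` into `find_lookalike_sideloads`; a hit is a prompt to pull the APK and compare its signing certificate with the genuine app's, not proof of infection.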