Deep Dive: The Mechanics and Context of the Morpheus Spyware
A recent report from Osservatorio Nessuno not only identifies a new player in the surveillance industry, but also exposes a disturbing collaboration between state infrastructure and telecommunications operators.
- Social Engineering via Infrastructure Control
What makes this campaign unique is not the complexity of the code, but the method of infection. By collaborating with the target’s mobile service provider (ISP), the attackers create an artificial “technical problem” (data outage). This forces the victim to look for a solution, making the installation of the fake app seem like a legitimate and necessary action.
- Exploiting Android’s Accessibility Services
Once installed, Morpheus requests the “Accessibility Services” permission. On Android, this permission works as a Trojan horse, because granting it gives the spyware the following capabilities:
Screen Scraping: The spyware can read any message, even in encrypted apps like Signal or Telegram, by capturing text directly from the screen.
Keylogging: Records every keystroke on the keyboard, stealing passwords and banking credentials.
Automated Interaction: Can click buttons or accept permissions on behalf of the user without being noticed.
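
For defenders triaging a device, the combination described here (an app installed outside an app store that holds an enabled accessibility service) can be checked from two `adb` outputs. The following is an added example, not code from the Osservatorio Nessuno report; the package names and sample outputs are constructed, and treating only the Play Store as a trusted installer is an assumption.

```python
# Assumption: only the Play Store counts as a trusted installer; adjust per policy.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample: adb shell settings get secure enabled_accessibility_services
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.carrierupdate/.HelperService"
)
# Constructed sample: adb shell pm list packages -3 -i   (-3 = third-party apps only)
SAMPLE_THIRD_PARTY = """\
package:com.example.carrierupdate  installer=null
package:org.example.notes  installer=com.android.vending
"""


def parse_enabled_services(raw):
    """Split the colon-separated setting into (package, service) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # an unset setting prints "null"
        return []
    parts = (component.partition("/") for component in raw.split(":"))
    return [(pkg, svc) for pkg, _, svc in parts if pkg and svc]


def parse_installers(raw):
    """Map third-party package name -> installer (None if none is recorded)."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        if not fields:
            continue
        recorded = [f.split("=", 1)[1] for f in fields[1:] if f.startswith("installer=")]
        installers[fields[0]] = recorded[0] if recorded and recorded[0] != "null" else None
    return installers


def flag_sideloaded_accessibility(services_raw, third_party_raw, trusted=TRUSTED_INSTALLERS):
    """Return enabled accessibility services owned by sideloaded third-party apps."""
    installers = parse_installers(third_party_raw)
    findings = []
    for package, service in parse_enabled_services(services_raw):
        if package not in installers:  # preinstalled/system app: out of scope here
            continue
        if installers[package] not in trusted:
            findings.append((package, service, installers[package]))
    return findings
```

A finding is a prompt for manual review, not a verdict: legitimate sideloaded apps can also register accessibility services.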

- The “Biometric Bypass” for WhatsApp
The method used to compromise WhatsApp shows a sophisticated use of social engineering. By disguising the biometric authentication request as a “security check” within the app, the spyware actually authorizes the WhatsApp Web/Linked Devices feature. This allows attackers to mirror all conversations on another device in real time, without having to break the end-to-end encryption.
- Italy’s Booming Surveillance Market
Italy has become a global hub for the development of offensive security software. After the fall of Hacking Team in 2015, the market fragmented into many smaller companies such as IPS, SIO, and CY4GATE. These firms often operate in legal “gray areas,” where tools designed to fight organized crime and terrorism end up being used against activists and journalists.
- Technical Footprints (The “Italian Signature”)
The researchers found references in the code to “Gomorrah” and “Spaghetti.” This is not just a curious detail, but an indication of poor operational security (OPSEC) on the part of the IPS developers, which allowed the researchers to connect the server infrastructure directly to their offices in Italy.
This discovery underscores the need for Android users to be skeptical of system updates that arrive via links in SMS, regardless of whether they appear to come from their official carrier. No legitimate carrier requires the manual installation of an APK to enable mobile data.