Fake Android update app installs Morpheus spyware and steals WhatsApp access

A newly exposed spyware operation is using fake Android update apps to plant surveillance software on targets' devices, with the infection chain requiring active cooperation from the victim's own mobile network provider. 

The spyware, named Morpheus by researchers, was uncovered by Italian digital rights organization Osservatorio Nessuno in a report published April 24 and first reported by TechCrunch.

How the infection works

Morpheus is classified as low-cost spyware because it relies on social engineering rather than the zero-click exploits used by more advanced tools like NSO Group's Pegasus or Paragon Solutions. The attack requires the target to install the malicious app themselves, but the method used to get them there is deliberate and documented.

The target's mobile data is first deliberately blocked by their telecom provider, working in coordination with the authorities deploying the spyware. With their data cut off, the target receives an SMS instructing them to install an app to restore their connectivity and update their phone. The app is the spyware.

Once installed, Morpheus abuses Android's built-in accessibility permissions, which allow it to read on-screen content and interact with other apps running on the device. It then displays a fake system update screen followed by a reboot prompt.

After rebooting, it then spoofs the WhatsApp interface and prompts for biometric verification, claiming a routine account check was initialized. That biometric tap unknowingly authorizes the spyware to add a new device to the target's WhatsApp account, handing Morpheus full access to their messages and contacts. 

Researchers also found Italian-language code fragments and cultural references embedded in the malware, consistent with patterns seen in other Italian spyware campaigns.

Who is behind Morpheus

Osservatorio Nessuno linked Morpheus to IPS, an Italian company with more than 30 years of experience providing lawful interception technology to law enforcement and intelligence agencies. IPS operates in more than 20 countries and counts several Italian police forces among its listed clients. 

Researchers believe Morpheus was used to target political activists, though specific targets were not disclosed. The case adds IPS to a growing list of Italian surveillance vendors exposed in recent years, including CY4GATE, eSurv, RCS Lab, and SIO. In April 2026 alone, WhatsApp notified 200 users that they had installed a fake version of the app containing spyware linked to SIO.

What Android users should know

Morpheus does not spread through the Google Play Store and cannot install itself silently. The attack depends on the target manually installing an APK from outside official app stores. Any unexpected SMS prompting a phone update, particularly one that arrives alongside a sudden loss of mobile data, should be treated as suspicious. Android's accessibility permissions are powerful and should never be granted to an app that arrived via a text message link.

In recent security news, a separate threat group was caught impersonating IT helpdesk staff on Microsoft Teams to deploy custom malware on enterprise networks.