Italian spyware maker SIO, known to sell its products to government customers, is behind a series of malicious Android apps that pose as WhatsApp and other popular apps and steal private data from targeted devices.
Late last year, security researchers shared three Android apps with TechCrunch, claiming they were likely government spyware used against unknown victims in Italy. TechCrunch asked Google and mobile security company Lookout to analyze the apps, and both confirmed that the apps were spyware.
The finding shows how broad the world of government spyware is, both in the number of companies developing spyware and in the range of techniques used to target individuals.
In recent weeks, Italy has been caught up in an ongoing scandal involving allegations that sophisticated spy tools made by Israeli spyware maker Paragon were used against journalists and two founders of an NGO that supports and rescues migrants in the Mediterranean. Paragon’s spyware is said to remotely target WhatsApp users and steal data from their phones.
In the case of the malicious apps shared with TechCrunch, the spyware maker and its government customers used a more pedestrian hacking technique: developing and distributing malicious Android apps that pose as popular apps like WhatsApp, or as customer support tools provided by mobile phone carriers.
Security researchers at Lookout concluded that the Android spyware shared with TechCrunch is called Spyrtacus, after finding that word in the code of an older malware sample, where it appears to refer to the malware itself.
Lookout told TechCrunch that Spyrtacus has all the hallmarks of government spyware. (A researcher at another cybersecurity company, who independently analyzed the spyware for TechCrunch but asked not to be named, reached the same conclusion.) Spyrtacus can steal text messages and chats from Facebook Messenger, Signal and WhatsApp, and exfiltrate contact information. It can record phone calls and ambient audio through the device’s microphone, and capture images through the device’s camera, among other features useful for surveillance.
According to Lookout, all the Spyrtacus samples provided to TechCrunch, along with some other malware samples the company analyzed earlier, were created by SIO, an Italian company that sells spyware to the Italian government.
Given that the apps and the websites used to distribute them are in Italian, it is plausible that the spyware was used by Italian law enforcement.
A spokesperson for the Italian government and the Ministry of Justice did not respond to TechCrunch’s request for comment.
At this point, it is unclear who was targeted with the spyware, according to Lookout and the other security company.
SIO did not respond to multiple requests for comment. TechCrunch also contacted SIO president and CEO Elio Cattaneo and several senior executives, including CFO Claudio Pezzano and CTO Alberto Fabbri; none responded.
Kristina Balaam, a Lookout researcher who analyzed the malware, said the company found 13 different samples of the Spyrtacus spyware in the wild. The oldest sample dates back to 2019 and the most recent to October 17, 2024, with the other samples discovered between 2020 and 2022, Balaam added. Some of the samples are apps that impersonate apps made by Italian mobile carriers TIM, Vodafone and WindTre, Balaam said.
“Based on current detections, no apps containing this malware are found on Google Play,” said Google spokesperson Ed Fernandez, adding that Android has had protections against this malware since 2022. Asked whether older versions of the Spyrtacus spyware had been available in Google’s app store, Fernandez said this was all the information the company had.
Kaspersky said in a 2024 report that the people behind Spyrtacus began distributing the spyware through Google Play in 2018, but by 2019 had switched to hosting the apps on malicious web pages made to look like those of Italy’s top internet providers. Kaspersky researchers also discovered Windows versions of the Spyrtacus malware and found signs pointing to the existence of iOS and macOS versions.
![Screenshots of fake websites designed to distribute malicious versions of WhatsApp for Android containing the Spyrtacus spyware.](https://techcrunch.com/wp-content/uploads/2025/02/fake_whatsapp_malicious_website.png)
Pizza, Spaghetti, Spyware
For 20 years, Italy has been home to some of the world’s earliest government spyware companies. SIO is the latest addition to a long list of spyware makers whose products security researchers have observed actively targeting people in the real world.
In 2003, two Italian hackers, David Vincenzetti and Valeriano Bedeschi, founded the startup Hacking Team, one of the first companies to recognize that there was an international market for turnkey, easy-to-use spyware systems for law enforcement and government intelligence agencies around the world. Hacking Team sold its spyware to agencies in Italy, Mexico, Saudi Arabia and South Korea, among others.
Over the past decade, security researchers have discovered several other Italian companies selling spyware, such as Cy4Gate, eSurv, GR Sistemi, Negg, Raxir and RCS Lab.
Some of these companies distributed their spyware products in a way similar to Spyrtacus. Motherboard Italy discovered in a 2018 investigation that the Italian Ministry of Justice has a price list and catalog showing how authorities can compel telecom companies to send malicious text messages to surveillance targets, for example a message telling them that their phone service is active.
In the case of Cy4Gate, Motherboard discovered in 2021 that the company had created a fake WhatsApp app to trick targets into installing its spyware.
Several factors point to SIO as the company behind the spyware. Lookout found that some of the command and control servers used to remotely control the malware are registered to a company called ASIGINT, a subsidiary of SIO involved in computer eavesdropping.
The Lawful Interception Academy, an independent Italian organization that issues compliance certifications to spyware makers operating in the country, lists SIO as the certificate holder for a spyware product called SIOAgent and lists ASIGINT as the product’s owner. In 2022, the surveillance and intelligence trade publication Intelligence Online reported that SIO had acquired ASIGINT.
Michele Fiorentino is the CEO of ASIGINT and is based in Caserta, an Italian city outside Naples, according to his LinkedIn profile. The profile says Fiorentino worked on the “Spyrtacus Project” with another company called DataForense from February 2019 to February 2020, implying that the company was involved in developing the spyware.
According to Lookout, another command and control server associated with the spyware is registered to DataForense.
DataForense and Fiorentino did not respond to requests for comment sent by email and via LinkedIn.
According to Lookout and the other, unnamed cybersecurity company, one of the Spyrtacus samples contains source code that points to potential developers from the Naples region. The source code contains the phrase “Scetáteve Guagliune ‘e Malavita,” a Neapolitan dialect phrase that translates to “Wake up, boys of the underworld.” It is part of the lyrics of the traditional Neapolitan song “Guapparia.”
This is not the first time an Italian spyware maker has left traces of its origins in its spyware. In the case of eSurv, a now-defunct spyware maker based in the southern region of Calabria that was exposed in 2019 for infecting the phones of innocent people, the developers left the word “Mundizza” in the spyware’s code, a reference to Calabrian footballer Gennaro Gattuso.
These are small details, but all the signs point to SIO being behind this spyware. However, no one has been able to answer questions about the campaign, such as which government customer was behind the use of the Spyrtacus spyware.