.jpg)
-1.png)
A new Android spyware has been uncovered by Osservatorio Nessuno, an Italian digital rights organisation.
Named Morpheus, this spyware stands out for its remarkably simple yet effective approach: rather than exploiting costly technical vulnerabilities, it relies on sophisticated social engineering to get its targets to install the spyware on their Android devices themselves.
A simple but effective attack method
In the case documented by the researchers, the attack begins with the deliberate blocking of the target's mobile data by their own telecom provider, at the request of the operation's sponsors. Cut off from connectivity, the victim receives an SMS prompting them to install an application to "restore their connection" or "update their phone".
According to Osservatorio Nessuno, this mechanism, disrupting a service to push the target into installing the application, is the standard approach for low-cost spyware, although it can take other forms.
Once installed, Morpheus abuses Android's accessibility permissions to read screen content, interact with applications and take control of the device. It displays a fake update screen while silently granting itself all necessary permissions in the background. The spyware also disables antivirus software present on the device and enables wireless debugging to maintain persistence.
But Morpheus's most striking technique targets WhatsApp. The spyware displays a fake biometric screen mimicking the application, asking the victim to verify their identity. When the victim places their finger on the sensor, they unknowingly authorise the addition of a linked device to their WhatsApp account, giving the attacker complete, real-time access to all their messages and contacts.
Beyond WhatsApp, Morpheus can also record audio and video, take screenshots, exfiltrate files stored on the device and erase its own traces.
Who is behind Morpheus
Osservatorio Nessuno researchers have linked the spyware to IPS, an Italian company specialising in lawful interception technology for over 30 years, operating in more than 20 countries and counting several Italian police forces among its clients.
Morpheus is classified as a "lawful interception" surveillance tool, designed for use by government agencies and law enforcement, which explains how the operation's commanders can leverage formal agreements with telecom operators to target their victims.
A Commercial Spyware Market That Is Industrialising
Morpheus is not an isolated case. IPS joins a growing list of commercial spyware vendors exposed in recent years: CY4GATE, eSurv, RCS Lab, and most recently SIO. In April 2026, WhatsApp notified around 200 users who had installed a fake version of the application containing spyware linked to SIO.
In 2025, a professional mobile device has an average of 15 malicious applications, up from 9 in 2023.
These spyware tools do not necessarily require advanced technology, unlike Pegasus or Graphite, which exploit costly and sophisticated zero-click vulnerabilities. On the contrary, Morpheus illustrates the emergence of a category of "low cost" spyware, technically simpler but just as invasive, that leverages privileged access to infrastructure and operators to deploy particularly effective social engineering.
How Pradeo Protects Against This Type of Threat
Morpheus's attack method exploits several weaknesses in mobile device security. Pradeo Mobile Threat Defense addresses each of them.
-
Malicious application detection.
Pradeo detects malicious applications installed on devices, including those installed outside official stores via sideloading, exactly the infection mechanism used by Morpheus. The solution identifies suspicious behaviours before the application can access device data. -
Permission abuse detection.
The solution identifies applications that request excessive permissions or abuse Android's accessibility services, the core mechanism exploited by Morpheus to take control of the device. -
Risky configuration detection.
Pradeo detects devices whose configuration increases vulnerability to attacks: developer mode enabled, wireless debugging enabled, unknown sources authorised for application downloads. These are exactly the vectors exploited by Morpheus to maintain persistence and weaken device security. -
SMS phishing protection.
The phishing SMS is the entry point of the Morpheus attack. Pradeo detects and blocks smishing attempts, preventing the user from clicking on the malicious link before infection occurs.
A Warning Sign for Organisations
Morpheus is a reminder that the most effective mobile threats are not always the most technically sophisticated. A "low cost" spyware capable of disabling mainstream antivirus solutions and spying on a device raises the question of what type of protection is truly needed on mobile. Traditional signature-based detection is not sufficient against threats designed to bypass it.
.jpg?height=100&name=1711636314862%20(1).jpg)
-1.png)
-3.png)
