Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Apr 03, 2026 · 6 min read

An Italian Spy Firm Built a Fake WhatsApp That Took Over Your Entire Phone

WhatsApp just notified roughly 200 users that they had installed a counterfeit version of the app, built by an Italian government spyware vendor, which could record calls, read messages, and silently activate the camera.

Smartphone on dark table showing a messaging app with subtle surveillance overlay

What Happened

On April 1, 2026, WhatsApp disclosed that Italian surveillance firm SIO, through its subsidiary Asigint, had created a fake version of the WhatsApp app for iPhones. The counterfeit app looked and functioned like the real thing, but it contained Spyrtacus, a spyware tool that gave operators near total access to the victim's device.

WhatsApp identified approximately 200 affected users, primarily located in Italy. The company logged them out, alerted them to the compromise, and urged them to delete the fake app and reinstall the official version from the App Store.

How Spyrtacus Worked

The fake WhatsApp was not distributed through official app stores. Instead, targets were tricked through social engineering into downloading and installing it from outside the App Store, likely via direct messages or phishing pages that impersonated WhatsApp's download portal.

Once installed, Spyrtacus could:

  • Extract messages and contact lists from the device
  • Capture call logs and record phone conversations
  • Activate the microphone to listen to surroundings
  • Activate the camera to photograph the environment

WhatsApp confirmed that the attack did not exploit any vulnerability in WhatsApp itself. The entire operation relied on convincing people to install a trojanized clone, a technique that sidesteps every technical security measure the real app provides, including end to end encryption.

Who Is Behind It

SIO Spa is an Italian company that has been providing surveillance technology to law enforcement and government agencies for over 30 years. Asigint, the subsidiary that built the fake WhatsApp app, develops the Spyrtacus spyware family.

TechCrunch first reported the connection between SIO and Spyrtacus malicious Android apps in 2025. The April 2026 disclosure reveals the operation has expanded to target iPhone users through fake iOS apps, a significant escalation in capability and ambition.

The operation fits a broader pattern of European governments quietly purchasing and deploying commercial spyware. Italy is still dealing with the fallout from a separate surveillance operation exposed in early 2025 that used spyware from Paragon Solutions, the same firm whose Graphite tool ICE now uses.

Why This Matters Beyond WhatsApp

The fake app approach represents a strategic shift in how government spyware vendors operate. Companies like NSO Group built their reputation on sophisticated zero click exploits that could compromise a phone without the target doing anything. Those exploits are expensive, difficult to develop, and increasingly detected by companies like Apple and Google.

SIO's approach is cheaper and simpler: build a convincing fake app and trick the target into installing it. No zero day required. The tradeoff is that it requires social engineering, making it less scalable, but against targeted individuals like journalists, activists, and political figures, it is alarmingly effective.

This is the second time in 15 months that Meta has publicly disrupted spyware activity in Italy, suggesting the country has become a hotspot for commercial surveillance operations in Europe. Italy's proximity to multiple spyware vendors and its history of purchasing these tools from firms like Hacking Team creates an environment where government spyware threats are persistent.

How to Protect Yourself

  • Only install apps from official stores. Never install messaging apps from links sent via email, SMS, or other messages. Go directly to the App Store or Google Play.
  • Enable Lockdown Mode on iPhone. Apple's Lockdown Mode blocks most sideloaded app installation paths and has a strong track record against spyware.
  • Verify app authenticity. Check the developer name in the app store listing. The real WhatsApp is published by "WhatsApp Inc."
  • Watch for unusual permission requests. A messaging app that asks for camera and microphone access at odd times, or that appears to drain battery unusually fast, warrants investigation.
  • Keep your OS updated. Both iOS and Android have added protections against sideloaded malicious apps in recent updates.

The Bigger Picture

The commercial spyware industry is not going away. Despite sanctions against NSO Group, legal actions against surveillance vendors, and growing public outrage, the market continues to expand. New players like SIO fill the gaps left when high profile vendors face restrictions.

The shift from zero click exploits to fake app distribution also means the threat is democratizing. Building a convincing clone of a popular app requires far less technical sophistication than discovering a zero day in iOS. If a mid tier surveillance firm can pull it off, so can less scrupulous actors with smaller budgets.

For the 200 people who installed this fake WhatsApp, the consequences are severe: their private conversations, contacts, call history, and potentially even their physical surroundings were exposed to whoever operated the Spyrtacus infrastructure. And they may never know exactly who was listening.