Android users are being warned about a sophisticated spyware campaign that disguises malicious software as legitimate system updates, exploiting trust in routine maintenance to gain access to sensitive data. The malware, identified as Morpheus, has been linked to an Italian technology firm with ties to law enforcement and intelligence agencies, raising concerns about the growing availability of surveillance tools designed to mimic legitimate software updates.
According to research by Osservatorio Nessuno, an Italian digital rights organization, the Morpheus spyware operates by first interrupting a target’s mobile data connection, then sending a deceptive SMS prompting the user to install a fake update application. Once installed, the app requests access to Android’s accessibility features, which it abuses to monitor screen content, intercept messages, and hijack WhatsApp accounts without the user’s knowledge. The spyware does not rely on zero-day exploits but instead uses social engineering to trick users into granting permissions, making it a “low cost” option for surveillance operations.
The investigation traced Morpheus to IPS, an Italian company that has provided lawful interception technology to government clients for over 30 years. IPS supplies tools used by authorities to capture real-time communications from phone and internet networks, and while its website lists operations in more than 20 countries, the Morpheus spyware was not previously disclosed as part of its product portfolio. Several Italian police forces are named among IPS’s customers for its traditional interception systems, though the company has not publicly commented on its involvement with Morpheus.
Security researchers note that the spyware’s method of infection marks a departure from more advanced surveillance tools used by groups like NSO Group or Paragon Solutions, which often rely on undisclosed vulnerabilities to install malware remotely without user interaction. In contrast, Morpheus depends entirely on the target installing the malicious app themselves after being misled by a fake update prompt. This reliance on user action reduces the technical sophistication required but increases the importance of user awareness in preventing infection.
The campaign highlights a broader trend in which government-linked spyware vendors are increasingly distributing surveillance tools through consumer-facing channels, blurring the line between lawful interception and covert monitoring. As mobile devices continue to store vast amounts of personal and professional data, the ability to compromise them through seemingly legitimate updates poses a significant risk to privacy and security, particularly when such tools are deployed without transparent oversight or judicial authorization.
To protect against threats like Morpheus, users are advised to only install applications from official sources such as the Google Play Store, to scrutinize unexpected SMS messages urging app installations, and to regularly review which apps have been granted accessibility or notification access in Android settings. Disabling installation from unknown sources and keeping the operating system updated remain critical defenses against social engineering-based malware.
As of the latest reports, there have been no public announcements regarding legal actions, regulatory responses, or official statements from IPS concerning the Morpheus findings. Osservatorio Nessuno continues to monitor the distribution of the spyware and has called for greater transparency from companies that develop surveillance technologies used by state entities.
Stay informed about emerging mobile security threats by following trusted technology news sources and official cybersecurity advisories. Share this article to help others recognize the signs of deceptive update scams and protect their devices from surveillance malware.