
SIO Italian Spyware Firm
Spyrtacus Full-Device Implant
Access Now + Citizen Lab Investigation
APK Fake App Delivery
WhatsApp has notified approximately 200 users that they were targeted by Spyrtacus, a full-device spyware implant developed by the Italian surveillance company SIO. The notification — proactively sent by Meta’s WhatsApp security team — is one of the clearest examples yet of a major platform using its visibility into attack infrastructure to warn targeted individuals. The investigation was conducted in collaboration with Access Now and the Citizen Lab at the University of Toronto, two of the world’s leading civil-society digital security research organisations.
SIO operates in the so-called “lawful intercept” market — selling surveillance tools to government and law enforcement clients — but the targeting of the 200 notified individuals raises serious questions about misuse, mission creep, and the accountability framework (or lack thereof) governing European commercial spyware vendors outside the better-known NSO Group orbit.
Unlike basic eavesdropping tools, Spyrtacus provides operators with complete device access: microphone activation, camera access, location tracking, contacts exfiltration, and covert surveillance of any app on the device — not just WhatsApp. Once installed, the victim’s device becomes a surveillance platform with capabilities far beyond anything disclosed in SIO’s marketed product documentation.
Who Is SIO and What Their Spyware Does
SIO (Sistema Informativo Operativo) is an Italian company operating in the commercial surveillance software market. Unlike the headline-grabbing NSO Group or Intellexa, SIO has maintained a lower public profile — selling primarily to Italian law enforcement and intelligence agencies, though the scope of client relationships remains unclear given the company’s opacity.
The company’s flagship product, Spyrtacus, is a full-device implant designed for Android (with iOS capabilities also documented by researchers). When successfully installed, Spyrtacus achieves persistence at the system level and grants operators: real-time GPS location tracking, activation of the device microphone and front/rear cameras without user awareness, exfiltration of contacts, messages across all major apps, call records, and credentials. The implant also establishes a covert command-and-control (C2) channel — unusually, routing traffic through cloud storage relay services to obscure the ultimate destination of exfiltrated data and complicate attribution.

How the Attack Was Delivered
The delivery mechanism documented by Access Now and Citizen Lab is a fake app distributed as an APK (Android Package Kit) outside the Google Play Store. The malicious applications were crafted to impersonate legitimate apps — commonly used messaging or utility apps that potential targets might plausibly install. Targets received messages (via WhatsApp or other channels) encouraging them to install the fake app, often with social engineering pretexts.
Once the APK was installed, Spyrtacus exploited Android permission escalation techniques to acquire device-wide privileges. The malware requested permissions that superficially appeared related to the fake app’s stated function, then used those permissions as footholds for deeper system access. It also leveraged Android’s Accessibility Services in certain documented versions — a common technique for Android spyware that allows apps to observe and interact with all on-screen content across every application.
The C2 infrastructure used a cloud storage relay architecture — routing exfiltrated data and operator commands through consumer cloud storage services, making traditional network-level detection and blocking significantly harder. This technique has been documented in several commercial spyware families and represents a meaningful evasion evolution compared to earlier direct C2 server architectures.
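A read-only triage check for the delivery chain described above (a sideloaded APK that then enables an Accessibility Service), written here as an added example and not taken from the article, Access Now or Citizen Lab. It parses the output of two `adb shell` commands, `pm list packages -i` and `settings get secure enabled_accessibility_services`, and lists packages that were not installed by Google Play yet hold accessibility access; the sample output and package names below are constructed for illustration.

```python
import re

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample output of `adb shell pm list packages -i`; names are made up.
SAMPLE_PM_LIST = """\
package:com.whatsapp  installer=com.android.vending
package:com.android.settings  installer=null
package:com.example.fakemessenger  installer=null
package:com.example.reader  installer=com.android.vending
"""
# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated package/service entries).
SAMPLE_ENABLED_A11Y = (
    "com.example.fakemessenger/com.example.fakemessenger.HelperService:"
    "com.example.reader/.ReaderService"
)

_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package; 'null' (no recorded installer) -> None."""
    installers = {}
    for line in pm_output.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_enabled_accessibility(setting: str) -> set:
    """Packages that currently have an enabled accessibility service."""
    return {e.split("/", 1)[0] for e in setting.split(":") if "/" in e.strip()}


def suspicious_packages(pm_output: str, a11y_setting: str) -> list:
    """Sideloaded or unknown-installer packages that also hold accessibility access.
    System apps report installer=null too, so treat this as a review list, not a verdict."""
    installers = parse_installers(pm_output)
    return sorted(p for p in parse_enabled_accessibility(a11y_setting)
                  if installers.get(p) != PLAY_STORE_INSTALLER)


if __name__ == "__main__":
    for pkg in suspicious_packages(SAMPLE_PM_LIST, SAMPLE_ENABLED_A11Y):
        print("review:", pkg)  # prints "review: com.example.fakemessenger"
```

Run the two adb commands on the suspect device, save their output, and feed it to `suspicious_packages`; nothing here modifies the device, so forensic artefacts are preserved for a helpline investigation.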
WhatsApp’s Proactive Notification
WhatsApp’s decision to proactively notify approximately 200 identified targets is significant and relatively rare in the industry. The notification was possible because Meta’s threat intelligence team identified infrastructure associated with the SIO campaign — attack infrastructure that was using WhatsApp as a delivery or reconnaissance channel.
TechCrunch has reported extensively on WhatsApp’s approach to combating commercial spyware, and this notification follows a pattern Meta established after its landmark 2019 lawsuit against NSO Group. Meta has committed to using its visibility into messaging infrastructure to identify and notify users targeted by commercial surveillance tools. The platform is not in a position to remove the spyware — that requires device-level remediation — but notification gives targeted individuals the opportunity to seek help.
Access Now’s Digital Security Helpline is specifically mentioned by WhatsApp as a resource for notified users — providing free, expert technical support for civil society members, journalists, and human rights defenders who believe they have been targeted by advanced surveillance.
The SIO case illustrates that the commercial spyware problem extends well beyond the NSO Group. Italy, Greece, Spain, and other EU member states have active domestic surveillance software industries that operate with limited transparency and inconsistent regulatory oversight. EU-level regulation of commercial spyware vendors is increasingly discussed in policy circles, but enforcement remains fragmented.
What Users Should Do
If you received a WhatsApp notification about this campaign — or believe you may have been targeted — the first step is to contact Access Now’s Digital Security Helpline, which provides free, confidential support to civil society, journalists, activists, and human rights defenders. Do not attempt to remove spyware yourself without expert guidance, as some removal attempts can destroy forensic evidence needed for investigation.
For the general population, the key protective measures are: never install APKs from outside the Google Play Store, enable Google Play Protect, keep Android and all apps fully updated, and treat unsolicited links or app installation requests with extreme scepticism — even if they appear to come from trusted contacts (whose accounts may have been compromised).