WhatsApp has warned approximately 200 users that they were deceived into downloading a counterfeit version of the messaging app built to spy on them. The app was not a glitch. It was a weapon.
The operation traces back to SIO, an Italian surveillance company that markets itself as a cyber intelligence provider to law enforcement and government agencies, and its subsidiary ASIGINT, which develops the actual surveillance tools. WhatsApp, owned by Meta Platforms Inc., disclosed the incident as part of what it described as a broader effort to publicly disrupt surveillance activity targeting its users.
The roughly 200 affected users were located primarily in Italy. Neither SIO nor Italian authorities provided immediate responses to requests for comment, according to reporting by Investing.com.
How the Fake WhatsApp Spyware Campaign Worked
The fraudulent app was not available through Apple's App Store or Google Play. Instead, SIO's operatives appear to have distributed it through phishing links, relying on social engineering tactics to convince targets they were downloading a legitimate update or alternate version of WhatsApp. Once installed, the app functioned as a delivery mechanism for a piece of spyware that security researchers have identified as "Spyrtacus."
Spyrtacus has a documented history. Researchers found the malware embedded in fake applications dating back to 2019, and identified 13 distinct samples of it through late 2024. The surveillance campaign was described by sources familiar with the operation as highly targeted, not a broad-based attack designed to sweep up large numbers of victims.
WhatsApp was direct about what its encryption does and does not protect against. The company emphasized that end-to-end encryption on the official app remained intact and that legitimate users of WhatsApp were not exposed through any vulnerability in the platform itself. The attack worked by bypassing encryption entirely: getting a target to install a malicious replacement rather than exploiting the real app's code.
A WhatsApp spokesperson confirmed the company could not share information about the identities of affected users, including whether any journalists, activists, or civil society members were among those targeted. That gap in disclosure reflects a recurring challenge in commercial spyware cases: the most sensitive question about who was surveilled often goes unanswered.
Meta's Encryption Promise and the Limits of Platform Security
WhatsApp's response illustrates a tension at the center of modern encrypted messaging. The platform has built its brand, and much of its legal defense against surveillance firms, on end-to-end encryption as a guarantee of private communication. Meta has pursued legal action against at least one other major spyware vendor, NSO Group, the Israeli firm behind the Pegasus surveillance software, over a 2019 attack that exploited a vulnerability in WhatsApp's voice call feature.
This disclosure marks the second time in 15 months that Meta has publicly addressed spyware activity targeting WhatsApp users in Italy. That pattern points to Italy as a recurring site of commercial spyware deployment, a country with a documented market for government-grade surveillance tools sold to both domestic agencies and foreign clients.
SIO's business model fits a familiar template in the commercial spyware industry. The company positions itself as a legitimate vendor serving authorized law enforcement and intelligence clients. ASIGINT, its subsidiary, sits on the technical side of that arrangement, building the tools that operatives deploy in the field. That structure, a parent company providing legal cover while a subsidiary handles the technical work, mirrors arrangements used by other surveillance vendors scrutinized by digital rights researchers.
The social engineering method used here sidesteps the hardest problem in offensive cyber operations: finding a software vulnerability. Instead of cracking WhatsApp's encryption, the operation relied on persuading targets to install a lookalike app themselves. That approach requires no zero-day exploit and leaves far less forensic trace on the platform being impersonated.

Commercial Spyware and the Growing Question of Government Authorization
The SIO operation arrives as governments and technology companies are negotiating the boundaries of legitimate surveillance in digital spaces. The Trump administration's cyber strategy, as analyzed by Lawfare, endorses expanding the role of private sector actors in cyber operations, including potential authorization for companies to conduct offensive cyber activities on behalf of state clients. That policy direction is relevant context for how commercially developed tools like Spyrtacus reach operational use.
WhatsApp's public disclosure, while limited in detail, follows a pattern the company has adopted since its legal confrontation with NSO Group: naming vendors, describing methods, and alerting targets directly rather than quietly patching and moving on.
The company's spokesperson confirmed it notified the approximately 200 affected users but declined to characterize what data may have been accessed or for how long the spyware operated on victims' devices.
For users outside Italy, the technical method carries its own warning. The fake WhatsApp was distributed outside official app stores, meaning any user who installs messaging apps from unofficial sources faces the same vector of attack regardless of geography.
WhatsApp's official guidance, consistent with this incident, is that users should download the app exclusively through Apple's App Store or Google Play and treat unsolicited links to app downloads with suspicion.
Disclaimer: This article was produced with the assistance of an artificial intelligence tool but vetted by a human editor.