Morpheus Android Spyware: Fake Updates and WhatsApp Hijacking
Italian-linked surveillance firm IPS Intelligence is tied to a new Android spyware, “Morpheus,” that tricks targets into installing a fake “update” app and then hijacks WhatsApp accounts using biometric-spoofing overlays. The case highlights how commercial spyware vendors are turning to mobile-phishing tactics to deploy powerful snooping tools.
MILAN, ITALY — Another commercial spyware vendor has been caught distributing fake Android apps that install powerful snooping software. Newly exposed research by the Italian digital rights organization Osservatorio Nessuno has identified a spyware family dubbed "Morpheus." The malware tricks victims into granting deep device permissions before hijacking WhatsApp accounts via a sophisticated biometric-spoofing workflow.
The discovery has been directly linked to IPS Intelligence, a long-standing Italian "lawful intercept" firm known for providing surveillance tools to police and intelligence agencies. The revelation raises fresh concerns regarding the abuse of state-linked technology against political activists and dissidents.
The Attack Chain: Fake Updates and Permission Abuse
Morpheus does not rely on expensive "zero-click" exploits. Instead, it utilizes a highly effective social engineering chain that weaponizes legitimate Android features:
- The Lure: Targets are directed to download a fake app masquerading as a critical "System Update," "SIM Fix," or "Network Status" tool.
- Accessibility Hijack: Once installed, the app relentlessly prompts the user to enable Accessibility Services.
- Automated Escalation: Once granted Accessibility power, Morpheus uses it to "read" the screen and automatically tap through menus to grant itself further privileges, including Device Administrator status and Wireless Debugging (ADB), without requiring root access.
Unlike the UAC-0247 campaign, which utilized malicious lures to harvest data from desktop browser sessions, Morpheus operates natively on the mobile device. By hijacking the mobile-app interface itself via Accessibility abuse, attackers bypass the need for a web-based intermediary.
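The permission chain described above (Accessibility, then Device Administrator, then Wireless Debugging) can be checked for on a device under examination. The following is an added triage example, not code from the researchers or from the spyware; the package `com.example.sysupdate`, the allowlist, and all sample values are constructed assumptions.

```python
# Added example: flag packages holding the permission combination the article describes.
# Inputs come from the analyst's own collection, e.g.:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get global adb_wifi_enabled
#   active admin components listed by `adb shell dumpsys device_policy`

# Assumption: packages the device owner expects to hold Accessibility access.
EXPECTED_A11Y = {"com.google.android.marvin.talkback"}


def packages(components):
    """Map 'pkg/.Class' component names to the set of package names."""
    return {c.split("/", 1)[0].strip() for c in components if c.strip()}


def parse_a11y(setting):
    """The secure setting is a colon-separated list; unset reads as 'null'."""
    if setting is None or setting.strip() in ("", "null"):
        return set()
    return packages(setting.strip().split(":"))


def triage(a11y_setting, admin_components, adb_wifi_setting):
    """Return one finding per unexpected accessibility service, worst cases marked high."""
    a11y = parse_a11y(a11y_setting)
    admins = packages(admin_components)
    wifi_debug = (adb_wifi_setting or "").strip() == "1"
    findings = []
    for pkg in sorted(a11y - EXPECTED_A11Y):
        reasons = ["unexpected accessibility service"]
        if pkg in admins:
            reasons.append("also an active device administrator")
        if wifi_debug:
            reasons.append("wireless debugging is enabled on the device")
        severity = "high" if len(reasons) > 1 else "review"
        findings.append({"package": pkg, "severity": severity, "reasons": reasons})
    return findings


# Constructed sample: a hypothetical "update" package alongside TalkBack.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.sysupdate/.UpdateService")
SAMPLE_ADMINS = ["com.example.sysupdate/.AdminReceiver"]

if __name__ == "__main__":
    for f in triage(SAMPLE_A11Y, SAMPLE_ADMINS, "1"):
        print(f["severity"], f["package"], "; ".join(f["reasons"]))
```

A finding here is a prompt for manual review of the package, not proof of infection; legitimate assistive and management apps also hold these permissions.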
Turning Phones into Surveillance Bugs
Once Morpheus establishes a foothold, it effectively turns the device into a 24/7 surveillance asset. According to TechCrunch and NotebookCheck, the spyware can remotely disable microphone and camera "kill-switches" in the Android Quick Settings panel, ensuring the victim has no visual indicator that they are being recorded.
The most innovative — and dangerous — feature of Morpheus is its WhatsApp Biometric Spoofing. The spyware detects when a user opens WhatsApp and launches a fake UI overlay that mimics the legitimate app. It prompts the user to "verify their identity" with a biometric tap (fingerprint or face scan). In the background, Morpheus uses that authentication to secretly link a malicious secondary device to the victim's WhatsApp account, granting the attackers full access to all past and future messages, files, and contacts.
The Commercial Spyware "Pivot"
The link to IPS Intelligence situates this incident within the broader global trend of commercial spyware companies moving toward "soft-hacking" methods. By using fake updates and overlay attacks, these firms can offer powerful surveillance capabilities at a fraction of the cost of traditional exploits.
This incident follows a pattern we have covered in previous reports on WhatsApp security and mobile phishing. It reinforces that the greatest threat to high-risk individuals often isn't a complex code flaw, but the abuse of the very features designed to make mobile devices more accessible.
The CyberSignal Analysis: Strategic Signals
Signal 01 — The Death of the "Kill-Switch"
Morpheus's ability to programmatically override hardware kill-switch indicators via Accessibility permissions is a significant blow to user privacy. It signals that software-based privacy controls are only as strong as the permissions granted to the most "helpful" apps on the phone.
Signal 02 — Biometric Spoofing as a Standard
The use of fake overlays to steal biometric authentication for "Linked Devices" is no longer a theoretical proof-of-concept. It is now a standard tool in the lawful-intercept toolkit, allowing spies to bypass end-to-end encryption by simply becoming a "legal" ghost participant in the conversation.
Signal 03 — The "Lawful Intercept" Shadow Market
The exposure of IPS Intelligence highlights the lack of oversight in the commercial surveillance market. When firms provide tools to "state clients" that are then found on the devices of activists, the line between crime-fighting and political suppression evaporates.
The exposure of IPS Intelligence provides a technical 'smoking gun' for the high-priority warnings recently issued by the NCSC regarding state-linked campaigns. While the NCSC focused on the intent, Morpheus reveals the exact mechanical workflow used to bypass E2EE platform defenses.