
Italian Spyware Firm Built a Fake WhatsApp to Spy on 200 People — and Governments Paid for It

A government spyware company built a convincing fake version of WhatsApp, tricked around 200 people into installing it, and used it to read their messages, access their cameras, and record their audio. WhatsApp caught them — but the story behind it is bigger than one bad app.

What Happened

On April 1, WhatsApp announced that it had identified approximately 200 users — mostly in Italy — who were deceived into installing a counterfeit iOS version of the app. The fake wasn’t a crude knockoff. It looked and functioned enough like WhatsApp to fool its targets.

Behind the operation was ASIGINT, a subsidiary of the Italian surveillance firm SIO Spa. According to its own website, SIO partners with “Law Enforcement Agencies, Government Organizations, Police and Intelligence Agencies.” The company has been in the surveillance business for over 30 years.

This wasn’t the first time SIO pulled this trick. In 2025, researchers documented a family of malicious Android apps called Spyrtacus — also built by SIO — that impersonated WhatsApp and mobile carrier support apps to extract messages, contacts, and call logs from targets’ phones.

How the Attack Worked

The fake WhatsApp app was not distributed through the Apple App Store. Instead, SIO used targeted social engineering — convincing specific individuals to download and install the app outside of official channels (a process called sideloading on iOS).

Once installed, the app gave its operators access to the target’s messages, contact list, audio recordings, and camera. WhatsApp stressed that its legitimate app was not compromised: “This was not a WhatsApp vulnerability — end-to-end encryption continues to protect communications” on official installations.

WhatsApp’s security team proactively detected the fake client, immediately logged out all affected users, and sent direct warnings urging them to uninstall the malicious app and reinstall the real one.

Italy’s Growing Spyware Problem

SIO is far from an outlier. Italy has quietly become one of Europe’s most active hubs for commercial surveillance technology. Companies including Cy4Gate, eSurv, GR Sistemi, Negg, Raxir, and RCS Lab all sell interception and monitoring tools, many of them to government clients.

Italy also maintains one of Europe’s most permissive legal frameworks for lawful interception. Prosecutors have broad surveillance authority, and oversight is fragmented across local judicial levels. Italian authorities have even used mobile carriers to distribute phishing links to targets on behalf of law enforcement.

This pattern keeps repeating. In early 2025, U.S.-Israeli firm Paragon Solutions was caught targeting Italian journalists and pro-immigration activists with its Graphite spyware — an operation that eventually forced Paragon to terminate its Italian intelligence contracts. Before that, it was NSO Group’s Pegasus. Before that, Hacking Team.

The commercial spyware industry treats government contracts as a legitimising force. The targets are often journalists, activists, and political dissidents — people who rely on encrypted messaging precisely because they face real threats.

What WhatsApp Is Doing About It

Meta announced it will send a formal legal demand ordering SIO to halt all such activity. This follows WhatsApp’s precedent of holding spyware vendors accountable through legal action — most notably its lawsuit against NSO Group, which resulted in a U.S. court ruling that NSO had violated federal hacking laws.

WhatsApp has also publicly named ASIGINT and SIO, a move designed to increase accountability in an industry that thrives on secrecy.

How to Protect Yourself

The attack relied entirely on social engineering — not on breaking encryption. That means your defences are straightforward:

Only install apps from official stores. Never sideload messaging apps, regardless of who sends you the link. If someone — even someone you trust — sends you a link to “install” or “update” WhatsApp, ignore it.

Verify app authenticity. Check that your messaging apps come from verified publishers in the App Store or Google Play. Look at the developer name, review count, and download numbers.

Use messaging apps with default encryption. WhatsApp, Signal, and Threema all encrypt messages by default. But encryption only protects you when you’re running the genuine app. A fake app can capture everything before encryption even enters the picture.

Watch for unusual behaviour. If your phone’s battery drains faster than normal, data usage spikes unexpectedly, or your messaging app asks you to “verify” by reinstalling, treat it as a red flag.

Keep software updated. This applies to both your messaging apps and your device operating system. Updates patch the vulnerabilities that spyware exploits.

Why This Matters

Encryption works. WhatsApp’s end-to-end encryption was never broken in this attack. The spyware company had to build an entirely separate app and trick people into installing it — because it couldn’t crack the real thing.

That’s an important point when governments argue that encryption is a barrier to law enforcement. The SIO operation shows that even with strong encryption in place, surveillance vendors find ways around it. Weakening encryption wouldn’t make targeted surveillance easier — it would just make mass surveillance of everyone else possible.

For anyone choosing privacy-respecting tools, the lesson is clear: the technology does its job, but you still need to verify that you’re actually using the real thing. Download from official sources, stay sceptical of unsolicited installation links, and pick services where encryption is the default — not an afterthought you have to hunt for.
