Malware | Apr 2, 2026

WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action

WhatsApp alerts 200 users after fake iOS app infected with spyware; Italian firm Asigint faces action.

Summary

Meta's WhatsApp warned approximately 200 users, primarily in Italy, who were deceived into installing a counterfeit iOS app containing spyware. The threat actors employed social engineering to distribute the malicious app, and WhatsApp has taken action against Asigint, an Italian subsidiary of spyware vendor SIO, for creating the fraudulent version. All affected users were logged out and advised to uninstall the malware and download the official app.

Full text

Ravie Lakshmanan | Apr 02, 2026 | Surveillance / Mobile Security

Meta-owned messaging platform WhatsApp said it alerted about 200 users who were tricked into installing a bogus version of its iOS app that was infected with spyware.

According to reports from Italian newspaper La Repubblica and news agency ANSA, the vast majority of the targets are located in Italy. It's assessed that the threat actors behind the activity used social engineering tactics to get users to install malicious software that mimicked WhatsApp.

All the affected users have been logged out and have been recommended to uninstall the malware-laced apps and download the official WhatsApp app. WhatsApp did not reveal who was targeted in these attacks.

The tech giant said it's also taking action against Asigint, an Italian subsidiary of spyware company SIO, for allegedly creating a counterfeit version of WhatsApp. On its website, the company advertises solutions to law enforcement agencies, government organizations, and police and intelligence agencies for monitoring suspect activities, gathering intelligence, or conducting covert operations.

In December 2025, TechCrunch reported that SIO was behind a set of malicious Android apps that masqueraded as WhatsApp and other popular apps but stole private data from a target's device using a spyware family called Spyrtacus. The apps are believed to have been used by a government customer to target unknown victims in Italy.

SIO is one of the many Italian companies selling surveillance tools, including Cy4Gate, eSurv, GR Sistemi, Negg, Raxir, and RCS Lab, turning the country into a "spyware hub."

Early last year, WhatsApp alerted around 90 users that they were targeted with Paragon Solutions' spyware known as Graphite. Then, in August 2025, it notified less than 200 users who may have been targeted as part of a sophisticated campaign by chaining together zero-day vulnerabilities in iOS and the messaging app.

The development comes a little over a month after a Greek court sentenced Tal Dilian, the founder of the Intellexa Consortium, and three associates, Sara Hamou, Felix Bitzios, and Yiannis Lavranos, to prison for their role in the illegal use of the vendor's Predator spyware to target politicians, business leaders, and journalists in the country.

The 2022 surveillance scandal, dubbed Predatorgate or Greek Watergate, prompted the European Parliament to launch a formal inquiry into the use of such tools. However, a new law passed that year has since legalized government use under strict conditions. In July 2024, the Greek Supreme Court cleared the state intelligence service and government officials of wrongdoing.

"Questions remain about the role of the Greek government, which has consistently denied purchasing or using Predator," Amnesty International said. "Transparency is a crucial part of accountability – as is remedy for the many victims of the human rights violations brought about by the unlawful use of this technology."

In a statement shared with Reuters late last month, Dilian said he intends to appeal the decision, adding, "I believe a conviction without evidence is not justice, it could be part of a cover-up and even a crime."

Italy and Greece are far from the only European countries to be caught in the spyware technology's crosshairs. Back in January 2026, Spain's High Court closed its probe into the use of NSO Group's Pegasus to spy on Spanish politicians, citing a lack of cooperation from Israeli authorities. The case dates to May 2022, when the Spanish government disclosed that the Israeli company's spyware had been used to eavesdrop on devices belonging to Prime Minister Pedro Sánchez and Defence Minister Margarita Robles.
Companies like Intellexa and NSO Group have consistently maintained that their surveillance technology has only been licensed to governments to fight serious crimes and bolster national security. NSO Group's Executive Chairman David Friedman said the "world is a far safer place" when the company's tools "are in the right hands within the right countries."

Indicators of Compromise

  • malware — Spyrtacus
  • malware — Graphite
  • malware — Predator
  • malware — Pegasus

Entities

  • Meta (vendor)
  • WhatsApp (product)
  • Asigint (threat_actor)
  • SIO (vendor)
  • Intellexa (vendor)
  • NSO Group (vendor)