Morpheus discovered, the Italian commercial spyware that spies on and attacks Android devices: how to defend yourself

Morpheus is spyware, i.e. spy software, identified by Osservatorio Nobody, an Italian non-profit organization active in the field of digital rights. Morpheus is designed to infect Android devices and, according to the technical analysis conducted by the researchers, can be traced back to the Italian company IPS SpA, active for over thirty years in the lawful interception sector (which has not yet issued any statement on the matter). Morpheus is therefore not malware created by common cyber criminals: it is a professional surveillance tool (albeit a low-cost one), designed to be sold to government agencies and law enforcement, which raises significant ethical and legal questions.

What makes it particularly interesting (and worrying from a cybersecurity perspective) is the relative ease with which it penetrates systems. Morpheus does not exploit hidden vulnerabilities in the operating system; it relies on psychological manipulation of the user, so-called social engineering, inducing them to install the malicious program themselves. Once active, it gains advanced administrative privileges, bypasses WhatsApp's biometric authentication, and operates invisibly in the background of the device.

How does Morpheus infect Android devices

The initial attack vector is an SMS apparently sent by the telephone operator, reporting a supposed problem with the mobile network or SIM card. The message redirects to a spoofed web portal, which graphically mimics official support channels, where the user is prompted to download an application to resolve the issue. This first app acts as a dropper: a program that does no direct damage itself but serves to install the real malicious agent on the device.

Once started, the app downloads and installs the actual spyware, disguising it behind icons that resemble those of system settings or security services. From this moment the spyware abuses Android's accessibility services, the family of functions designed to help users with disabilities interact with the device, to read the contents displayed on the screen and interact with other apps without the user noticing. It also manages to disable antivirus apps and the visual indicators that normally signal that the microphone and camera are in use.

One of the most insidious aspects concerns the use of overlays, i.e. graphical interfaces superimposed on legitimate apps: restart screens or progress bars that appear to belong to the operating system but in fact do not. The spyware draws them to disguise its own actions.

To spy on WhatsApp chats, for example, Morpheus starts the procedure for linking a new device in the background. When the app requests fingerprint verification, the spyware displays a fake system message: the user believes they are authorizing an update, but in reality they are giving Morpheus full access to their private conversations. You can see an example of how this happens by watching the following GIF.

Credit: Osservatorio Nobody.

How to defend yourself from Italian commercial spyware

Having seen how insidious Morpheus is, let's look at what to do to defend ourselves from spyware. There are two fundamental rules to always keep in mind. The first concerns the installation of apps: never agree to download apps of dubious reliability. If you suspect that you have already fallen victim to spyware like Morpheus, try to think clearly and follow the guidance of the Osservatorio Nobody researchers themselves:

Try to remember whether anything unusual happened: an unexpected message, a phone call or a service interruption. Has someone asked you to install software, click on a link or share your credentials? Have any of your contacts received a notification from Signal or WhatsApp about a device change?

Once you have established these facts, it may be useful to check the devices linked to your WhatsApp account (under Settings/You > Linked devices) and to your Google account (under Security and access > Your devices). This way you can identify suspicious sessions and log them out.

Another factor to keep an eye on, according to the same security researchers, is abnormal battery consumption: a sudden drop in battery life, when the phone is not being used heavily and the battery is not already worn out, can indicate unauthorized activity running in the background.
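As an added example (not from the article or from the Osservatorio Nobody analysis), the following POSIX shell script audits the two Android capabilities the article says Morpheus abuses, enabled accessibility services and the permission to draw over other apps, so that an app holding them which the owner never knowingly granted stands out. The sample command outputs, the package name com.example.simfix and the allowlist are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Osservatorio Nobody analysis: audit the two
# Android capabilities the article says Morpheus abuses, accessibility services
# and screen overlays. On a real device the inputs come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell appops get <package> SYSTEM_ALERT_WINDOW
# Constructed sample strings stand in for both commands' output below.

# Constructed: a legitimate screen reader plus a hypothetical dropper-installed
# service, in the colon-separated "package/ServiceClass" form Android stores.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.simfix/com.example.simfix.HelperService'
# Constructed: appops output for the hypothetical package.
SAMPLE_APPOPS='SYSTEM_ALERT_WINDOW: allow; time=+2h11m30s ago'
# Packages the owner knowingly granted accessibility (space-separated).
TRUSTED='com.google.android.marvin.talkback'

# a11y_packages LIST -> package names with an enabled accessibility service.
# "null" is what settings get prints when nothing is enabled.
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | grep . | grep -v '^null$' | sort -u
}

# untrusted_a11y LIST ALLOWLIST -> those packages not on the allowlist.
untrusted_a11y() {
    a11y_packages "$1" | while IFS= read -r pkg; do
        case " $2 " in
            *" $pkg "*) ;;             # expected, e.g. a screen reader
            *) printf '%s\n' "$pkg" ;; # unknown: review it
        esac
    done
}

# overlay_allowed APPOPS_OUTPUT -> true when the package may draw over other
# apps, the permission behind fake "system" restart screens and progress bars.
overlay_allowed() {
    printf '%s\n' "$1" | grep -q '^SYSTEM_ALERT_WINDOW: allow'
}

# report -> one line per unknown package; on a device, replace SAMPLE_APPOPS
# with the output of: adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW
report() {
    untrusted_a11y "$SAMPLE_A11Y" "$TRUSTED" | while IFS= read -r pkg; do
        if overlay_allowed "$SAMPLE_APPOPS"; then
            printf 'REVIEW %s: accessibility enabled AND overlay allowed\n' "$pkg"
        else
            printf 'REVIEW %s: accessibility enabled\n' "$pkg"
        fi
    done
}
```

An app that both reads the screen through accessibility and can draw overlays, and that you do not recognise, matches the pattern described above and is worth removing or investigating further.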