Daily brief 2026-06-01
Italy's low-cost commercial spyware economy: Accessibility-API abuse as the cheap alternative to zero-days
Entities: Italy's low-cost commercial spyware economy
Part of run 2026-06-01-7f55e064 (intel · Claude Opus 4.8)
Background. The commercial-spyware conversation in Europe has been dominated by high-tier zero-click vendors — NSO Group's Pegasus and, in Italy specifically, Paragon Solutions' Graphite, whose contract with Italian intelligence agencies was terminated after public disclosure earlier in the Paragon scandal. European Digital Rights (EDRi) and the Italian NGO Osservatorio Nessuno have now documented the layer beneath that headline market: a domestic, low-cost Android-trojan industry that achieves persistent surveillance without any exploit at all (EDRi, 2026-05-28). The technical analyses of the two named tools — Morpheus and Spyrtacus — were published by Osservatorio Nessuno in April 2026 and resurfaced in late-May 2026 regional reporting; this deep dive is built on those primary investigations.
The two tools and who builds them. Morpheus (version 2025.3.0 analysed) is linked to IPS Intelligence (IPS Public Security S.p.A.) (Osservatorio Nessuno — Morpheus, 2026-04-23); Spyrtacus is actively developed by SIO S.p.A. and, per Osservatorio Nessuno's separate analysis, relies on DexGuard obfuscation and an InMemoryDexClassLoader loading stage rather than Morpheus's Accessibility-driven approach (Osservatorio Nessuno — Spyrtacus, 2026-04-09). Both are Android implants delivered by social engineering — fake carrier-update SMS or impersonated apps requiring only a user-initiated install — rather than by a zero-day, which is precisely why they are cheap and why they evade the assumption that "no exploit, no compromise."
Mechanics — privilege without a vulnerability. The infection chain is an abuse chain, not an exploit chain. Morpheus uses a two-stage model that leans on three legitimate Android subsystems: the Accessibility Services API, overlay permissions (SYSTEM_ALERT_WINDOW), and Android Debug Bridge (ADB). Once a user grants Accessibility — the single consent the whole chain hinges on — the implant programmatically self-grants further dangerous permissions and drives the UI, an elevation-by-design pattern mapped to T1626 Abuse Elevation Control Mechanism and T1516 Input Injection. Concretely, Morpheus spoofs a biometric-prompt overlay on top of WhatsApp's account-linking screen to pair an attacker device (capturing the linked session), records audio and video, and — notably for hunt teams — disables the camera and microphone privacy indicators by issuing device_config settings via ADB, and actively terminates installed mobile-AV products (Bitdefender, Sophos, Avast, AVG, Malwarebytes) to protect itself (Osservatorio Nessuno — Morpheus, 2026-04-23). The AV-killing and indicator-suppression are the behaviours most amenable to detection, because they are loud relative to the otherwise-quiet permission abuse.
Scale and the oversight gap — why this is a public-sector story. EDRi reports that Italian prosecutors authorised roughly 5,200 trojan-based interceptions in 2024 alone — a volume far exceeding any other EU member state — at a per-day cost of a few euros, with no centralised oversight: authorisation is local to individual judges, and targets cannot determine which vendor's tool was used or whether authorisation was proper, while EU internal-market rules let these vendors operate across member states with little friction (EDRi, 2026-05-28). EDRi calls for an EU-wide ban on the commercial-spyware trade backed by binding transparency obligations (EDRi, 2026-05-28). For a Swiss/EU public-sector SOC the relevance is twofold: officials, journalists and civil-society contacts are within the documented target class, and the delivery method works against any managed Android fleet because side-loaded APKs (delivered via carrier cooperation or direct messaging) bypass the Play-Store-sourcing assumption that Play Protect enforces.
Detection and hardening for managed Android fleets (no IOCs). The defensible controls are MDM- and MTD-centric, anchored on the consent the implant cannot avoid asking for:
- Alert on any Accessibility Service grant to an APK not on the approved-app list and quarantine the device — this is the chokepoint of the whole chain.
- Treat termination of a registered Mobile Threat Defence / mobile-AV agent within ~30 s of a new APK install as a high-confidence indicator (Morpheus's AV-killing).
- Alert on SYSTEM_ALERT_WINDOW overlay activity from a non-Play-sourced APK, especially overlays on messaging apps (the WhatsApp biometric-prompt spoof).
- Disable ADB over network (adb tcpip) via MDM policy, and enforce Android Enterprise Fully Managed Device mode so users cannot side-load APKs at all; keep Play Protect enabled and non-killable (Google's March 2026 Play Protect update restricts Accessibility abuse for side-loaded apps).
- On the regulatory side, Swiss agencies procuring interception tooling should note the Swiss FADP/Datenschutzgesetz and Informationssicherheitsgesetz exposure the Italian oversight failure illustrates.
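As an added illustration of the four fleet-level controls above (not code from EDRi, Osservatorio Nessuno or any MDM vendor), the following Python replays a constructed MDM/MTD event export and raises a finding at each chokepoint: an Accessibility grant to a package outside the allow-list, a Mobile Threat Defence agent killed within the ~30 s window after an APK install, an overlay drawn by a non-Play APK over a messaging app, and ADB over network being enabled. Event field names, package names and the allow-lists are assumptions for the example.

```python
from collections import defaultdict

# Constructed allow-lists; the package names are assumptions, not taken from the analyses.
APPROVED_ACCESSIBILITY = {"com.example.mdm.agent"}
MTD_AGENTS = {"com.bitdefender.security", "com.sophos.smsec"}
MESSAGING_APPS = {"com.whatsapp"}
AV_KILL_WINDOW_S = 30  # correlation window from the hardening list above

def triage(events):
    """Replay events in time order; return (device, severity, reason) findings
    for the four chokepoints: Accessibility grant, MTD kill, overlay, ADB-over-network."""
    findings = []
    installs = defaultdict(list)  # device -> [(ts, pkg, source)] seen so far
    for e in sorted(events, key=lambda e: e["ts"]):
        dev, kind = e["device"], e["event"]
        if kind == "apk_install":
            installs[dev].append((e["ts"], e["pkg"], e["source"]))
        elif kind == "accessibility_grant" and e["pkg"] not in APPROVED_ACCESSIBILITY:
            findings.append((dev, "high", f"Accessibility granted to unapproved {e['pkg']}"))
        elif kind == "process_killed" and e["pkg"] in MTD_AGENTS:
            # Only an MTD kill shortly after a fresh install is treated as high confidence.
            recent = [(ts, p) for ts, p, _ in installs[dev] if 0 <= e["ts"] - ts <= AV_KILL_WINDOW_S]
            if recent:
                ts, p = recent[-1]
                findings.append((dev, "high", f"{e['pkg']} killed {e['ts'] - ts}s after install of {p}"))
        elif kind == "overlay_shown":
            # Packages with no Play install record (side-loaded or unknown origin) are flagged.
            sources = {p: src for _, p, src in installs[dev]}
            if sources.get(e["pkg"], "unknown") != "play":
                sev = "high" if e.get("target") in MESSAGING_APPS else "medium"
                findings.append((dev, sev, f"Overlay by non-Play {e['pkg']} over {e.get('target')}"))
        elif kind == "adb_network_enabled":
            findings.append((dev, "medium", "ADB over network enabled; MDM policy should forbid it"))
    return findings

SAMPLE_EVENTS = [  # constructed telemetry for two devices; no real indicators
    {"ts": 1000, "device": "dev-A", "event": "apk_install", "pkg": "com.example.carrier.update", "source": "sideload"},
    {"ts": 1012, "device": "dev-A", "event": "accessibility_grant", "pkg": "com.example.carrier.update"},
    {"ts": 1020, "device": "dev-A", "event": "process_killed", "pkg": "com.bitdefender.security"},
    {"ts": 1100, "device": "dev-A", "event": "overlay_shown", "pkg": "com.example.carrier.update", "target": "com.whatsapp"},
    {"ts": 2000, "device": "dev-B", "event": "apk_install", "pkg": "com.example.mdm.agent", "source": "play"},
    {"ts": 2005, "device": "dev-B", "event": "accessibility_grant", "pkg": "com.example.mdm.agent"},
    {"ts": 2100, "device": "dev-B", "event": "process_killed", "pkg": "com.bitdefender.security"},  # 100 s later: benign
    {"ts": 2200, "device": "dev-B", "event": "adb_network_enabled"},
]

if __name__ == "__main__":
    for dev, sev, reason in triage(SAMPLE_EVENTS):
        print(f"{dev} [{sev}] {reason}")
```

Device dev-A produces three high-severity findings covering the full Morpheus-style chain, while dev-B's approved agent and late MTD restart produce nothing except the ADB-over-network policy deviation.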
The strategic point for defenders: the cheap end of the commercial-spyware market has industrialised permission abuse as a substitute for exploit development, which moves the detection burden off "patch the zero-day" and onto "govern Accessibility/overlay/ADB consent on the fleet" — a control surface most Android MDM deployments do not yet alert on.