When a fake download spies on you: the WhatsApp case and the corporate surveillance boom


WhatsApp has detected a campaign in which about 200 users were tricked into installing on their iPhones a fake version of the app that was infected with spyware. Most of the people affected, according to press reports, were in Italy, and the technique used by the attackers was essentially social engineering: convincing the victim to install software that impersonated the legitimate application.

The company says that all identified users have been logged out of their accounts and advised to remove the malicious application and reinstall the official version of WhatsApp. Meta has also announced measures against Asigint, an Italian subsidiary of the company SIO, to which it attributed the creation of this fraudulent copy. In its own commercial material, Asigint, like other firms in the industry, offers surveillance tools to police, intelligence agencies and governments for tasks ranging from monitoring suspects to undercover operations.


This episode is not isolated. In December 2025 a technical report pointed to SIO as responsible for a set of Android applications that impersonated popular services and used a spyware family named Spyrtacus to extract private data from devices. These packages were reportedly deployed by a government client against targets in Italy. The phenomenon fits into a broader picture: in recent years several commercial suppliers of surveillance tools have emerged in Italy (names such as Cy4Gate, eSurv, GR Sistemi, Negg, Raxir and RCS Lab have appeared repeatedly in the research), to the extent that some analysts describe the country as a European hub for these technologies.

WhatsApp had previously alerted users about spyware campaigns. In early 2025 it warned about 90 users that they could be targets of Graphite, the spyware attributed to Paragon Solutions. Later, in August of that same year, it notified hundreds of other users that they might have been victims of a sophisticated operation that chained previously unknown vulnerabilities (zero-days) in iOS and in the app itself.

The circulation and use of these tools have also ended up in the courts. In Greece, the founder of the Intellexa consortium, Tal Dilian, and three collaborators were convicted of the illegal use of the Predator spyware to monitor politicians, journalists and entrepreneurs, in a scandal known as "Predatorgate" or "Greek Watergate." This case led the European Parliament to open an investigation into the use of such technologies, although subsequent investigations and judicial decisions have been complex and contradictory: a law passed in Greece regulated and, under strict conditions, legalized the use of certain tools by the Government; months later, the Greek Supreme Court acquitted state intelligence and officials involved in some proceedings. Human rights organizations have stressed the need for transparency and redress for victims.

In Spain, meanwhile, the investigation into the use of the Pegasus spyware, developed by NSO Group, was closed by the courts in January 2026 due to the lack of cooperation from the Israeli authorities, in a case dating back to 2022 that involved devices belonging to the Prime Minister himself and the Minister of Defence. The pattern is repeated in several countries: companies such as NSO or Intellexa argue that their products are supplied only to states to fight serious crime and protect national security, while critics and victims report abuse, lack of oversight and damage to fundamental rights.

What can a user do to reduce risk? First of all, always download applications from the official stores or from the developer's own verified channels, and distrust links or instructions to install applications from outside the official ecosystem. Keeping iOS up to date is another important barrier, because many exploits rely on flaws that patches fix. WhatsApp and other platforms also recommend enabling two-step verification for the account, reviewing device management profiles (such as MDM profiles) and, if an infection is suspected, doing a complete cleanup of the device or consulting a reliable technical service.


The public debate around these technologies raises questions about the boundary between security and rights. While some governments appeal to the need for powerful tools to combat crime and terrorism, the practical consequences of their misuse (improper monitoring of journalists, activists or political opponents) have led to investigations and lawsuits in several countries, as well as demands for greater transparency and oversight. To better understand this area, it is necessary to consult both the official statements of the companies involved and the reports of investigative journalists and human rights organizations.

If you want to dig deeper, you can read the notes and coverage of the media and organizations that have followed these cases: the general press coverage in La Repubblica and the agency ANSA, the WhatsApp information space, technology reporting in TechCrunch, and analysis and calls for transparency on pages such as Amnesty International or institutions such as the European Parliament. For international coverage and judicial follow-up, Reuters or newspapers with rigorous monitoring are also valuable resources.

In short, recent incidents are a reminder that the threat is not only technical but also human: social engineering remains the most effective gateway for malicious actors. Defense depends on information, good practices and, above all, transparency and oversight over who produces and sells these intrusion tools.
