An application that promises to solve mobile internet connection problems hides a greater risk. Installation leads to software capable of monitoring practically everything that happens on the cell phone.
Researchers from the Italian organization Osservatorio Nessuno identified the malware, called Morpheus. The program presents itself as a system update or network configuration tool and can access the screen, messages, audio and video, and can even link extra devices to WhatsApp without the owner noticing immediately. The case gained attention this week after the release of the detailed report.
How the attack begins with service interruption
Telephone operators participate in the first stage in some recorded cases. They cut off the target's mobile internet access. Shortly afterwards, an SMS message arrives with a link to a website that simulates assistance from the operator, such as Fastweb in Italy. The user, without a connection, tends to follow the guidance and install the suggested application.
The initial app, called the dropper, has the package name com.android.cored. It is only used to install the second stage, the main agent, with package com.android.core and version 2025.3.0. The whole process exploits user trust in system updates.
- The dropper checks if the agent is already installed
- Copies the agent APK file from its internal resources
- Requests permission to install external apps
- Performs the automatic installation of the full malware
This approach avoids complex exploits and relies on social engineering, which researchers classify as low-cost spyware.
Morpheus features go beyond the basics
After installation, the agent activates Android accessibility services. This tool, created to help people with disabilities, allows it to read the screen, simulate touches and interact with other applications. Morpheus poses as a legitimate accessibility tool to obtain these permissions.
The software also asks for device administrator permission and enables wireless debugging via ADB. With this, it executes shell commands to silently grant all dangerous permissions. It disables camera and microphone indicators, prevents antivirus software from working properly, and adjusts battery settings to remain active in the background.
Main capabilities confirmed in the report:
- Real-time screen capture
- Audio and video recording
- Reading of notifications and app content
- Linking of an extra device on WhatsApp with biometric spoofing
- Disabling of system privacy icons
- Execution of ADB commands for privilege escalation
- Persistence after phone restart
- Support for multiple Android models and languages
During the process, the malware shows fake update and reboot screens. While the user sees simulated progress, the app performs actions in the background, including opening WhatsApp to add a device controlled by the attacker.
Link to Italian lawful interception company
The Morpheus infrastructure points to IPS Intelligence, an Italian company with more than 30 years of experience in lawful interception technologies for police forces and government agencies. The company operates in more than 20 countries and lists clients such as public security agencies in Italy.
The malware's code contains expressions in Italian, including cultural references typical of other similar developments in the country. The researchers linked IP addresses and components to domains associated with IPS and related companies such as Rever Servicenet and Iris Telecomunicazioni.
Unlike more sophisticated spyware that uses zero-click flaws, Morpheus requires user action. This feature reduces development cost but maintains effectiveness against specific targets, especially in targeted surveillance contexts.
Protection measures against this type of threat
Experts recommend caution with links received via SMS that ask for an app to be installed. Official Android and application updates must always come from the Google Play Store or from the system settings themselves.
Users can check accessibility and device administrator permissions in the Android settings. Apps that require broad screen access or run in the background deserve extra attention. Keeping the system updated helps limit some privilege escalation techniques.
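One way to script these checks from a computer, as an added example that is not from the report or its authors: it parses the output of three adb commands and flags the package names given on this page, enabled accessibility services and wireless debugging. The sample outputs, the service class names and the com.android. namespace heuristic are assumptions made for illustration.

```python
# Package names reported on this page for the dropper and the main agent.
MORPHEUS_PACKAGES = {"com.android.cored", "com.android.core"}

# Constructed sample outputs (not taken from the report) of:
#   adb shell pm list packages -3
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get global adb_wifi_enabled
SAMPLE_PM = "package:org.example.notes\npackage:com.android.core\n"
SAMPLE_A11Y = "com.android.core/.ExampleService:org.example.reader/.ReaderService\n"
SAMPLE_ADB_WIFI = "1\n"

def third_party_packages(pm_output):
    """Parse `pm list packages -3`: one "package:<name>" per line."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def accessibility_packages(setting_value):
    """Parse the colon-separated "pkg/class" list of enabled services."""
    value = setting_value.strip()
    if value in ("", "null"):  # nothing enabled
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def triage(pm_output, a11y_value, adb_wifi_value):
    """Return (severity, message) findings from the captured outputs."""
    findings = []
    installed = third_party_packages(pm_output)
    a11y = accessibility_packages(a11y_value)
    for pkg in sorted(installed | a11y):
        if pkg in MORPHEUS_PACKAGES:
            findings.append(("high", f"{pkg}: package name reported for Morpheus"))
        elif pkg in installed and pkg.startswith("com.android."):
            # Heuristic (assumption): user-installed apps rarely use this namespace.
            findings.append(("medium", f"{pkg}: user-installed app with system-style name"))
        if pkg in a11y:
            findings.append(("review", f"{pkg}: accessibility service enabled"))
    if adb_wifi_value.strip() == "1":
        findings.append(("review", "wireless debugging is enabled"))
    return findings

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_ADB_WIFI):
        print(f"[{severity}] {message}")
```

A "review" finding is not a verdict: legitimate assistive apps also enable accessibility services, so each entry should be matched against apps the owner knowingly installed.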
The case reinforces discussions about the use of surveillance tools by governments and the need for transparency from telephone operators when they interrupt services in a targeted manner.
Technical details of the main agent
The Morpheus CoreService manages accessibility actions in sequential workflows. One of them takes care of granting permissions, another opens WhatsApp and simulates biometrics. The SYSTEM_ALERT_WINDOW overlay allows it to draw fake interfaces on top of any app, including temporarily blocking screen touches during the process.
The ADB commands include pm grant for permissions, DeviceConfig tweaks to hide sensor indicators, and blocking of known antivirus packages. The commands.txt script organizes these steps into distinct phases, adapting to manufacturers such as Samsung, Xiaomi and Oppo.
The analyzed version supports multiple ROMs and models, which indicates an effort to work on a wide variety of Android devices on the market.

