A newly uncovered spyware campaign is targeting Android users with a convincing trick: a fake “Android update” app that doesn’t just spy on the phone, but can also hijack WhatsApp access. What makes this operation especially alarming is that the infection chain depends on the victim’s mobile network provider actively cutting off mobile data first, creating the perfect pressure point to make the scam feel believable and urgent.
Security researchers have dubbed the spyware Morpheus. Unlike high-end surveillance tools that can compromise a device without a tap, Morpheus is considered a lower-cost spyware platform because it relies on social engineering. In other words, it doesn’t magically break in; it convinces people to open the door themselves.
How the Morpheus spyware infection works on Android
The setup begins with a sudden, unexplained loss of mobile data. According to investigators, this isn’t a random outage. The victim’s data connection is deliberately blocked by the telecom provider in coordination with the authorities running the spyware operation.
Once the target is effectively “offline,” an SMS arrives with instructions to fix the issue. The message urges the user to install an app to restore connectivity and “update” the device. That app is not a real Android system update tool—it’s the Morpheus spyware installer, delivered as an APK that must be installed manually from outside official app stores.
After the app is installed, Morpheus requests Android accessibility permissions. These are extremely powerful controls designed to help users who need assisted access, but in the wrong hands they can be abused to read screen content, observe what you’re doing, and interact with other apps.
To keep the victim calm and reinforce the illusion that everything is legitimate, the malware shows a fake system update screen and then prompts the user to reboot. After the phone restarts, the attack shifts to WhatsApp.
Morpheus then spoofs the WhatsApp interface and asks for biometric verification, claiming a routine account check is required. That single biometric approval doesn’t “verify” WhatsApp in the way the victim thinks. Instead, it authorizes the spyware to link an additional device to the user’s WhatsApp account—effectively granting the attackers access to messages and contacts.
Investigators also noted Italian-language code fragments and cultural references inside the malware, which align with patterns seen in other spyware campaigns tied to Italy.
Who is believed to be behind Morpheus
The researchers attribute Morpheus to IPS, an Italian company known for providing lawful interception and surveillance capabilities for law enforcement and intelligence clients. IPS reportedly has decades of experience in the sector, operates in multiple countries, and lists several Italian police forces among its customers.
Researchers believe the spyware was used against political activists, although no specific victims were publicly identified. The findings add to broader scrutiny surrounding commercial surveillance vendors, especially as more spyware cases surface across Europe. Investigators also referenced a separate recent WhatsApp-related spyware incident in which users were warned about installing a fake version of the app.
What Android users can do to stay protected
This spyware does not spread through the Google Play Store and it cannot silently install itself. The entire attack hinges on getting the target to manually install an APK and grant dangerous permissions.
To reduce your risk:
Be suspicious of any unexpected SMS claiming you must install an “Android update” app, especially if it arrives right after your mobile data suddenly stops working.
Never install APK files sent via text message or downloaded from unknown sources, even if the message claims it’s from your carrier.
Treat accessibility permission requests as a major red flag. Only grant accessibility access to trusted apps you intentionally installed from official sources.
If your mobile data suddenly dies and a message tells you to install something to restore service, contact your carrier through official support channels instead of following instructions in the text.
The larger takeaway is simple: real Android system updates don’t arrive as random APK links over SMS, and your carrier should never require you to install an app from a text message to restore basic connectivity.
