
Spyrtacus WhatsApp Clone: Italian Spyware Vendor Weaponized a Fake App to Surveil 200 Targets

Meta warned 200 users that a counterfeit WhatsApp app built by Italian surveillance firm Asigint had been silently harvesting their data. Here's what Saudi CISOs need to know about mobile spyware threats targeting financial institutions.

FyntraLink Team

Meta has confirmed that roughly 200 individuals—most of them in Italy—were tricked into installing a counterfeit WhatsApp iOS application laced with commercial spyware known as Spyrtacus. The fake client, built by Asigint, a subsidiary of Italian surveillance firm SIO Spa, perfectly replicated the look and feel of the legitimate messenger before silently siphoning messages, call logs, GPS coordinates, and device credentials back to operator-controlled infrastructure.

How the Spyrtacus Campaign Worked

Unlike commodity malware distributed through mass phishing, Spyrtacus followed a targeted delivery model. Operators selected specific individuals—reportedly journalists, activists, and professionals—then used social-engineering pretexts to convince each target to sideload a modified WhatsApp IPA outside the Apple App Store. Once installed, the clone functioned identically to the real app: contacts synced, messages rendered, and notifications fired normally. Beneath the surface, however, Spyrtacus hooked into iOS accessibility and background-refresh APIs to exfiltrate encrypted chat content, record ambient audio, capture screenshots, and harvest stored credentials. The binary communicated with command-and-control nodes over TLS-pinned channels, making network-level detection difficult without endpoint telemetry.

Asigint and the Commercial Surveillance Market

Asigint operates under SIO Spa, a Cantù-based firm that has sold interception and lawful-surveillance technology to government agencies across Europe for over a decade. The Spyrtacus toolset has previously appeared in Android variants distributed through fake carrier update pages. What makes this campaign notable is the iOS pivot: Apple's tighter app-distribution controls are often assumed to block sideloaded threats, yet targeted social engineering bypasses those controls entirely when an operator can convince a victim to trust a provisioning profile or an enterprise-signed certificate. Meta's investigation revealed that Asigint's infrastructure reused TLS certificates across campaigns, which allowed researchers to cluster historical Spyrtacus deployments and map the full scope of the operation.

Why This Matters for Saudi Financial Institutions

Saudi banks, fintechs, and insurance companies operate under SAMA's Cyber Security Common Controls (CSCC), which mandate strict endpoint protection and data-leakage prevention across all devices that access core banking systems—including personal smartphones used under Bring-Your-Own-Device policies. A Spyrtacus-style implant on a CISO's or compliance officer's phone could expose board-level communications, unreleased regulatory filings, merger discussions, or customer PII protected under the Personal Data Protection Law (PDPL). The NCA's Essential Cybersecurity Controls (ECC) further require organizations to maintain an inventory of authorized applications and enforce mobile-device management (MDM) policies that prevent sideloading. Any institution that permits unmanaged devices to access email, Microsoft Teams, or internal portals without MDM enrollment is vulnerable to exactly this class of attack.

Detection Indicators and Forensic Artifacts

Security teams should hunt for the following indicators across their mobile fleet:

  1. Check for non-App-Store WhatsApp installations by querying MDM for bundle identifiers that deviate from net.whatsapp.WhatsApp.
  2. Review provisioning profiles on enrolled iOS devices—any enterprise or ad-hoc profile signed by an unrecognized certificate authority warrants immediate investigation.
  3. Monitor DNS and proxy logs for connections to domains associated with known Spyrtacus C2 infrastructure; Citizen Lab and Meta's threat-intelligence team have published IOC feeds covering these domains.
  4. Look for anomalous background-data consumption from messaging apps, which may indicate ambient recording or bulk exfiltration.
  5. On Android devices, inspect APK signatures and verify that WhatsApp's signing certificate matches Meta's official key fingerprint.
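To turn these hunts into something a SOC can actually run, here is an added Python example (not code from the article, Meta or Citizen Lab) that applies each check to constructed MDM inventory records, DNS log lines, APK signing data and background-data samples embedded in the script. The iOS bundle identifier and Android package name come from the text; the IOC domains, provisioning-profile signer names, device IDs and the APK certificate fingerprint are placeholders, and the one-line DNS log format is an assumption about your own logging pipeline.

```python
"""Mobile-fleet hunt for Spyrtacus-style indicators.

Added example, not from the article or any vendor feed. Every domain,
fingerprint, signer name and device id below is a constructed placeholder.
"""
import re
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

OFFICIAL_IOS_BUNDLE = "net.whatsapp.WhatsApp"   # from the article
OFFICIAL_ANDROID_PACKAGE = "com.whatsapp"        # WhatsApp's Play Store package name

# Assumption: your organisation's own enterprise signing identity (placeholder).
TRUSTED_PROFILE_SIGNERS: Set[str] = {"iPhone Distribution: Example Bank Ltd (PLACEHOLDER)"}

# Placeholder for Meta's real APK signing-certificate SHA-256; obtain the real
# value from a verified Play Store install and keep it in config, not in code.
OFFICIAL_WHATSAPP_APK_SHA256 = "PLACEHOLDER-OFFICIAL-FINGERPRINT"

# Placeholder IOC domains standing in for a Citizen Lab / Meta feed.
C2_IOC_DOMAINS: Set[str] = {"c2-placeholder-1.example", "c2-placeholder-2.example"}


@dataclass
class IosAppRecord:
    device_id: str
    bundle_id: str                   # as reported by MDM
    display_name: str                # app name the user sees
    profile_signer: Optional[str]    # provisioning-profile signer; None = App Store install


def hunt_ios_inventory(records: List[IosAppRecord]) -> List[Tuple[str, str, str]]:
    """Flag WhatsApp look-alikes (wrong bundle id) and unrecognised provisioning profiles."""
    findings = []
    for r in records:
        if r.display_name.lower() == "whatsapp" and r.bundle_id != OFFICIAL_IOS_BUNDLE:
            findings.append((r.device_id, "bundle-id-mismatch", r.bundle_id))
        if r.profile_signer is not None and r.profile_signer not in TRUSTED_PROFILE_SIGNERS:
            findings.append((r.device_id, "untrusted-provisioning-profile", r.profile_signer))
    return findings


# Assumed log shape: "<timestamp> <device-id> <qtype> <qname>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def domain_matches_ioc(qname: str, iocs: Set[str]) -> bool:
    """True if qname equals an IOC domain or is a subdomain of one."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def hunt_dns_logs(lines: List[str], iocs: Set[str] = C2_IOC_DOMAINS) -> List[Tuple[str, str]]:
    """Return (device, qname) for every query that resolves a known C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and domain_matches_ioc(m["qname"], iocs):
            hits.append((m["device"], m["qname"]))
    return hits


def apk_signature_ok(package: str, cert_sha256: str,
                     expected: str = OFFICIAL_WHATSAPP_APK_SHA256) -> bool:
    """Compare an installed APK's signer fingerprint (colon-separated or not) to the expected one."""
    norm = lambda s: s.replace(":", "").strip().lower()
    return package == OFFICIAL_ANDROID_PACKAGE and norm(cert_sha256) == norm(expected)


def background_data_outliers(samples: Dict[str, float], factor: float = 5.0) -> List[str]:
    """Devices whose messaging-app background traffic exceeds factor x the fleet median."""
    if len(samples) < 3:
        return []   # too few devices for a meaningful baseline
    median = statistics.median(samples.values())
    return sorted(d for d, mb in samples.items() if median > 0 and mb > factor * median)


# ---- constructed sample input ---------------------------------------------
SAMPLE_IOS = [
    IosAppRecord("ios-001", "net.whatsapp.WhatsApp", "WhatsApp", None),
    IosAppRecord("ios-002", "com.examplebank.mobile", "BankApp",
                 "iPhone Distribution: Example Bank Ltd (PLACEHOLDER)"),
    IosAppRecord("ios-003", "com.wa.clone", "WhatsApp",
                 "iPhone Distribution: Unknown Org (PLACEHOLDER)"),
]
SAMPLE_DNS = [
    "2025-01-10T08:12:03Z ios-003 A c2-placeholder-1.example",
    "2025-01-10T08:12:05Z ios-001 A updates.example.com",
    "2025-01-10T08:12:09Z ios-003 AAAA beacon.c2-placeholder-2.example",
    "malformed line that should be skipped",
]
SAMPLE_BACKGROUND_MB = {"ios-001": 12.0, "ios-002": 9.5, "ios-004": 15.0, "ios-003": 310.0}

if __name__ == "__main__":
    print("iOS inventory findings:", hunt_ios_inventory(SAMPLE_IOS))
    print("DNS IOC hits:", hunt_dns_logs(SAMPLE_DNS))
    print("APK signer ok:", apk_signature_ok("com.whatsapp", "placeholder-official-fingerprint"))
    print("Background-data outliers:", background_data_outliers(SAMPLE_BACKGROUND_MB))
```

The subdomain-aware matcher matters because C2 beacons frequently use per-victim or per-campaign host labels under one IOC domain; an exact-string comparison would miss them. The background-data check deliberately compares against the fleet median rather than a fixed threshold, so it adapts to how heavily your own users rely on messaging apps.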

Recommendations for CISOs and Security Teams

  1. Enforce MDM-only access: Require all devices that touch corporate resources—email, VPN, cloud storage—to be enrolled in an MDM solution such as Microsoft Intune, VMware Workspace ONE, or Jamf Pro. Block access from unmanaged devices at the conditional-access layer.
  2. Prohibit sideloading: Configure MDM policies to prevent installation of apps from outside the App Store and Google Play. On iOS, restrict the ability to trust enterprise provisioning profiles. On Android, disable "Install from unknown sources" at the device-management level.
  3. Deploy Mobile Threat Defense (MTD): Layer an MTD agent—Lookout, Zimperium, or CrowdStrike Falcon for Mobile—on top of MDM to detect rogue apps, network anomalies, and OS-level exploits in real time.
  4. Conduct targeted awareness training: Brief executives, board members, and compliance staff specifically on social-engineering tactics used in commercial-spyware campaigns. Emphasize that legitimate app updates never arrive via direct message or email link.
  5. Audit BYOD policies against SAMA CSCC Domain 8: Verify that your mobile-security controls satisfy SAMA's requirements for endpoint protection, application whitelisting, and data-loss prevention on personal devices.
  6. Integrate mobile IOCs into your SOC workflow: Subscribe to Citizen Lab's and Meta's commercial-surveillance IOC feeds and ingest them into your SIEM/SOAR platform for automated alerting on known Spyrtacus infrastructure.

Conclusion

The Spyrtacus campaign is a textbook example of how commercial surveillance vendors weaponize trust in familiar applications. The attack required no zero-day exploit and no jailbreak—just a convincing pretext and a willing finger to tap "Install." For Saudi financial institutions handling customer data governed by PDPL and operating under SAMA and NCA oversight, the lesson is clear: mobile endpoints deserve the same rigor as servers and workstations. Without MDM enforcement, sideload restrictions, and mobile threat defense, a single compromised executive phone can undo years of perimeter hardening.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that includes a full review of your mobile-security posture and BYOD risk exposure.
