WhatsApp Spyrtacus Alert: How Government-Grade Spyware Is Targeting Mobile Apps Saudi Banks Use Every Day

Meta's WhatsApp has flagged a government-grade spyware campaign using a counterfeit iOS app to harvest messages, calls, and recordings from targets' devices. For Saudi financial institutions relying on WhatsApp for business communications, the compliance and security implications are immediate.

FyntraLink Team

WhatsApp has notified approximately 200 users that their devices were compromised after they were tricked into installing a counterfeit iOS version of the app — one secretly built by Asigint, an Italian subsidiary of commercial spyware vendor SIO. The embedded malware, known as Spyrtacus, granted attackers full surveillance access to victims' devices: messages, call logs, contact lists, and real-time audio and video recordings. For Saudi financial institutions where WhatsApp functions as a de facto business communication channel, this is not an Italian problem — it is a direct operational and regulatory risk.

What Spyrtacus Does and Why It Is Different

Unlike opportunistic commodity malware, Spyrtacus is a purpose-built commercial surveillance tool developed by a firm with government clients. Threat actors socially engineered targets into sideloading a fully functional WhatsApp clone that looked and behaved identically to the legitimate app. Once installed, Spyrtacus silently exfiltrated SMS messages, encrypted chat histories, call records, and credentials stored on the device, while also activating the microphone and camera without any visible indicator. The malware did not exploit a vulnerability in WhatsApp itself — official end-to-end encrypted communications through the legitimate app remained intact. The attack vector was entirely social engineering combined with the trust users place in familiar app interfaces. Meta has logged all confirmed victims out of their accounts and has filed legal action against SIO and Asigint.

Why Saudi Financial Institutions Face Elevated Exposure

Saudi Arabia has one of the highest WhatsApp penetration rates in the world, and the application is embedded into daily business operations across banking, insurance, and capital markets. Relationship managers communicate client instructions via WhatsApp. Treasury desks coordinate time-sensitive transactions. Compliance officers receive alerts on personal devices. This normalisation of WhatsApp as a business tool creates a wide and largely unmonitored attack surface. Government-grade spyware vendors — operating under legal cover in their home jurisdictions — have a documented history of targeting financial executives, regulators, and government officials in the Gulf region. The commercial spyware ecosystem that produced Spyrtacus is the same ecosystem that produced Pegasus, which was used to compromise devices in Saudi Arabia as recently as 2023.

Regulatory Implications Under SAMA CSCC, NCA ECC, and PDPL

SAMA's Cyber Security Framework (CSCC) Domain 4 — Cybersecurity Operations — requires member organisations to maintain visibility over endpoints used to access or process financial data, including personal mobile devices used by staff for business communication. An unmanaged personal iPhone running a spyware-infected messaging app falls squarely outside acceptable control boundaries under a mature CSCC implementation. NCA's Essential Cybersecurity Controls (ECC-1) further require organisations to implement policies governing the use of personally-owned devices (BYOD) and to ensure that sensitive business data is not processed on endpoints lacking baseline security controls. From a PDPL perspective, if customer data — names, account references, transaction confirmations — passed through a WhatsApp conversation on a compromised device, the organisation may be obligated to assess and report a personal data breach to SDAIA. The Spyrtacus campaign is precisely the kind of incident that stress-tests whether a PDPL breach response programme exists on paper or in practice.

Practical Recommendations for Saudi CISOs and Compliance Officers

  1. Audit mobile device policy immediately. Identify which staff roles routinely handle customer data or material non-public information over WhatsApp. Enforce a clear BYOD policy with minimum security baselines: up-to-date iOS, no sideloaded apps, biometric lock, and enrollment in an approved Mobile Device Management (MDM) solution such as Microsoft Intune or Jamf.
  2. Deploy Mobile Threat Defense (MTD). Solutions such as Lookout, Zimperium (zIPS), or CrowdStrike Falcon for Mobile can detect anomalous device behaviour consistent with spyware — unexpected background data transmission, microphone activation, and configuration profile changes — on both iOS and Android endpoints.
  3. Restrict sensitive business communication to approved channels. For regulated communication — client instructions, transaction approvals, compliance escalations — enforce the use of enterprise-grade messaging platforms with audit logging (Microsoft Teams, Wickr Enterprise, or your institution's validated solution). WhatsApp, regardless of its encryption strength, provides no audit trail compatible with regulatory retention requirements.
  4. Conduct a PDPL breach assessment. If any staff member who handles personal data of customers uses WhatsApp on an unmanaged device, work with your Data Protection Officer to determine whether a PDPL Article 25 risk assessment is warranted and whether SDAIA notification obligations are triggered.
  5. Include commercial spyware in threat intelligence feeds. Indicators of Compromise (IoCs) associated with Spyrtacus, SIO, and the broader commercial spyware ecosystem are available through Amnesty International's Security Lab, Citizen Lab, and threat intelligence platforms such as Recorded Future. Ensure your SOC team is enriching detections with this category of threat actor.
  6. Train executives and relationship managers on social engineering targeting mobile apps. The Spyrtacus delivery mechanism relied entirely on persuading the target to install a non-App Store application. A single targeted awareness session for high-risk staff can close this vector at near-zero cost.
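The audit in recommendations 1 and 2 can be scripted against an MDM inventory export. The following is an added example, not code from the article or from any MDM vendor: it checks a constructed device inventory against the BYOD baseline (minimum iOS version, passcode set, no sideloaded apps) and flags any WhatsApp-branded app that is not the App Store build. The inventory field names and the iOS baseline are assumptions.

```python
# Added example (not part of the Fyntralink article): checks a constructed MDM
# device-inventory export against the BYOD baseline the recommendations describe
# and flags WhatsApp look-alike apps that were not installed from the App Store.
# Field names in the inventory records are assumptions, not any real MDM schema.
import json

MIN_IOS = (17, 0)                            # assumed baseline; set per your policy
OFFICIAL_WHATSAPP = "net.whatsapp.WhatsApp"  # bundle id of the App Store client

# Constructed sample export: two devices, one clean, one with a sideloaded clone.
INVENTORY = json.loads("""[
 {"device": "RM-iPhone-01", "user": "rm.alpha", "os_version": "17.4",
  "passcode_set": true, "apps": [
    {"name": "WhatsApp", "bundle_id": "net.whatsapp.WhatsApp", "source": "app_store"}]},
 {"device": "TR-iPhone-07", "user": "treasury.beta", "os_version": "16.7",
  "passcode_set": false, "apps": [
    {"name": "WhatsApp", "bundle_id": "com.example.wa.clone", "source": "enterprise"}]}
]""")

def parse_version(v: str) -> tuple:
    """'17.4.1' -> (17, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def device_findings(dev: dict) -> list:
    """Return policy findings for one device record; an empty list means compliant."""
    findings = []
    if parse_version(dev["os_version"]) < MIN_IOS:
        findings.append("ios_below_baseline")
    if not dev.get("passcode_set"):
        findings.append("no_passcode")
    for app in dev.get("apps", []):
        # Anything not delivered by the App Store was sideloaded (enterprise or
        # developer profile), which is exactly how the Spyrtacus clone arrived.
        if app["source"] != "app_store":
            findings.append(f"sideloaded:{app['bundle_id']}")
        # A WhatsApp-branded app under any other bundle id is a counterfeit client.
        if "whatsapp" in app["name"].lower() and app["bundle_id"] != OFFICIAL_WHATSAPP:
            findings.append(f"whatsapp_lookalike:{app['bundle_id']}")
    return findings

def audit(inventory: list) -> dict:
    """Map device name -> findings, listing only devices that fail the baseline."""
    return {d["device"]: f for d in inventory if (f := device_findings(d))}

if __name__ == "__main__":
    for device, findings in audit(INVENTORY).items():
        print(device, "->", ", ".join(findings))
```

Feed the output to the SOC as a ticket per device rather than a report; the look-alike finding on a treasury or relationship-manager handset is the one that warrants an immediate device isolation and PDPL assessment.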

Conclusion

The Spyrtacus campaign illustrates a maturing commercial spyware industry that is increasingly indistinguishable from state-sponsored operations in its technical sophistication — and increasingly willing to target business and financial networks, not only political dissidents. For Saudi financial institutions, the lesson is not to abandon WhatsApp tomorrow. It is to acknowledge that unmanaged mobile endpoints carrying business conversations represent a real, measurable, and regulatorily relevant risk, and to close that gap before the next alert lands closer to home.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and mobile security gap analysis aligned to CSCC Domain 4 and NCA ECC controls.