Researchers have discovered spyware that uses Android’s accessibility features to read the screen, interact with apps, and hijack WhatsApp accounts. The Morpheus virus spreads, among other ways, through mobile carriers using fake SMS messages. Let’s try to understand how it works and how to avoid falling victim.

The new virus can steal your messenger account

New Morpheus Virus on Android

Morpheus is an Android spyware app discovered by the Italian human rights organization Osservatorio Nessuno. According to researchers, it was created by the Italian company IPS. The company has been operating for over 30 years and provides tools for so-called “lawful interception,” meaning surveillance authorized by government agencies.

Morpheus doesn't hack your phone — it asks the user to open the door themselves.

Morpheus is classified as “cheap” spyware. No complex vulnerabilities are needed for infection: the program is designed so that the victim installs it on the phone themselves. After installation, the Morpheus app uses Android’s accessibility features — Accessibility Services. This is a set of functions originally designed for people with disabilities, but the spyware gains through them the ability to read screen content and interact with any apps.

Morpheus is infiltrating an increasing number of smartphones

In one of the documented cases, the infection looked like this: the mobile carrier intentionally disabled mobile internet for a specific user, after which the victim received an SMS asking them to install an app supposedly to “update the phone.” In reality, that app was Morpheus.

How WhatsApp Accounts Get Hacked

One of Morpheus’s main tricks is aimed specifically at hacking WhatsApp accounts. The program spoofs the messenger’s interface, displaying a fake screen that looks like the real messenger. After that, the user is asked to pass a biometric check: place a finger or show their face, supposedly to verify their identity.

No encryption hacking — just one fake screen and one fingerprint press.

In reality, this check gives the spyware access to the WhatsApp account. The user thinks they are confirming login to their messenger, but in fact they are opening the door for the spy to access their messages. WhatsApp surveillance in this form requires no encryption hacking — it’s enough to deceive the user just once.

Accounts are hijacked by spyware that users install themselves

It’s also worth noting: messenger hacks on Android happen not only with WhatsApp. Various messengers regularly become targets for scammers. The schemes vary, but the principle is the same: social engineering works better than any technical hack.

Who Is Threatened by the New Android Virus

An important detail: Morpheus is not a typical Android virus from the darknet. IPS positions its tools as resources for government agencies and intelligence services. The main target audience is not mass users, but specific individuals who are subjects of targeted surveillance.

Morpheus is an intelligence agency tool.

Nevertheless, the infection mechanism itself is easily scalable. The scenario “you need to update your phone” is familiar to any smartphone owner, and a fake SMS from a carrier is a standard scammer tool. This is far from the first case where government surveillance tools have become more widely available than intended: the developer of the Pegasus spyware was found responsible for attacks on WhatsApp users, and hacking tools from American intelligence agencies once leaked onto the black market.

Those under intelligence agency surveillance are at risk

Android malware in 2026 is becoming increasingly sophisticated — not technically, but psychologically. A dangerous Android virus no longer needs to exploit code vulnerabilities. A convincing story and a fake screen are enough.

How to Protect Android from Viruses

Morpheus exploits not a code vulnerability, but user gullibility. Therefore, Android virus protection against this type of threat is primarily about awareness. Here are some specific rules:

  • Never install apps via links from SMS — not from your carrier, not from acquaintances, not from anyone. Real Android updates come through “Settings — System Update,” not through third-party apps.
  • Check which apps have been granted Accessibility Services permissions. Go to “Settings — Accessibility” and see what’s active there. If you see an unfamiliar app — disable it immediately.

    • Be sure to check which apps have access to accessibility features

  • Don’t confirm a biometric check if the screen appeared unexpectedly or outside the usual context. If WhatsApp suddenly asks for verification even though you were just using it — that’s a reason to be suspicious.
  • Install apps only from Google Play or official sources (no APKs from message links).

Phone viruses of this type leave no obvious traces: the spyware works silently, reads messages, and collects data without any visible symptoms. Periodically checking the accessibility section takes two minutes and can save you from serious problems.

How Dangerous Is the Morpheus Virus

The new Android virus Morpheus is a clear example of how spyware gets by without technical vulnerabilities. Instead of hacking — social engineering: a fake SMS, a phony update screen, WhatsApp interface spoofing. For now, these are targeted attacks linked to government agencies, but the mechanism itself is simple and easily copied.

WhatsApp hacking through Morpheus works because the user does everything themselves — clicks the link, installs the app, places their finger on the scanner. For the average Android user, the main takeaway is simple: don’t install apps from SMS links, check accessibility permissions, and don’t confirm biometric prompts that appear out of nowhere.