Meta* warned roughly 200 iPhone and Android owners that they had installed a fake version of WhatsApp loaded with spyware. According to WhatsApp, the attack was carried out by an Italian spyware development company. The incident is not related to a vulnerability in the messenger itself, but it clearly demonstrates the risks of installing apps outside of official stores.

The hacked WhatsApp was even installed on iPhones. Image: 9to5mac.com

What Happened with WhatsApp and Who Was Affected

Meta* sent warnings to approximately 200 iPhone and Android users, mostly from Italy, who fell victim to a social engineering attack — they were tricked into installing a fake version of WhatsApp.

This is the warning messenger users received. Image: techcrunch.com

In a statement to Italian news agency ANSA, WhatsApp said that its security team had identified about 200 users, mostly in Italy, who had likely downloaded this unofficial and malicious client. The users were forcibly logged out and warned about the risks to their security and privacy.

WhatsApp emphasized that this was not a vulnerability in the messenger itself, but the use of an unofficial client. In other words, WhatsApp itself was not hacked — users were tricked into downloading and installing a completely different app that only looked like the original.

Spyrtacus — What Is This Virus and How Does It Get on iPhones

WhatsApp pointed to Italian company Asigint, controlled by SIO SpA, as the organizer of the attack. The firm is based in the city of Cantù, in Lombardy in northern Italy, and its clients include law enforcement agencies, government entities, and intelligence services.

The malware in the fake app is known as Spyrtacus — the name was discovered in the program’s own code. Researchers found 13 samples of Spyrtacus, the earliest dating back to 2019 and the most recent from late 2024.

Previously, the malware was disguised as Android apps from Italian mobile operators TIM, Vodafone, and WINDTRE, as well as earlier versions of WhatsApp. The current campaign targeting iPhones represents an expansion of tactics to the Apple ecosystem.

What Data Does the Fake WhatsApp Steal from Your Phone

According to researchers from Lookout and other security experts, Spyrtacus can steal text messages, conversations from Facebook* Messenger, Signal, and WhatsApp, extract contacts, record phone calls and ambient sound through the device’s microphone, and take photos and videos through the cameras.

Simply put, once the app is installed, attackers gain virtually full access to the smartphone’s contents: conversations, calls, camera, and microphone — all of which can operate in surveillance mode without the owner’s knowledge.

Spyware gains access to the camera, microphone, and conversations

There are no details yet about the identities of the victims or exactly what data may have been stolen. WhatsApp spokesperson Margherita Franklin said the company cannot yet disclose whether journalists or civil society representatives were among those affected.

Can You Install an App on iPhone Bypassing the App Store

The exact method used to make victims install the fake app is unknown. According to Italian newspaper La Repubblica, the app was distributed through third-party sources rather than through the official channels, Google Play or the App Store.

On iPhone, installing an app bypassing the App Store is possible in several ways: through enterprise certificates (when an app is disguised as internal corporate software) or through third-party app stores that appeared in Europe after the Digital Markets Act (DMA) came into force. La Repubblica does not specify which method was used.

In Italy, authorities often involve mobile operators who send phishing links to their subscribers on behalf of law enforcement agencies. The victim receives what looks like a regular update notification from their carrier, with an offer to install an “updated” version of WhatsApp.

How to Check if WhatsApp on iPhone Is Real or Fake

The main takeaway for iPhone owners: the threat in this story is not a system vulnerability but the human factor. The attack worked not because a hole was found in iOS, but because people were tricked into installing a malicious app themselves.

Install apps only through the App Store and there won’t be a problem

What to do to avoid ending up in a similar situation:

  • Download WhatsApp only from the App Store. Any offers to “update” the messenger via a link from an SMS or a website should raise a red flag.
  • Do not install apps from third-party sources, even if the link came from your mobile carrier or looks official.
  • If you were forcibly logged out of WhatsApp, check which version of the app you are using. Delete the suspicious one and install the original from the App Store.
  • Keep iOS updated — Apple regularly patches vulnerabilities that can be used to install malware.

For those who received suspicious messages and followed links to install apps bypassing the App Store, experts recommend immediately deleting the app and restoring the device from a clean backup.

Spyware Apps on iPhone — Is This a Threat to Users in Russia

This is the second time in 15 months that Meta* has publicly cracked down on spyware activity linked to Italy. A year ago, WhatsApp notified about 90 users — journalists and immigration activists — that they were being surveilled using spyware from Paragon Solutions. That scandal led to Paragon’s split with Italian intelligence services.

Italy holds an unusual position among Western countries: several spyware developers operate there, and lenient regulation makes such tools accessible to a wide range of law enforcement agencies — down to municipal police.

For Russian iPhone users, there is no direct threat from this particular campaign — it was targeted and aimed at Italy. But the technique itself — a fake app distributed through phishing — is universal and used worldwide. The rule is simple: if an app is offered for installation outside of the App Store, that’s a reason to refuse, even if everything looks convincing.

*Recognized as extremist and banned in Russia