WhatsApp warns nearly 200 users tricked into downloading spyware

WhatsApp has notified nearly 200 users, most of them in Italy, that they were targeted in a phishing attack that tricked them into downloading a fake version of the app containing spyware, rather than exploiting a vulnerability in WhatsApp itself.

The company said it logged the affected users out of their accounts, warned them about privacy and security risks, and urged them to delete the unofficial app and rely only on the original version. 

Available information indicates the operation is linked to the Italian company SIO through its subsidiary ASIGINT, which reports say sells surveillance technology to government agencies.

In February 2025, SIO was linked to an earlier Android campaign that used Spyrtacus malware inside fake apps resembling WhatsApp and other popular services.

The malware can steal messages and conversations from apps such as WhatsApp, Signal, and Facebook Messenger, pull contact data, record calls and ambient audio, and capture images through the phone’s camera.

The case carries added significance because it comes a year after another spyware scandal rocked Italy. In early February 2025, seven Italian users were targeted with Graphite spyware made by Israeli spyware firm Paragon Solutions.

WhatsApp had previously said that about 90 users in more than 20 countries were targeted, including journalists and activists. Italian authorities then confirmed in March that the phone of journalist Francesco Cancellato had in fact been hacked in that case, deepening suspicions about the use of commercial spyware against journalists and civil society actors in Europe.