Inside Italy’s low-cost spyware economy

Commercial spyware in Europe has recently made headlines with the now notorious names of Pegasus and Graphite, the expensive, exploitation-driven products at the top end of the market. Much less known is the wide underworld ecosystem of low-cost spyware vendors, often targeting citizens via their smartphones. EDRi member Osservatorio Nessuno has investigated and analysed two separate products, Spyrtacus and Morpheus.

By EDRi and Osservatorio Nessuno (guest author) · May 28, 2026

Crowded market, cheap expertise

While company names like NSO Group or Paragon Solutions have become widely known following extensive media coverage and political scandals, a parallel spyware market has been developing almost unnoticed in their shadow. Italy is home to dozens of small surveillance companies developing so-called “trojans” for interception. An IrpiMedia investigation found that prosecutors in Italy pay as little as a few dozen euros per day of interception, creating a competitive market where zero-day exploit chains (attacks using unknown security flaws in the phone’s software) are not necessary. Instead of relying on the use of such exploits, which are technically difficult to obtain, and very expensive, these vendors have developed much cheaper techniques. Their spyware tools only require a few clever tricks and some social engineering to infect the target’s phone.

Here’s a real-life example of how this deception works: the chosen target suddenly loses mobile reception and immediately receives an SMS purporting to come from their mobile carrier, asking them to install an “update” to restore service. The link leads to a phishing page mimicking the telecom provider, which prompts them to download a malicious Android application (APK), a well-crafted fake version of their provider’s real app. Once the app has been installed, it tries to gather all the information it can from the target’s device.

For this scheme to work, the active cooperation of the internet service provider is needed: it is the provider who, at the request of law enforcement or judicial authorities, throttles the target’s internet connection to make the pretext credible. Capabilities of these apps include abuse of Android Accessibility services, silent linking of WhatsApp sessions, disabling on-device antivirus, and disabling the indicators that Android displays when an app accesses the microphone or the camera.

The tactics of low-cost spyware

EDRi member Osservatorio Nessuno has investigated the modus operandi of some of these smaller companies. For example, Morpheus, a previously undocumented Android spyware linked to IPS Intelligence, tricks targets into giving up their WhatsApp account: it displays a fake biometric prompt over the genuine WhatsApp prompt required to link a new device, thereby gaining complete access to the account.

Spyrtacus, actively developed and distributed by SIO S.p.A, has similar capabilities. By abusing accessibility services it is able to take screenshots, record voice calls, export WhatsApp messages and much more. Spyrtacus has been in use for years now, with frequent releases and updates.
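The accessibility-service abuse described for the carrier-impersonating APK above and for Spyrtacus is one of the few traits a defender can check for on a handset. The following triage script is an added example, not code from the article, from Osservatorio Nessuno or from any vendor named here; it assumes the outputs of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services` have already been captured, and the package names and the trusted-installer list are constructed for illustration.

```python
# Added example (not the article's or any vendor's code): offline triage of two
# saved `adb shell` outputs for sideloaded apps that hold accessibility access.
# Assumed inputs: `pm list packages -3 -i` and
# `settings get secure enabled_accessibility_services`; samples are constructed.
import re

# Constructed sample: third-party packages and the package that installed each.
PM_LIST_SAMPLE = """\
package:com.example.bank  installer=com.android.vending
package:org.example.messenger  installer=com.android.vending
package:com.example.carrier.update  installer=null
package:com.example.launcher  installer=com.sec.android.app.samsungapps
"""

# Constructed sample: colon-separated list of enabled accessibility services.
ENABLED_A11Y_SAMPLE = (
    "com.example.carrier.update/com.example.carrier.update.HelperService:"
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Installers a user would normally trust; anything else is treated as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}


def parse_pm_list(text):
    """Map package name -> installer package (None when pm reports 'null')."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, inst = m.groups()
            result[pkg] = None if inst == "null" else inst
    return result


def parse_enabled_services(text):
    """Set of packages that own an enabled accessibility service."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def suspicious_packages(pm_text, a11y_text):
    """Sideloaded third-party apps that also hold an enabled accessibility service."""
    installers = parse_pm_list(pm_text)
    owners = parse_enabled_services(a11y_text)
    return sorted(p for p in owners
                  if p in installers and installers[p] not in TRUSTED_INSTALLERS)
```

A hit is a lead for manual review, not proof of infection: legitimate sideloaded apps (and apps installed over `adb`, which also report `installer=null`) will show up too.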

To sustain the operation, vendors or their buyers also routinely rely on shell and fake companies, sometimes to get their malicious apps included in the Google Play Store so that they look legitimate. Other fake companies Osservatorio Nessuno found serve purposes that remain unclear.

Italy’s infection addiction

This industry of low-cost spyware is fed by extraordinarily high demand. According to the Italian Ministry of Justice’s own statistics, Italian prosecutors authorised around 5,200 trojan-based interceptions in 2024 alone, a volume that is significantly higher compared to other member states (though they often do not publish statistics), and that has normalised device compromise as a routine investigative technique.

Moreover, oversight routinely fails to provide solid explanations. Italy’s intelligence oversight committee (COPASIR) produced a report on the Paragon/Graphite case that raised more questions than it answered, while the fate of the cases of several Italian journalists and activists who were alerted by WhatsApp of being targeted with Graphite has still not been publicly clarified by the government. More broadly, Italy is a country where illegal espionage and dossier-making scandals surface on a near-yearly basis. Each time an infection is detected, it is impossible for the target, their lawyer, or independent researchers to determine which company built the tool, which authority deployed it, under what warrant, or whether any authorisation existed at all.

More data, more data, more data…

This parallel market of cheap, deceptive “trojans” has blossomed to respond to a demand: to nourish a data-hungry system where prosecutors and law enforcement want to be able to carry out thousands of infections at the lowest possible price. This is both cause and consequence of a judicial and law enforcement logic where the unlimited access to people’s devices and data is framed as crucial to do their job, and therefore it is normalised and even encouraged.

But whether it arrives through zero-click vulnerabilities, via social engineering (as in the cases analysed by Osservatorio Nessuno) or via direct installation on the device (which happens massively in the stalkerware industry, a sector that fuels a great amount of digitally-powered gender-based violence), its effects on the targets remain the same. Spyware violates the integrity and confidentiality of personal devices, and turns them into a surveillance tool to access people’s private life: messages, photos, microphones, cameras, contacts, browsing history, location data and intimate communications can all be silently extracted. This is why spyware is fundamentally incompatible with the principles of necessity, proportionality and effective oversight required under EU fundamental rights law. In this sense, no meaningful distinction exists between ‘more sophisticated’ spyware, like Pegasus or Graphite, and cheaper products like Spyrtacus or Morpheus.

A very European problem

There is someone to blame. The spyware market – spanning both ‘more sophisticated’ and ‘low-cost’ spyware – has been driven by the European Commission’s inaction against spyware, even though it has competences on trade matters and on monitoring the application of existing EU laws. Companies such as Paragon Solutions, SIO and IPS Intelligence have been able to operate in Italy because the development and trade of these tools remains broadly unregulated, while the application of the EU’s fundamental rights framework against spyware abuses has been largely non-existent. Furthermore, internal market rules allow spyware vendors to operate freely across member states, fuelling competition, and to export without restrictions, turning the EU into a worldwide hub for tools related to innumerable human-rights abuses.

The Italian case also shows that Europe’s spyware problem is not just imported. While public debate – rightfully so – often focuses on Israeli firms such as NSO Group or Paragon Solutions, it is important to note that dozens of European companies are also developing and distributing spyware domestically. As long as spyware remains legal to develop, sell, and deploy within the EU the proliferation won’t stop.

Ultimately, the spread of low-cost tools demonstrates that Europe has a huge problem in the normalisation of spyware as a routine investigation tool. A democratic society cannot meaningfully protect freedom of expression, the free press, political rights or enhance its civic space while allowing spyware vendors to operate with no boundaries.

Osservatorio Nessuno, together with EDRi and a growing coalition of civil society and journalist organisations, continues to call for a full EU-wide ban on commercial spyware, combined with binding transparency obligations on Member States about past and present deployments, and effective remedies for the people who have been targeted.

Spyware, whether it costs millions or tens of euros per day, should simply not exist.

Contribution by: Aljosa Ajanovic Andelic (he/him), EDRi Policy Advisor and EDRi member Osservatorio Nessuno