Italian Spyware Abuses Android Accessibility Framework to Intercept WhatsApp

IPS, an Italian surveillance contractor, deployed Morpheus spyware masquerading as system updates to compromise Android devices. Once installed, the malware exploits accessibility services—APIs designed to assist disabled users—to read screens and control other applications without consent. The primary target: WhatsApp account access. The technique reflects a broader shift among state actors toward endpoint compromise, sidestepping end-to-end encryption by capturing communications before encryption or after decryption on compromised devices.