Morpheus Spyware Hijacks Your WhatsApp Through a Fake 'Phone Update' SMS in 2026: Here's How One Tap Adds Hackers to Your Account
Disclaimer: This article is for educational and defensive security purposes only. The technical indicators below are sourced from public spyware research published by Osservatorio Nessuno on April 24, 2026. If you suspect your device is currently infected, do not factory reset before consulting a digital forensics professional or a recognized civil-society support organization (e.g., Access Now Helpline, Citizen Lab): a wipe destroys the evidence needed to attribute the attack.
On April 24, 2026, Italian digital-rights group Osservatorio Nessuno published a technical breakdown of a previously undocumented Android spyware family it named Morpheus, attributing the operation to IPS Intelligence, a 30-year-old Italian lawful-interception vendor. What makes this case different from the usual NSO/Pegasus headline cycle is the delivery method: the victim's own cellular carrier was used to bait the install. The carrier deliberately blocked the target's mobile data, then pushed an SMS instructing the user to install a "phone update" app to restore connectivity. One tap, one fake biometric prompt, and the attacker was added as a linked device on the victim's WhatsApp account.
I want to walk through this attack the way I'd walk through it with a client, because the defensive lessons travel well beyond Italy. When I integrated WhatsApp Cloud API into BizChat (one of our AI helpdesk products at wardigi.com) earlier this year, I spent two full weeks reading WhatsApp's multi-device protocol documentation. The same "linked device" mechanism that lets a small business answer customers from a desktop is what Morpheus is abusing. If you use WhatsApp, Signal, or Telegram on Android, and especially if you've ever sideloaded a "carrier helper" app, this matters.
What Morpheus Actually Does (In Plain Language)
Morpheus is what researchers call low-cost spyware. It does not use a zero-click exploit chain like Pegasus or Paragon. Instead, it relies on social engineering plus aggressive abuse of legitimate Android features once it is installed. The published staging looks like this:
- SMS lure: The victim receives a text linking to assistenza-sim.it, impersonating the Italian ISP Fastweb. The phrasing implies the victim's SIM has a "configuration problem" and must be fixed to restore data.
- Stage 1 dropper: Package com.android.cored (version 0.9.23) installs from the fake update prompt.
- Stage 2 agent: Package com.android.core (version 2025.3.0) deploys a fake "Mobile Config" interface that looks like a vendor system app.
- Self-elevation: Morpheus turns on Developer Options and Wireless Debugging, then loops back to itself over local ADB to grant every dangerous Android permission via a script called commands.txt.
- WhatsApp hijack: The agent shows a fake reboot screen, then overlays a counterfeit WhatsApp dialog asking for biometric confirmation. That tap pairs the attacker's device to the victim's WhatsApp account through the standard multi-device flow.
Step 4 is the part that should make every Android user sit up. By abusing accessibility services and the Wireless Debugging feature shipped to address the legitimate "ADB over Wi-Fi" use case for developers, Morpheus does not need root or a kernel exploit. It just convinces Android to let it talk to itself as a developer would. Once that loopback is established, it has functional administrative control of the device.
Why The Carrier Angle Is The Scary Part
I've spent 11+ years building software for Indonesian SMBs, and one pattern is universal: users trust their carrier the way they trust their bank. If a text appears to come from your telco's number range with a plausible "your SIM is broken" pretext, even a careful user is one tap away from compliance. Osservatorio Nessuno's report makes clear that the operator deliberately interrupted data service first, meaning the user was already frustrated, already trying to fix something, and primed to follow instructions.
This isn't unique to Italy. The U.S. Federal Bureau of Investigation issued a public service announcement on March 31, 2026 (PSA 260331) warning specifically that foreign-developed mobile applications can persistently collect user data throughout the device, not just within the app. The Morpheus chain is one concrete instantiation of why that warning matters: an installed APK with the right permission set is functionally a surveillance camera bolted to your hand.
From the testing I did on my own Flutter builds for a hotel-management client last quarter, I can tell you that the average user cannot distinguish between a real Android system dialog and a well-crafted accessibility-service overlay. We measured this informally in usability sessions: out of 12 staff, 10 tapped through a deliberately suspicious-looking fake permission prompt without reading it. The biometric prompt in Morpheus exploits exactly this muscle memory.
Indicators of Compromise You Can Check Today
The Osservatorio Nessuno report published these technical indicators. If any of them appear on your device or in your installed-apps list, treat the device as compromised:
- Suspicious package names: com.android.core, com.android.cored, com.android.corew. None of these are real Google system packages; Google's core packages live under com.google.android.* or com.android.systemui, never plain com.android.core.
- Outbound connections to: 109.239.245.172, 195.120.31.91, 212.210.1.211
- DNS queries to: assistenza-sim.it (and any subdomain) or gamehosts-621ba.appspot.com
- Behavioral signs: Developer Options enabled when you didn't enable it, Wireless Debugging toggled on, camera/microphone privacy indicators silently disabled, MIUI's "locked apps" feature pinning an app you don't recognize.
To audit installed packages, on most Android devices: Settings → Apps → See all apps → menu → Show system. Scroll for com.android.core* entries. On stock Pixel firmware, none of those should exist. If you find one, document the version (long-press → App info → version) before doing anything else; that information is useful to forensics teams.
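The same indicators can be checked mechanically. The script below is an added example written for this article, not tooling from Osservatorio Nessuno or from the author; it matches a package list (in the format printed by `adb shell pm list packages`) and free-form DNS/connection log lines against the package names, IPs and domains quoted above, treating any subdomain of a listed domain as a hit while rejecting lookalikes such as assistenza-sim.it.example.com. The package list and log lines embedded in it are constructed samples, including the com.android.coreutil name used only to show the prefix heuristic.

```python
"""Match Android device artifacts against the Morpheus indicators listed above.

Added example for this article; not tooling from Osservatorio Nessuno or the
author. The IoC values are the ones the article quotes from the report. The
package list and log lines below are constructed samples shaped like the
output of `adb shell pm list packages` and a generic DNS/connection log; on a
real device you would capture those yourself and feed them to triage().
"""
import re

# Indicators quoted in the article (from the Osservatorio Nessuno report).
IOC_PACKAGES = {"com.android.core", "com.android.cored", "com.android.corew"}
IOC_IPS = {"109.239.245.172", "195.120.31.91", "212.210.1.211"}
IOC_DOMAINS = {"assistenza-sim.it", "gamehosts-621ba.appspot.com"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def is_ioc_domain(hostname):
    """True for a listed domain or any subdomain of it ("and any subdomain").
    A lookalike such as assistenza-sim.it.example.com does not match."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_packages(pm_output):
    """pm_output: text of `adb shell pm list packages` ('package:<name>' per line).
    Returns (exact IoC hits, other com.android.core* names worth a second look)."""
    exact, suspect = [], []
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name = line[len("package:"):]
        if name in IOC_PACKAGES:
            exact.append(name)
        elif name.startswith("com.android.core"):
            suspect.append(name)  # not a Google/AOSP prefix; review manually
    return sorted(exact), sorted(suspect)


def scan_log(lines):
    """Find IoC IPs and IoC domains (or subdomains) in free-form log lines."""
    ip_hits, domain_hits = [], []
    for line in lines:
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS and ip not in ip_hits:
                ip_hits.append(ip)
        for host in HOST_RE.findall(line):
            host = host.lower()
            if is_ioc_domain(host) and host not in domain_hits:
                domain_hits.append(host)
    return ip_hits, domain_hits


def triage(pm_output, log_lines):
    """Combine both scans; any exact package, IP or domain hit means 'compromised'."""
    packages, suspect = scan_packages(pm_output)
    ips, domains = scan_log(log_lines)
    return {
        "packages": packages,
        "suspect_packages": suspect,
        "ips": ips,
        "domains": domains,
        "compromised": bool(packages or ips or domains),
    }


# Constructed sample inputs (not captured from a real device).
SAMPLE_PM_OUTPUT = """package:com.google.android.gms
package:com.android.systemui
package:com.android.cored
package:com.android.coreutil
package:com.whatsapp
"""

SAMPLE_LOG_LINES = [
    "2026-04-24T09:12:01 dns query A login.assistenza-sim.it",
    "2026-04-24T09:12:03 tcp connect 212.210.1.211:443 uid=10234",
    "2026-04-24T09:12:05 dns query A www.google.com",
    "2026-04-24T09:12:07 dns query A assistenza-sim.it.example.com",
    "2026-04-24T09:12:09 tcp connect 142.250.74.46:443 uid=10012",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PM_OUTPUT, SAMPLE_LOG_LINES).items():
        print(f"{key}: {value}")
```

Run against the samples, it reports com.android.cored as an exact hit, com.android.coreutil as a suspect name, 212.210.1.211 and login.assistenza-sim.it as network hits, and leaves the lookalike domain and the unrelated Google IP alone. The suspect list is a heuristic, not an indicator from the report; it is there because the article's own advice is to scroll for any com.android.core* entry.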
The 5-Minute WhatsApp Linked-Device Audit
Even if you're not on the Morpheus target list, you should run this audit today. The same mechanism is reused by infostealer malware and by people who get hold of your unlocked phone for two minutes. Here's the routine I run on the WhatsApp Business account that handles support across our 7 aggregator sites. I do it weekly, and after the Morpheus disclosure I'd recommend the same cadence to anyone reading this:
- Open WhatsApp → Settings → Linked devices.
- Review every active session. Each entry shows the device type and the last-active timestamp.
- If any session is unfamiliar, tap it and choose "Log out." This severs the attacker's session immediately.
- Repeat the same audit in Signal → Settings → Linked devices and Telegram → Settings → Devices.
- Audit your Google account: myaccount.google.com/device-activity → sign out anything you don't recognize.
This whole process took me 4 minutes the first time and now takes under 90 seconds. It's the cheapest security routine that exists, and it specifically defeats the final stage of the Morpheus chain.
How to Avoid Stage One Entirely
Detection is the second-best outcome. Prevention is better. Three rules that have served me through 50+ client projects and across the production phones we use to run our portfolio:
Rule 1: Never install carrier "helper" apps from SMS links. No legitimate Indonesian, U.S., or European carrier I've worked with (Telkomsel, Indosat, T-Mobile, Vodafone) requires you to install a separate APK from a text message to fix data service. If your data is broken, restart the phone or call the carrier directly using the number printed on your physical SIM packet, never the number in the SMS.
Rule 2: Sideload nothing. Disable "Install unknown apps" for every browser and messenger you have. On Android: Settings → Apps → Special app access → Install unknown apps. Set every entry to "Not allowed." This single toggle would have blocked Morpheus stage one entirely. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) lists this as a baseline mobile-hygiene step in its consumer mobile guidance.
Rule 3: Treat accessibility-services prompts as nuclear permissions. Android's accessibility framework was designed for screen readers and switch-control devices. When any app asks for it, ask yourself: does this app need to read the screen and act on my behalf? A phone-update utility never does. A messenger never does. Only purpose-built accessibility tools (TalkBack, Voice Access) or password managers with autofill should ever sit in that list.
If You Think You're Already Infected
This is the part where I have to be careful, because the wrong advice here destroys evidence and the right advice depends on threat model.
If you are a journalist, activist, lawyer, executive, or anyone with reason to believe you're a deliberate target: do not factory reset, do not "remove" the suspicious app, and do not reinstall WhatsApp. Power the device off, isolate it (airplane mode, no Wi-Fi), and contact the Access Now Helpline (accessnow.org/help) or Citizen Lab. They run forensic captures that have built the case files behind every major commercial-spyware disclosure of the last decade. Wiping the device first is the single most common mistake victims make.
If you're an ordinary consumer who installed a sketchy "update" APK and now wants to recover:
- Disconnect from Wi-Fi and mobile data.
- Audit linked devices on WhatsApp/Signal/Telegram and log out everything except your primary phone.
- From a separate, trusted device, change the password on every account whose login confirmation could arrive on the suspect phone. Start with email, banking, and any service that supports SMS-based reset.
- Boot the phone into recovery and perform a factory reset. Do not restore from a backup made after the suspected infection date.
- Set up the device fresh. Reinstall apps individually from the Play Store, not from a backup archive.
This is YMYL territory and I will be blunt: if your phone is the second factor for your bank or your business email, the cost of getting this wrong is high. When I've helped clients work through similar incidents, we always pair the consumer steps above with a 24-hour watch on the affected accounts and a freeze on any saved payment methods. You can do the same; most banks now offer a temporary card freeze in their app.
The Bigger Picture: Lawful Intercept Vendors Are A Consumer Threat Now
For most of the last decade, the threat model from companies like NSO Group, Paragon, Cytrox, and now IPS Intelligence has been framed as "advanced, government-only, you're not the target." Morpheus quietly retires that framing. The technique here (SMS lure, fake update, accessibility abuse, biometric overlay) is straightforwardly cloneable. It does not require a zero-day. It requires a believable pretext and a victim who taps "Install."
That means the same playbook is now within reach of run-of-the-mill criminal groups. Looking at Osservatorio Nessuno's IoCs, the malware scaffolding is professional but not exotic (accessibility-service overlays, ADB self-pairing, multi-device pairing abuse), and every one of those primitives is documented in public Android developer guides. From the perspective of someone who builds Android apps for a living, none of this would be hard to replicate by an attacker without a state budget.
So the defensive baseline changes. "Don't sideload" is no longer enough advice for the kind of person whose job touches money. The new baseline is: don't sideload, don't grant accessibility services to non-accessibility apps, audit your messenger linked devices weekly, and treat any SMS asking you to install something the way you'd treat a stranger asking for your house keys.
What I'd Do This Weekend
If I read this article and did nothing else, here's the 15-minute punch list I'd run on my own phone tonight, in order of payoff:
- Linked-devices audit on WhatsApp, Signal, Telegram. (3 minutes.)
- Google account device review at myaccount.google.com/device-activity. (2 minutes.)
- Disable "Install unknown apps" on every browser and messenger. (3 minutes.)
- Open Settings → Accessibility → Installed services and remove anything that isn't TalkBack, Voice Access, or a password manager you actively use. (3 minutes.)
- Look at Settings → System → Developer options. If it's enabled and you didn't enable it, that alone is grounds for treating the device as suspect. (1 minute.)
- Add the carrier's official customer service number to your contacts now, so you don't reach for the SMS-supplied number under pressure later. (3 minutes.)
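The accessibility-services and Developer-options items on this list (and the Wireless Debugging sign from the indicators section) can be read straight from the device's settings store instead of tapped through by hand. The script below is an added example written for this article, not tooling from the author or from Osservatorio Nessuno. It parses values in the format printed by `adb shell settings get <namespace> <key>` ('1', '0' or 'null' for a setting never written) and the colon-separated 'package/ServiceClass' list held in secure/enabled_accessibility_services. The allowlist of accessibility packages is an assumption for this example (TalkBack, Voice Access and one password manager as a stand-in); the SAMPLE_SETTINGS dictionary and its com.android.core service class name are constructed to resemble what a self-elevation like the one described above would leave behind.

```python
"""Triage a few Android settings that the checklist above inspects by hand.

Added example for this article, not tooling from the author or from
Osservatorio Nessuno. It parses raw values in the format printed by
`adb shell settings get <namespace> <key>` ('1', '0' or 'null') and the
colon-separated 'package/Service' list held in
secure/enabled_accessibility_services. The allowlist is an assumption for
this example (TalkBack, Voice Access, one password manager); adapt it to
the accessibility tools you actually use. SAMPLE_SETTINGS is constructed.
"""
import subprocess

# Setting keys, written namespace:key, as read with `adb shell settings get`.
DEV_OPTIONS = "global:development_settings_enabled"
WIRELESS_ADB = "global:adb_wifi_enabled"
ACCESSIBILITY = "secure:enabled_accessibility_services"

# Assumed allowlist: only purpose-built accessibility tools and a password
# manager you knowingly installed. Edit to match your device.
ALLOWED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",                  # TalkBack
    "com.google.android.apps.accessibility.voiceaccess",   # Voice Access
    "com.x8bit.bitwarden",                                 # example password manager
}


def setting_is_on(raw):
    """`settings get` prints '1', '0' or 'null' (never set); only '1' counts as on."""
    return raw.strip() == "1"


def accessibility_packages(raw):
    """Split 'pkg/Class:pkg2/Class2' into package names, treating 'null' as empty."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def hygiene_findings(settings):
    """settings: dict mapping namespace:key -> raw string from `settings get`.
    Returns human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if setting_is_on(settings.get(DEV_OPTIONS, "null")):
        findings.append("Developer Options enabled")
    if setting_is_on(settings.get(WIRELESS_ADB, "null")):
        findings.append("Wireless Debugging enabled")
    for pkg in accessibility_packages(settings.get(ACCESSIBILITY, "null")):
        if pkg not in ALLOWED_ACCESSIBILITY_PACKAGES:
            findings.append(f"accessibility service outside allowlist: {pkg}")
    return findings


def read_settings_from_device():
    """Collect the same three values over adb (needs USB debugging you turned on)."""
    out = {}
    for key in (DEV_OPTIONS, WIRELESS_ADB, ACCESSIBILITY):
        namespace, name = key.split(":", 1)
        proc = subprocess.run(["adb", "shell", "settings", "get", namespace, name],
                              capture_output=True, text=True, check=True)
        out[key] = proc.stdout
    return out


# Constructed sample: the footprint a Morpheus-style self-elevation would leave.
SAMPLE_SETTINGS = {
    DEV_OPTIONS: "1\n",
    WIRELESS_ADB: "1\n",
    ACCESSIBILITY: ("com.google.android.marvin.talkback/"
                    "com.google.android.marvin.talkback.TalkBackService:"
                    "com.android.core/.ConfigAccessibilityService\n"),
}

# Constructed sample of a phone that has never had Developer Options touched.
CLEAN_SETTINGS = {DEV_OPTIONS: "null\n", WIRELESS_ADB: "0\n", ACCESSIBILITY: "null\n"}

if __name__ == "__main__":
    # Swap SAMPLE_SETTINGS for read_settings_from_device() to check a real phone.
    for finding in hygiene_findings(SAMPLE_SETTINGS) or ["nothing flagged"]:
        print(finding)
```

On the constructed sample it flags all three conditions; on the clean sample it returns nothing. Reading the raw settings store rather than the Settings UI is deliberate: an accessibility overlay can draw over what the UI shows you, but it cannot change what `settings get` prints over a USB cable you plugged in yourself.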
None of this is exotic. None of it requires a paid product. All of it would have stopped a Morpheus install at one of three different points in the chain. That's the actually useful takeaway from this disclosure: the defenses are in your hands, they cost nothing, and you can run them today.
Sources and Further Reading
- Osservatorio Nessuno, "Morpheus: A new spyware linked to IPS Intelligence" (April 24, 2026)
- TechCrunch, "Another spyware maker caught distributing fake Android snooping apps" (April 24, 2026)
- FBI Internet Crime Complaint Center, PSA 260331: Data Security Risks of Foreign-Developed Mobile Apps (March 31, 2026)
- CISA, Mobile Communications Best Practice Guidance
- NIST SP 800-124 Rev. 2, Guidelines for Managing the Security of Mobile Devices
- Access Now Digital Security Helpline, accessnow.org/help
Final disclaimer: cybersecurity advice ages quickly. Verify the linked-devices audit steps in your specific app version before relying on them, and if you suspect a targeted attack, contact a forensic professional before taking any remediation action that destroys device state.