
Italian spyware vendor creates Fake WhatsApp app, targeting 200 users

2 April 2026, 04:38

WhatsApp blocked a fake app by Italian firm SIO/Asigint that targeted 200 users with spyware, urging them to reinstall the official app.

WhatsApp has recently uncovered a malicious fake version of its app that targeted roughly 200 users, most of whom are in Italy. The platform confirmed that the unofficial client contained spyware and was developed by Italian firm Asigint, a subsidiary of SIO Spa, a company known for providing surveillance tools to law enforcement and government agencies.

“Our security team identified around 200 users, mostly in Italy, who we believe may have downloaded this unofficial and harmful client. We logged them out and alerted them to the privacy and security risks,” WhatsApp stated. “We believe this was a social engineering attempt targeting a limited number of users with the goal of inducing them to install harmful software impersonating WhatsApp, likely to gain access to their devices. Today, WhatsApp has taken action against Asigint, an Italian spyware company controlled by Sio Spa that created a fake version of WhatsApp. We believe the individuals behind this malicious client used social engineering techniques to trick people into downloading an unofficial and harmful app disguised as WhatsApp,” the Meta Group company said in a statement, adding that it intends to “send a formal legal notice to this spyware company to cease all harmful activity.”

The affected users were promptly logged out and notified of the potential risks to their privacy and security. WhatsApp advised them to remove the fake app and reinstall the official version, emphasizing that the incident did not involve a vulnerability in WhatsApp itself; the end-to-end encryption of legitimate apps remains intact.

According to WhatsApp, the attackers relied on social engineering techniques, tricking users into installing the counterfeit app, which was not available on official digital stores like the Apple App Store or Google Play. The approach suggests a highly targeted campaign, likely part of a broader investigation, rather than a mass-distribution attack.

“It is important to clarify that this was not a vulnerability in WhatsApp; end-to-end encryption continues to protect the communications of people using the official WhatsApp apps,” the Meta Group platform stated, as reported by the Italian press agency ANSA. “We believe the individuals behind this malicious client used social engineering techniques to convince people to download an unofficial and harmful app, passing it off as WhatsApp, likely to gain access to their devices. We intend to send a formal legal notice to this spyware company to cease any harmful activity.”

SIO, through Asigint, has a long history in the development of government-grade spyware. In a 2025 TechCrunch report, SIO was linked to Spyrtacus, a series of malicious Android apps that disguised themselves as WhatsApp and other popular applications. Spyrtacus allowed attackers to extract sensitive data from devices, including messages, contact lists, and call logs, as well as monitor users through microphones and cameras.

A WhatsApp spokesperson explained that the company plans to issue a formal legal demand to Asigint, requesting that the company cease all malicious activities. The platform stressed that holding spyware developers accountable under law is a crucial part of protecting users from targeted attacks. WhatsApp has previously achieved a precedent-setting outcome by holding a commercial spyware firm responsible under U.S. law for attempting to spy on users’ mobile devices.

The incident highlights a broader trend in digital surveillance: using fake apps as a tool for spying. Cybersecurity experts note that such tactics are common in operations targeting individuals for intelligence or law enforcement purposes.

“The fake WhatsApp campaign demonstrates the sophistication of modern social engineering techniques, where attackers exploit users’ trust in popular software to gain access to sensitive devices,” I told ANSA.

SIO describes itself as a team of software developers and architects leveraging advanced technologies to redefine human-computer interaction. According to its website, the company collaborates closely with law enforcement, government organizations, and intelligence agencies, boasting more than 30 years of experience in the sector. The fake WhatsApp case underlines how firms that operate in the intelligence space can inadvertently, or deliberately, target private users in ways that raise ethical and legal questions.

While the full scope of the attack remains unclear, the proactive response by WhatsApp underscores the importance of vigilance. Users are strongly encouraged to only download official applications and remain alert to suspicious links or prompts, especially when dealing with messaging or banking apps.

This case also demonstrates the evolving challenges of digital security in Italy and globally, where spyware developers increasingly use counterfeit applications to bypass traditional defenses and exploit user trust. Even though most affected individuals were Italian, the lessons extend to anyone using widely trusted apps. Awareness and timely updates are essential defenses against such targeted threats.

In conclusion, the WhatsApp-Asigint incident is a reminder of the ongoing arms race between privacy-focused platforms and surveillance-focused actors. While end-to-end encryption protects users of legitimate apps, attackers will continue to explore indirect methods, such as fake apps, to circumvent safeguards. Vigilance, legal accountability, and prompt user education remain the most effective tools for mitigating these sophisticated threats.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp)


Google GTIG: 90 zero-day flaws exploited in 2025 as enterprise targets grow

6 March 2026, 04:58

Google’s GTIG reports 90 zero-day vulnerabilities exploited in the wild in 2025, up from 78 in 2024, with a growing share targeting enterprise systems.

Google’s Threat Intelligence Group (GTIG) identified 90 zero-day vulnerabilities exploited in the wild in 2025. While slightly below the 100 observed in 2023, the number increased from 78 in 2024, with researchers noting a rising trend of attacks specifically targeting enterprise technologies and corporate infrastructure.

Nearly half of the flaws (43, or 48%) targeted enterprise technologies, marking a record share and confirming a shift toward enterprise-focused attacks. Browser exploitation declined to historic lows, while operating system flaws were increasingly abused. Nation-state actors mainly targeted edge devices and security appliances, while commercial surveillance vendors continued focusing on mobile and browser exploit chains.

“As vendor mitigations evolve and increasingly prevent more simplistic exploitation, threat actors have been forced to expand or adjust their techniques. In some cases, attackers have increased the number of chained vulnerabilities to reach desired levels of access within highly protected components,” reads the report published by Google. “Conversely, threat actors have also managed successful exploitation with fewer or singular bugs by targeting lower levels of access within a single capability, such as an application or service.”

Edge devices such as routers and security appliances remain prime targets because they typically lack EDR visibility, making intrusions harder to detect. Another 47 zero-days (52%) targeted end-user platforms. Operating systems were the most exploited category with 39 flaws, continuing an upward trend, while mobile OS exploits rose to 15 cases. Browsers accounted for less than 10% of zero-day activity, suggesting improved security hardening, though better attacker operational security may also be reducing visible exploitation.

In 2025, most exploited zero-days targeted major tech vendors due to their massive user bases across operating systems, browsers, and mobile platforms. Security and networking companies such as Cisco, Fortinet, Ivanti, and VMware were also frequent targets because of the strategic value of VPNs, virtualization, and edge infrastructure. Many attacks aimed at remote code execution or privilege escalation, often exploiting injection flaws, memory corruption, or weak access controls.

Commercial surveillance vendors (CSVs) were the most active users of zero-day exploits in 2025, surpassing traditional state-sponsored espionage groups for the first time. Firms such as Intellexa continued selling advanced spyware to government clients. However, China-linked cyber-espionage groups remained the most prolific among nation-state actors, often targeting edge and networking devices to maintain long-term access. Financially motivated groups also increased zero-day use, including ransomware operations linked to FIN11 and the Clop ransomware group. Researchers also observed sophisticated exploit chains affecting browsers, mobile devices, and enterprise appliances, including attacks on SonicWall systems that combined authentication bypass, remote code execution, and privilege escalation vulnerabilities.

Google expects AI use to grow in 2026 and anticipates that threat actors will leverage it to speed up vulnerability discovery and exploit development. Defenders can likewise use AI to strengthen security operations by identifying unknown flaws early and mitigating them before they are weaponized.


Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

Sue Poremba, Security Intelligence

Why do software vendors have such deep access into customer systems?

14 January 2025, 11:00

To the naked eye, organizations are independent entities trying to make their individual mark on the world. But that was never the reality. Companies rely on other businesses to stay up and running. A grocery store needs its food suppliers; a tech company relies on the business making semiconductors and hardware. No one can go it alone.

Today, the software supply chain interconnects companies across a wide range of industries. Software applications and operating systems depend on segments of the software supply chain to offer improved functionality. But while the software supply chain has improved efficiency and productivity for most organizations, it also means that if there is a vulnerability or a glitch in the software, it can halt business operations at hundreds or thousands of companies. Even the security programs that are used to protect users from cyberattacks can release exploitable software or an update with a coding mistake that can result in anything from massive data breaches to canceled flights to shutting down medical facilities because they can’t access patient records.

These software supply chain failures don’t just hurt the company. Millions of people are impacted. So why do software vendors have such deep access to an individual organization’s system so that one problem could create a nightmare scenario?

The evolution of computing

To understand why systems are so interconnected, you have to look at the evolution of both computing and software applications, according to Shiv Ramji, President of Customer Identity with Okta.

“We started from a world where programmers write on mainframes, and then we went from mainframes to the cloud and a distributed computing model,” Ramji explained during a conversation at the Oktane conference.

The benefit is that companies can now deploy applications faster, and they can be scaled with elasticity. Applications in the cloud are faster. There are a lot of benefits to architecting applications embedded in the cloud and network systems.

However, says Ramji, this also means that the application stack becomes more complicated and more sophisticated.

“The classic example would be if I had to store if I had an app that was a social media app or photo sharing,” explained Ramji. If the user relied on a single data center and single storage mechanism, scaling would become more difficult and expensive.

“But today, you can scale this really fast because you can use S3 from Amazon for storage, and you can scale your compute,” Ramji adds. “And so, it doesn’t matter if I have two users or end up having 200 million users; I’m able to address the needs.”

This evolution in computing has brought application stacks that have become much more complex, with a lot of interdependencies across the system. Cloud computing services, security services and networking capabilities work seamlessly because they are able to be embedded into an organization’s infrastructure.


Locking in with a vendor

These interdependencies are increasingly making organizations overly reliant on specific vendors and applications to keep their business operations running smoothly. The upside to this is having third-party partnerships that integrate with your infrastructure and can be built out seamlessly. The downside is added costs from not shopping around for better deals and the greater risk of a security flaw taking down your system without warning. One bad piece of code due to an embedded vendor application can cause irreparable damage.

According to research from Dashdevs, “vendor lock-in is proven to lead to unanticipated costs and technical debt.” Reliance on these embedded applications is “proven to increase risks and vendor-specific vulnerabilities.”

When these embedded applications have a flaw — an exploited vulnerability or misconfigured code, for example — the fix can be complex. It might look as easy as deleting the bad file or applying a patch, but what happens if the problem prevents you from accessing the system at all? To fix it, you first have to identify which program is causing the problem and where within your system it is located. Is it a problem that can be fixed once via the cloud and will automatically propagate to all devices, or will it require updating individual machines? Finally, what is the communication between the vendor and your organization? Did you discover the problem yourself or was it disclosed to you, and how willing and how quick is the third party to take responsibility?

Unfortunately, there are no easy answers. It will come down to the individual situation — the type of vendor, how the application is embedded into your network and the problem that it causes.

“Some of those systems, some of those controls that you have in place have the potential from a resiliency standpoint to mean the difference between your customers having your service being on and available or having a complete destruction caused by an outage similar to what we’ve seen with other vendors recently,” says Charlotte Wylie, Deputy CSO with Okta.

How vendors can keep customers secure

Vendors can take steps to protect their customers from a software breakdown, beginning with recognizing their role inside their customers’ infrastructure. Wylie provided the following tips on how vendors and customers can work together to add security to embedded applications:

  • Implement access with least privilege permissions on both sides
  • Have controls and protocols in place if there is a degradation of service
  • Have well-managed accounts that are maintained and secured with your organization’s IAM team

“I think least privilege and having the right identity is super important,” says Wylie. “And then testing that on a regular basis so you have the right enterprise resiliency in place and know that your disaster recovery plan is ready to go — these are your backup plans when you have a collaboration of vendors.”

Every organization has become more reliant on the software supply chains and applications used across their complex network architecture. It’s almost impossible to run a business efficiently today without this interdependence on third parties who have deep access to not just your system directly but also through the other applications and software you use. Failure will happen. Being prepared with a recovery plan for any worst-case scenario and thinking about how to best architect networks with third-party vendors to work through failure will prevent the downtime from turning into a news event.

The post Why do software vendors have such deep access into customer systems? appeared first on Security Intelligence.
