Fake WhatsApp Clone Used in Spyware Campaign, Meta Warns

A counterfeit WhatsApp application was used in a targeted spyware campaign affecting around 200 users — primarily in Italy, Meta has warned.

Key takeaways:

• Attackers distributed a counterfeit version of WhatsApp that functioned as surveillance software once installed.
• Instead of hacking the app, attackers relied on deception, tricking victims into installing the malicious version themselves.
• The campaign appears targeted, with links to an Italian surveillance vendor.
• Victims were duped into sideloading the app, bypassing app store protections.
• Once installed, such apps can collect messages, contacts, location data, and even activate microphones or cameras.
• WhatsApp’s official app, infrastructure, and end-to-end encryption were not compromised.
• Meta is taking action against the company linked to the spyware campaign.

WhatsApp users are once again in the crosshairs of spyware operators — but the latest attack didn’t rely on a hidden exploit or a missed call. Instead, it was disguised as something far more familiar: a fake version of WhatsApp itself.

The company logged users out of their WhatsApp accounts to prevent further data theft. It then sent warning notifications to the affected users, urging them to use only official applications.

A fake app with real surveillance capabilities

A fake app doesn’t need a zero-day vulnerability if it can convince you to install it.

According to Meta, the malicious software masqueraded as a legitimate WhatsApp client but functioned as spyware once installed. The company says around 200 individuals were targeted in the campaign, which has been linked to an Italian spyware vendor.

Unlike traditional app-based threats distributed through official stores, this fake version was sideloaded — meaning victims were tricked into installing it outside of their official app store.

Once installed, the malicious app granted attackers extensive access to a victim’s device. Spyware apps are typically designed to expose messages, photos, grant access to the mic and cameras, steal geolocation data, and more.

“To protect our users from this type of malicious activity, Meta constantly monitors its network for signs of compromised or unofficial clients,” the company said in a statement. “We are not experiencing a breach of WhatsApp's official apps, infrastructure, or encryption. Users' personal communications via our official app continue to be protected by end-to-end encryption and default privacy settings.”

Source: La Republica

Part of a broader spyware ecosystem

While details of the specific spyware capabilities are still emerging, the campaign fits a pattern.

Spyware operators have long targeted WhatsApp due to its massive user base and the sensitive nature of conversations on the platform.

Previous incidents have involved sophisticated tools like Pegasus, which exploited vulnerabilities to silently infect devices and monitor journalists, activists and other targets.

More recently, though, attackers have started turning to impersonation tactics — creating fake versions of trusted apps to trick people into installing malware.

Security researchers have recently observed similar campaigns where spyware hides inside counterfeit messaging or social media apps. From there, it can harvest messages and call logs, and even activate cameras.

Meta signals a legal fight

Meta says it has taken steps to disrupt the campaign and is working with app store providers to prevent further abuse.

The company is also pursuing legal action against those behind the spyware operation, continuing a broader effort to crack down on commercial surveillance vendors.

According to reports, the fake WhatsApp clone was developed by ASIGINT, a subsidiary of SIO Spa, an Italian company active in the field of interceptions and surveillance.

This follows a series of legal battles in recent years, including a major case against NSO Group, where Meta accused the company of exploiting WhatsApp infrastructure to spy on users.

How spyware works

Spyware is one the most dangerous types of malware, not just because it can steal sensitive data, but also because attackers often infect target devices without input from the victim. Spyware is typically used to covertly by various people — from jealous spouses to state-sponsored actors — to observe and collect information about a target. Dissidents, journalists and political figures are common victims.

The typical traits of spyware:

·      Stealthy operation – runs silently in the background, often without user awareness

·      Data collection – steals messages, credentials, browsing activity, and other sensitive data

·      Surveillance capabilities – can monitor activity, track location, and profile behavior

·      Audio/video access – may activate microphones or cameras to record surroundings

·      Persistence mechanisms – modifies system settings or installs components to remain undetected

How to stay safe (advice for consumers)

This campaign reinforces a few essential security habits:

• Download apps only from official stores (App Store, Google Play)
• Avoid sideloading — i.e. installing apps via links, profiles, or unknown sources
• Be wary of modified, premium, or free versions of popular apps
• Keep your device updated to reduce exposure to known threats
• Equip your device with a trusted, independent security solution capable of detecting and blocking malware

You may also want to read:

What Are the Risks of Sideloading Apps on Your Smartphone?

How Spyware Infects Smartphones and How to Defend Against It

‘Update iOS to Protect Your Data’ – Apple Urges Users to Patch Against Coruna and DarkSword Exploits

The Scam That Tricks You Into Infecting Your Own Mac