Morpheus
Morpheus is an Android spyware family publicly reported by Osservatorio Nessuno in 2026. It is distributed through fake Android applications masquerading as phone update or service-restoration apps, including campaigns in which victims received SMS links to ISP-themed phishing sites. The infection chain uses a first-stage dropper to install a hidden second-stage payload that disguises itself as legitimate Android system components with fake names and icons.
The spyware relies on social engineering and abuse of Android permissions rather than root exploits. It pressures victims into granting Accessibility access and then uses Accessibility to read screens, interact with apps, and capture sensitive data. During a fake update and fake reboot workflow it abuses overlay windows and SYSTEM_ALERT_WINDOW, blocks touchscreen interaction with a full-screen overlay, enables Developer Options, turns on Wireless Debugging, and pairs locally with the ADB daemon. With that ADB access, Morpheus silently grants itself sensitive permissions and increases its control over the device. Reporting explicitly states that Morpheus did not use CVE-2026-0073 for this behavior.
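As an added defender-side example (not code from the Osservatorio Nessuno report or from Mallory), the following Python triages the output of `adb shell settings list global` and `settings list secure` for the state this workflow leaves behind: Developer Options on, Wireless Debugging on, and an accessibility service owned by an unexpected package. The sample output and the allow-listed package name are constructed.

```python
"""Triage Android `settings list` output for indicators of the Morpheus-style
Accessibility + Wireless Debugging + ADB pairing chain (added example)."""

# Constructed sample of `adb shell settings list global` output (key=value per line).
SAMPLE_GLOBAL = """\
adb_enabled=1
adb_wifi_enabled=1
development_settings_enabled=1
"""

# Constructed sample of `adb shell settings list secure` output. The service list is
# colon-separated package/class pairs; the first package here is a made-up lure app.
SAMPLE_SECURE = """\
enabled_accessibility_services=com.example.sysupdate/.A11yService:com.google.android.marvin.talkback/.TalkBackService
accessibility_enabled=1
"""

# Accessibility service packages expected on this fleet (assumption for the example).
KNOWN_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_settings(text):
    """Turn `settings list` output into a dict; values are kept as strings."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")  # values may themselves contain '='
            out[key.strip()] = value.strip()
    return out


def triage(global_text, secure_text, known_a11y=KNOWN_A11Y_PACKAGES):
    """Return (indicator, detail) tuples that warrant a closer look."""
    findings = []
    g, s = parse_settings(global_text), parse_settings(secure_text)
    if g.get("development_settings_enabled") == "1":
        findings.append(("developer_options_on", ""))
    if g.get("adb_wifi_enabled") == "1":  # Wireless Debugging toggle (Android 11+)
        findings.append(("wireless_debugging_on", ""))
    for svc in filter(None, s.get("enabled_accessibility_services", "").split(":")):
        pkg = svc.split("/")[0]
        if pkg not in known_a11y:
            findings.append(("unexpected_accessibility_service", svc))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_GLOBAL, SAMPLE_SECURE):
        print(indicator, detail)
```

Any single finding is benign on a developer's phone; all three together on an end user's device after a "restore your data service" app install is the pattern described above.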
Reported capabilities include theft of extensive data from infected devices, long-term covert surveillance, audio and video recording, manipulation of WhatsApp device linking, and erasure of evidence on the device. It can display a fake biometric prompt to trick victims into approving WhatsApp account linking. Morpheus also disables or weakens security protections, including camera and microphone indicators, Google Play Protect, Google SafetyCore, and multiple antivirus products such as Bitdefender, Sophos, Avast, AVG, and Malwarebytes. It persists across reboots, can request device administrator privileges, and modifies system settings across Android versions to maintain persistence and hinder removal.
The reporting assesses likely Italian origins based on source-code language clues, infrastructure, and corporate linkages. Osservatorio Nessuno linked Morpheus to IPS Intelligence, an Italian lawful interception company, and described this as the first known public report connecting that firm to spyware distribution and operation. Additional reporting said researchers believed some targeting was related to political activism in Italy. Infrastructure details mentioned in the reporting include encrypted configurations, Italian-hosted servers, and domains linked to small ISPs and obscure entities.
Separate 2025 reporting also uses the name Morpheus for a ransomware strain. Proofpoint and SentinelLABS stated that TransferLoader infections were reported to lead to Morpheus ransomware, and SentinelLABS assessed Morpheus and HellCat ransomware as distinct brands deploying identical payloads, with Morpheus likely an updated version of HellCat. Because the available reporting uses the same name for two distinct malware families, the best-supported and most detailed identification on this page is the Android spyware family.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
CVE-2026-0073 is a critical no-interaction remote code execution vulnerability in Android adbd’s ADB-over-TCP authentication path... it is an authentication bypass that lets a remote peer become an authorized ADB host and open a shell as the Android shell user.
Groups observed using it
1 distinct threat actor attributed by public researchers.
TransferLoader malware, which later launches the Morpheus and Metasploit ransomware strains.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The telecom provider sent the target an SMS, prompting them to install an app that was supposed to help them update the phone and regain cellular data access.
In this case, targets received an SMS linking to a site impersonating an ISP.
Execution
1 technique
Attackers used a typical low-cost spyware tactic: disrupt a service and trick the victim into installing a fake app to restore it.
Persistence
4 techniques
Once the spyware was installed, it abused Android’s built-in accessibility features, which allow the spyware to read the data on the victim’s screen and interact with other apps.
It forces users to grant dangerous permissions, including Accessibility access, which allows it to read screens, interact with apps, and capture sensitive data.
The malware also gains persistence by restarting after reboot and can request device admin privileges, making removal difficult.
Privilege Escalation
4 techniques
Once the spyware was installed, it abused Android’s built-in accessibility features, which allow the spyware to read the data on the victim’s screen and interact with other apps.
It forces users to grant dangerous permissions, including Accessibility access, which allows it to read screens, interact with apps, and capture sensitive data.
The malware also gains persistence by restarting after reboot and can request device admin privileges, making removal difficult.
Osservatorio Nessuno’s April 2026 report on Morpheus describes Android spyware abusing Accessibility workflows to enable Developer options, turn on wireless debugging, and locally pair with adbd.
Stealth
2 techniques
The second stage disguises itself as legitimate system components, using fake icons and names to appear trustworthy.
Morpheus is extremely invasive: it can record audio and video, silently pair a WhatsApp device, erase evidence, and deliberately weaken the security of the infected phone, among other malicious capabilities.
Defense Impairment
1 technique
Credential Access
3 techniques
It can trick victims into approving actions like linking a WhatsApp account by showing a fake biometric prompt.
Unbeknownst to the target, the biometric tap granted the spyware full access to their WhatsApp account by adding a device to the account.
Collection
3 techniques
It can trick victims into approving actions like linking a WhatsApp account by showing a fake biometric prompt.
Morpheus is extremely invasive: it can record audio and video, silently pair a WhatsApp device, erase evidence, and deliberately weaken the security of the infected phone, among other malicious capabilities.
Other
1 technique
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Android spyware delivered via fake update apps and SMS phishing links impersonating an ISP. It uses a dropper and hidden second-stage payload, abuses Accessibility and overlay permissions, enables Wireless Debugging and ADB pairing, disables security tools, gains persistence across reboots, and supports covert surveillance including audio/video recording, WhatsApp device pairing, evidence erasure, and weakening device protections.
Android spyware linked by researchers to IPS, an Italian lawful-interception vendor. It is delivered via fake Android/update apps, abuses Android accessibility features, steals broad device data, and can gain access to WhatsApp by spoofing the app and tricking the victim into biometric approval for device linking.
Android spyware that abuses Accessibility workflows to enable Developer options, turn on wireless debugging, and locally pair with adbd. The content explicitly states it did not use CVE-2026-0073.
Ransomware family discussed in relation to a payload codebase shared with HellCat.