WhatsApp Alerts 200 Users to Fake iOS App Infected With Spyware: What Happened and How to Protect Yourself
TL;DR
- WhatsApp notified approximately 200 users that they had installed a counterfeit iOS version of WhatsApp loaded with spyware.
- The fake app was created by Asigint, an Italian subsidiary of commercial spyware vendor SIO, and primarily targeted users in Italy.
- Meta is taking legal action against Asigint and has logged out all affected users, advising them to reinstall WhatsApp from official app stores.
- Social engineering tactics were used to trick victims into sideloading the malicious app outside of Apple's App Store.
What Happened With the Fake WhatsApp App?
On April 2, 2026, WhatsApp disclosed that it had identified and notified approximately 200 users who had unknowingly installed a counterfeit version of its iOS application. The fake app was engineered to look and function like genuine WhatsApp but contained embedded spyware capable of surveilling the victim's device [1]. This was not a vulnerability in WhatsApp itself. It was a separate, malicious application designed to impersonate the real one.
The counterfeit app was distributed through social engineering, meaning victims were tricked into installing it manually rather than downloading it through Apple's official App Store. Methods typically include phishing messages with direct download links, fake customer support pages, or instructions to install an "enterprise" or "beta" version of the app [2].
Who Is Behind the Attack?
Meta, WhatsApp's parent company, has attributed the spyware-laden app to Asigint, an Italian subsidiary of the commercial spyware company SIO. Asigint reportedly created the counterfeit WhatsApp specifically as a surveillance tool targeting individuals of interest to law enforcement and government clients [3].
The commercial spyware industry has come under increasing international scrutiny. The European Parliament's PEGA committee documented over a dozen EU member states with ties to commercial spyware vendors as of 2023 [4]. Companies like NSO Group, Cytrox, and now SIO/Asigint operate in a legal gray area, selling interception capabilities to government agencies while those tools are frequently used to surveil journalists, activists, and political opponents [5].
Meta has initiated legal action against Asigint, following a pattern established by its 2019 lawsuit against NSO Group over the use of Pegasus spyware through WhatsApp. That case resulted in a landmark ruling in 2024 that found NSO Group liable for hacking WhatsApp users [6].
Why Were Users in Italy the Primary Targets?
The concentration of targets in Italy aligns with Asigint's corporate base and its business relationships with Italian government agencies. Commercial spyware vendors typically sell their products to the government of the country where they are incorporated, at least initially. Citizen Lab research has shown that spyware deployments overwhelmingly target users within the vendor's home country or immediate region before expanding internationally [7].
For Italian businesses and residents, this incident is a reminder that being in a country with active commercial spyware vendors increases the baseline risk for targeted surveillance, particularly for individuals in journalism, law, activism, or government contracting.
How Did the Social Engineering Work?
The exact social engineering scripts used in this campaign have not been fully disclosed, but the pattern follows well-documented playbooks. Victims typically receive a message, often via SMS, email, or even a legitimate messaging platform, that urges them to install an "updated" or "security-enhanced" version of WhatsApp. The message includes a link to download the app directly, bypassing the App Store [2].
On iOS, installing apps outside the App Store requires either an enterprise certificate (which allows organizations to distribute internal apps) or a sideloading mechanism. Apple's enterprise certificate program has been abused repeatedly for spyware distribution. In 2025, Apple revoked over 300 enterprise certificates tied to malicious app distribution [8]. The fake WhatsApp likely used a similar certificate-based installation method.
The sophistication here is not in the technical exploit. It is in the human manipulation. The attacker does not need to find a flaw in iOS. They need to convince you to install an app and approve the necessary permissions yourself.
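As an added example (not from WhatsApp, Apple or the original article), this is how a responder could triage an IPA file recovered from a suspicious link: it reads the app's embedded provisioning profile and reports which distribution channel the app was signed for. It assumes the enterprise-certificate route described above; the sample IPA, team name and app identifier are constructed, and the function names are hypothetical.

```python
import io
import plistlib
import zipfile

def extract_profile(ipa_bytes):
    """Return the plist from Payload/<App>.app/embedded.mobileprovision, or None."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for name in ipa.namelist():
            parts = name.split("/")
            if (len(parts) == 3 and parts[0] == "Payload" and parts[1].endswith(".app")
                    and parts[2] == "embedded.mobileprovision"):
                blob = ipa.read(name)
                # The file is a CMS envelope around an XML plist; carve the plist out.
                start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
                if start == -1 or end == -1:
                    raise ValueError("profile present but no plist inside it")
                return plistlib.loads(blob[start:end + len(b"</plist>")])
    return None

def classify(profile):
    """Map a profile to the distribution channel it was issued for."""
    if profile is None:
        return "no-profile"    # apps delivered by the App Store carry no profile
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"    # in-house profile: installs on any device once trusted
    if profile.get("ProvisionedDevices"):
        debug = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debug else "ad-hoc"
    return "app-store-submission"

def triage(ipa_bytes):
    """Summarise who the profile names and whether the app bypassed the App Store."""
    profile = extract_profile(ipa_bytes)
    info = profile or {}
    channel = classify(profile)
    return {"channel": channel,
            "team": info.get("TeamName"),
            "app_id": info.get("Entitlements", {}).get("application-identifier"),
            "sideloaded": channel in ("enterprise", "ad-hoc", "development")}

def build_sample_ipa(profile=None):
    """Constructed input: a minimal in-memory IPA, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist", plistlib.dumps({"CFBundleName": "Sample"}))
        if profile is not None:
            z.writestr("Payload/Sample.app/embedded.mobileprovision",
                       b"\x30\x82\x00\x00" + plistlib.dumps(profile) + b"\x00sig")
    return buf.getvalue()
```

The plist is carved out without verifying the CMS signature, so treat the result as triage, not as proof of who signed the app.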
What Has WhatsApp Done in Response?
WhatsApp and Meta have taken several immediate steps [1]:
- All approximately 200 affected users were force-logged out of their WhatsApp sessions to sever any active spyware connection.
- Affected users received direct notifications advising them to delete the counterfeit app and reinstall WhatsApp exclusively from Apple's App Store.
- Meta initiated legal proceedings against Asigint, seeking injunctive relief and damages.
- WhatsApp has shared threat intelligence with Apple and relevant law enforcement agencies.
For the broader user base, WhatsApp has reiterated that the only legitimate way to install the app on iOS is through the Apple App Store. Any request to install WhatsApp from a link, a webpage, or an enterprise prompt should be treated as suspicious.
What Should You Do to Protect Yourself and Your Organization?
The defensive measures here are about discipline, not technology:
- Only install apps from official app stores. On iOS, that means the Apple App Store exclusively. Never tap "Trust" on an enterprise certificate prompt unless your organization's IT department has specifically instructed you to do so for a known internal application.
- Educate your team about social engineering. The most effective spyware delivery mechanism in this campaign was a convincing message. Regular security awareness training reduces the success rate of social engineering attacks by up to 70%, according to the SANS Institute [9].
- Audit installed applications. On iOS, go to Settings, then General, then VPN and Device Management. If you see any profiles or certificates you do not recognize, remove them immediately.
- Enable Lockdown Mode on high-risk devices. Apple's Lockdown Mode, available since iOS 16, significantly restricts the attack surface for spyware by disabling many features that spyware exploits. It is specifically designed for users who may be targeted by state-sponsored surveillance [10].
- Monitor for unusual device behavior. Excessive battery drain, unexpected data usage, or the device running warm without heavy use can all be indicators of background spyware activity.
The cost of these steps is negligible. The cost of a compromised device carrying sensitive business communications, client data, or strategic plans is not.
FAQ
Q: Was WhatsApp itself hacked? A: No. There was no vulnerability in WhatsApp's infrastructure or code. A completely separate, counterfeit app was created to impersonate WhatsApp. Users who installed WhatsApp only from the Apple App Store were not affected [1].
Q: How do I know if I was one of the 200 affected users? A: WhatsApp directly notified all affected users through the app and via email. If you did not receive a notification from WhatsApp, you were not identified as a target. However, if you have ever installed WhatsApp from any source other than the App Store, you should verify your installation [1].
Q: What is Asigint and why is Meta suing them? A: Asigint is an Italian company and a subsidiary of spyware vendor SIO. They created the counterfeit WhatsApp app as a surveillance tool. Meta is suing Asigint for unauthorized use of WhatsApp's brand, code, and infrastructure to distribute spyware, following the legal precedent set by Meta's successful lawsuit against NSO Group [3][6].
Q: Can this type of attack happen on Android too? A: Yes. In fact, sideloading apps is generally easier on Android than on iOS because Android allows installation from unknown sources with a single settings toggle. The same social engineering tactics apply. Always install apps only from the Google Play Store or Apple App Store [2].
Q: Does a VPN or antivirus app protect against this kind of spyware? A: A VPN does not prevent you from installing a malicious app. Some mobile threat defense solutions can detect known spyware signatures, but the most effective protection is behavioral: never install apps from unofficial sources, and verify any unusual installation requests with your IT team [9].
Social engineering is the most common entry point for targeted spyware. Building a security-aware culture is the most cost-effective defense.
References
[1] WhatsApp, "WhatsApp security advisory: counterfeit iOS application," WhatsApp Blog, Apr. 2, 2026. [Online]. Available: https://blog.whatsapp.com/
[2] L. Franceschi-Bicchierai, "WhatsApp warns 200 users about fake iOS app carrying spyware," TechCrunch, Apr. 2, 2026. [Online]. Available: https://techcrunch.com/
[3] Meta Platforms Inc., "Meta takes legal action against Asigint for WhatsApp spyware distribution," Meta Newsroom, Apr. 2, 2026. [Online]. Available: https://about.fb.com/news/
[4] European Parliament, "PEGA Committee report on the use of spyware in EU member states," European Parliament, 2023. [Online]. Available: https://www.europarl.europa.eu/
[5] Citizen Lab, "Running in circles: uncovering the clients of cyberespionage firm Circles," The Citizen Lab, University of Toronto, 2025. [Online]. Available: https://citizenlab.ca/
[6] J. Menn, "Judge finds NSO Group liable for hacking WhatsApp users," The Washington Post, 2024. [Online]. Available: https://www.washingtonpost.com/
[7] Citizen Lab, "The proliferation of commercial spyware: mapping global deployments," The Citizen Lab, University of Toronto, 2025. [Online]. Available: https://citizenlab.ca/
[8] Apple Inc., "Enterprise certificate revocations and app distribution policy updates," Apple Developer, 2025. [Online]. Available: https://developer.apple.com/
[9] SANS Institute, "2025 Security Awareness Report," SANS Institute, 2025. [Online]. Available: https://www.sans.org/security-awareness-training/
[10] Apple Inc., "About Lockdown Mode," Apple Support, 2026. [Online]. Available: https://support.apple.com/en-us/HT212650
Someone Made a Fake WhatsApp to Spy on People (Explained Simply)
TL;DR
- A company called Asigint made a fake version of WhatsApp for iPhones that secretly spied on people.
- About 200 people, mostly in Italy, were tricked into installing it.
- WhatsApp found out, kicked out the affected users to protect them, and told them to reinstall the real app.
- Meta (WhatsApp's owner) is suing the company that made the fake app.
What Happened?
Imagine you want to buy a pair of name-brand sneakers. Someone on the street offers you what looks like the exact same shoe for a great deal. You take them home, but hidden inside the sole is a tiny GPS tracker that follows you everywhere. That is basically what happened here, except with a phone app instead of sneakers.
A company called Asigint, based in Italy, built a fake version of WhatsApp for iPhones. On the outside, it looked and worked just like the real WhatsApp. On the inside, it was packed with spyware, which is software that secretly watches everything you do on your phone: your messages, your photos, your location, and more [1].
How Did People Get Tricked?
The attackers used social engineering, which is a fancy term for tricking people. Think of it like a phone call from someone pretending to be your school principal, telling you to go to a different building. It sounds official, so you follow the instructions.
In this case, targets received convincing messages telling them to install an "updated" or "special" version of WhatsApp from a link. Instead of getting the app from the real App Store (which is like buying from the official shoe store), they downloaded it from an outside source. That outside copy was the fake one with spyware built in [2].
What Did WhatsApp Do About It?
WhatsApp found about 200 people who had installed the fake app. To protect them, WhatsApp immediately logged all of them out, which is like changing all the locks on their house so the spy cannot get back in. Then WhatsApp told each affected person to delete the fake app and download the real one only from the Apple App Store [1].
Meta, the company that owns WhatsApp, is also suing Asigint in court. This follows a similar lawsuit Meta won against another spyware company called NSO Group back in 2024 [3].
How Can You Stay Safe?
The number one rule is simple: only download apps from the official App Store on your iPhone or Google Play Store on Android. If anyone sends you a link to download an app directly, even if it looks real, do not tap it. Real apps do not need to be installed from random links.
You can also check your iPhone for anything suspicious by going to Settings, then General, then VPN and Device Management. If you see anything you do not recognize, remove it. And if something about your phone seems off (battery draining fast, phone getting hot for no reason), that could be a sign something is running in the background that should not be [4].
The best way to stay safe is to only get apps from official stores and be suspicious of messages asking you to install anything.
FAQ
Q: Was the real WhatsApp hacked? A: No. The real WhatsApp app was not hacked or broken into. This was a completely separate fake app made to look like WhatsApp. If you got WhatsApp from the App Store, you are fine [1].
Q: How do I know if I have the fake app? A: WhatsApp directly contacted all 200 affected users. If you did not get a message from WhatsApp about this, you almost certainly have the real version. You can double-check by making sure your WhatsApp came from the Apple App Store [1].
Q: What is spyware? A: Spyware is software that hides on your device and secretly collects information like your messages, calls, photos, and location. It runs in the background, so you usually cannot tell it is there without special tools [2].
Q: Can this happen on Android phones too? A: Yes. It is actually easier to install apps from outside the official store on Android, so fake apps are a risk there too. The same rule applies: always get your apps from the Google Play Store, and do not install apps from random links [3].
References
[1] WhatsApp, "WhatsApp security advisory: counterfeit iOS application," WhatsApp Blog, Apr. 2, 2026. [Online]. Available: https://blog.whatsapp.com/
[2] L. Franceschi-Bicchierai, "WhatsApp warns 200 users about fake iOS app carrying spyware," TechCrunch, Apr. 2, 2026. [Online]. Available: https://techcrunch.com/
[3] J. Menn, "Judge finds NSO Group liable for hacking WhatsApp users," The Washington Post, 2024. [Online]. Available: https://www.washingtonpost.com/
[4] Apple Inc., "About Lockdown Mode," Apple Support, 2026. [Online]. Available: https://support.apple.com/en-us/HT212650