Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Android Spyware Campaigns: A Threat to User Privacy


Android spyware campaigns impersonate Signal and ToTok messengers in a bid to steal user data.

  • Researchers have discovered two new spyware campaigns targeting Android users: ProSpy and ToSpy.
  • The campaigns impersonate popular messaging apps Signal and ToTok, tricking users into installing malicious software.
  • ProSpy malware requests access to contacts, SMS, and files, while ToSpy collects documents, images, video, and chat backups.
  • The spyware uses three persistence mechanisms on infected devices to evade detection.
  • ESET has shared a list of indicators of compromise (IoCs) for the campaigns, but attribution remains inconclusive.



    Android users are once again facing a new threat to their online privacy, as researchers have discovered two new spyware campaigns that impersonate the popular messaging apps Signal and ToTok. The ProSpy and ToSpy campaigns are designed to trick users into installing malicious software on their devices, which is then used to steal sensitive information such as contacts, messages, and files.

    The ProSpy campaign was first discovered by researchers at cybersecurity company ESET in June 2024, but it is believed that the activity may have started even earlier. The malicious campaigns are targeting users in the United Arab Emirates and are designed to distribute fake Signal Encryption Plugin and ToTok app downloads through websites that impersonate the official Signal website and the Samsung Galaxy Store.

    The fake Signal plugin website. Source: ESET
    BleepingComputer tried accessing the fraudulent websites, but most of them were offline and one redirected to the official ToTok website.
    When executed, the ProSpy malware samples request access to the contact list, SMS, and files, which are typical permissions for messenger apps. The malware then exfiltrates device information, stored SMS texts, the contact list, files, ToTok backup files, and a list of installed applications.

    The diagram below explains how a ProSpy compromise works. The threat actor made an effort to avoid raising user suspicion by redirecting the victim to the official download site when the legitimate app was missing from the device.

    The ProSpy execution flow. Source: ESET
    The ToSpy campaign, on the other hand, is believed to have originated in 2022 and is still active today; according to ESET, indicators found during its investigation suggest the activity may date back that far. This campaign distributes fake ToTok app downloads through websites that impersonate the official ToTok website and third-party app stores.

    The fake ToTok app distributed in this campaign prompts victims to grant contact and storage access permissions, and collects the associated data, focusing on documents, images, video, and ToTok chat backups (.ttkmbackup files). ESET's report notes that all exfiltrated data is first encrypted using the AES symmetric encryption algorithm in CBC mode.

    For stealth, ToSpy launches the real ToTok app when opened, if it's available on the device. If the app is not present, the malware tries to open the Huawei AppGallery (either the legitimate app or the default web browser) so the user can get the official ToTok app.

    Both spyware families use three persistence mechanisms on infected devices:

  • abuse of the AlarmManager Android system API to restart automatically if killed;
  • a foreground service with a persistent notification, so the system treats the process as high priority;
  • registration for BOOT_COMPLETED broadcast events, so the spyware restarts after a device reboot without user interaction.
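The persistence hooks and data permissions listed above are visible in an app's manifest, so an analyst can triage a decoded APK for the same combination. The following is an added example written for this page, not code from ESET or BleepingComputer; it assumes a decoded AndroidManifest.xml (as produced by apktool or similar) and uses a constructed sample. AlarmManager use leaves no manifest trace unless exact alarms are requested, so it is only partially covered.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data-access permissions matching the collection described for ProSpy/ToSpy.
DATA_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}
# Permissions tied to the persistence mechanisms in the report. Plain (inexact)
# AlarmManager use needs no permission, so only exact alarms show up here.
PERSISTENCE_PERMS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.SCHEDULE_EXACT_ALARM",
}

# Constructed sample manifest (hypothetical package name) for demonstration.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplugin">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return the data/persistence indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    boot_receiver = any(a.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
                        for r in root.iter("receiver") for a in r.iter("action"))
    fg_service = ("android.permission.FOREGROUND_SERVICE" in perms) or any(
        s.get(ANDROID_NS + "foregroundServiceType") for s in root.iter("service"))
    findings = {
        "data_permissions": sorted(perms & DATA_PERMS),
        "persistence_permissions": sorted(perms & PERSISTENCE_PERMS),
        "boot_receiver": boot_receiver,
        "foreground_service": fg_service,
    }
    # Messengers legitimately ask for contacts/SMS, so flag only the combination
    # of broad data access with a self-restart hook, and leave the verdict to review.
    persistent = boot_receiver or fg_service or bool(findings["persistence_permissions"])
    findings["verdict"] = "review" if findings["data_permissions"] and persistent else "low"
    return findings
```

Run it against a real decoded manifest by passing the file contents to `triage_manifest`; a "review" verdict is a prompt for manual analysis, not a malware determination.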

    ESET has shared a comprehensive list of indicators of compromise (IoCs) associated with the ProSpy and ToSpy campaigns, but attribution remains inconclusive. Android users are advised to download apps only from official or trusted repositories, or directly from the publisher's website, and to keep the Play Protect service active on their device so that already known threats are detected and disabled.

    The discovery of these malicious campaigns highlights the importance of staying vigilant when it comes to online security. With the rise of smartphone usage and social media platforms, the threat landscape is more complex than ever before. Android users need to be aware of the risks associated with installing apps from third-party sources and must take steps to protect themselves.

    In conclusion, the ProSpy and ToSpy campaigns are a reminder that the world of cybersecurity is constantly evolving and that we must stay one step ahead of these threats. By being informed and taking proactive measures, we can reduce our risk of falling victim to these types of attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Android-Spyware-Campaigns-A-Threat-to-User-Privacy-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/android-spyware-campaigns-impersonate-signal-and-totok-messengers/

  • https://thehackernews.com/2025/02/hackers-exploit-signals-linked-devices.html

  • https://thehackernews.com/2025/10/warning-beware-of-android-spyware.html

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/


  • Published: Thu Oct 2 06:58:42 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
