Ethical Hacking News
Android spyware campaigns impersonating popular apps like Signal and ToTok have been discovered, targeting users in the U.A.E. with stealthy malware that exfiltrates sensitive data files, media, contacts, and chat backups. Users are warned to be cautious when downloading apps from unofficial sources.
Two Android spyware campaigns impersonating Signal and ToTok have been discovered targeting users in the UAE. The malicious apps, dubbed ProSpy and ToSpy, are distributed through fake websites and social engineering that trick users into sideloading them rather than through official app stores. ToTok is a natural lure: the app was pulled from the official stores in 2019 amid allegations that it was itself a spying tool. Both strains establish persistent access to compromised devices and exfiltrate sensitive files, media, contacts, and chat backups.
Cybersecurity researchers have discovered two Android spyware campaigns that impersonate the messaging apps Signal and ToTok to target users in the United Arab Emirates (U.A.E.). The malicious apps, dubbed ProSpy and ToSpy, are distributed via fake websites and social engineering that trick users into downloading and installing them outside the official app stores.
According to Slovak cybersecurity company ESET, the ProSpy campaign was discovered in June 2025 and is believed to have been active since 2024. The campaigns rely on deceptive websites masquerading as Signal and ToTok sites to host booby-trapped APK files presented as upgrades or add-ons for the respective apps, named Signal Encryption Plugin and ToTok Pro.
The use of ToTok as a lure is no coincidence: the app was removed from Google Play and Apple's App Store in December 2019 over concerns that it functioned as a spying tool for the U.A.E. government, harvesting users' conversations, locations, and other data. ToTok's developers subsequently claimed the removal was an "attack perpetrated against our company by those who hold a dominant position in this market" and maintained that the app does not spy on users.
Both families depend on the victim believing the app is legitimate. In the ProSpy campaign, an "ENABLE" button on the fake website leads users into downloading the Signal Encryption Plugin. ToSpy goes a step further after installation: once the user has granted it all the permissions it requests, it swaps its icon for one that impersonates Google Play Services, so that the spyware blends in with system components rather than standing out as a newly installed app.
Once installed, both spyware strains establish persistent access to the compromised device and exfiltrate data. They request permissions to read contacts, SMS messages, and files stored on the device, and they collect device information as well as ToTok data backups.
ESET said its telemetry also flagged a second Android spyware family, ToSpy, actively distributed in the wild against users in the same region around the time ProSpy was detected. The ToSpy campaign likely began on June 30, 2022, and is still ongoing; it has relied on fake sites impersonating the ToTok app to deliver the malware.
Both regionally focused campaigns center on stealing sensitive files, media, contacts, and chat backups. To avoid raising suspicion, the ToTok Pro app spread in the ProSpy cluster features a "CONTINUE" button that opens the official download page in the web browser and instructs the user to install the genuine app, while the spyware itself stays installed.
To achieve persistence, both families run a foreground service that displays a persistent notification, use Android's AlarmManager to repeatedly restart that service if it is terminated, and register to relaunch the necessary background services after a device reboot.
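To make those indicators concrete, the following is an added example (not ESET's or the article's code) that triages a decoded AndroidManifest.xml, as produced by apktool, for the combination of boot receiver, foreground service and exact-alarm permission described above, together with the contacts, SMS and storage permissions listed earlier. Both manifests and the package names com.example.totokpro and com.example.weather are constructed for illustration; the Google Play Services label check is my own heuristic, not something the article reports.

```python
"""Triage a decoded AndroidManifest.xml for the persistence pattern described
above (boot receiver + foreground service + alarm-driven restarts) and for the
data-access permissions the spyware needs (contacts, SMS, files).

Added example, not code from ESET or the article.  The manifests below are
constructed for illustration; the package names are hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Permissions that cover the data the campaigns are reported to steal.
COLLECTION_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
}
EXACT_ALARM_PERMS = {
    "android.permission.SCHEDULE_EXACT_ALARM",
    "android.permission.USE_EXACT_ALARM",
}


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text: str) -> dict:
    """Return the package, its label and a list of human-readable findings."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package") or ""
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = (_attr(app, "label") or "") if app is not None else ""

    # A receiver filtering on BOOT_COMPLETED is how a service gets relaunched
    # after reboot; it only fires if the matching permission is also held.
    boot_receiver = any(
        _attr(action, "name") == BOOT_ACTION
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    )
    foreground_service = any(_attr(s, "foregroundServiceType") for s in root.iter("service"))

    findings = []
    if boot_receiver and "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("boot receiver: relaunches its services after reboot")
    if foreground_service and "android.permission.FOREGROUND_SERVICE" in perms:
        findings.append("foreground service: persistent notification, survives backgrounding")
    # Exact alarms need a permission; inexact AlarmManager alarms do not, so a
    # missing permission here does NOT rule out alarm-driven restarts.
    if perms & EXACT_ALARM_PERMS:
        findings.append("exact alarms: AlarmManager can restart the service when it is killed")
    collected = sorted(p.rsplit(".", 1)[1] for p in perms & COLLECTION_PERMS)
    if collected:
        findings.append("data-access permissions: " + ", ".join(collected))
    # Heuristic of my own (not from the article): a non-Google package whose
    # label claims to be Google Play Services is impersonating a system component.
    if "google play services" in label.lower() and pkg != "com.google.android.gms":
        findings.append(f"label '{label}' on package {pkg}: impersonates Google Play Services")

    return {"package": pkg, "label": label, "findings": findings, "score": len(findings)}


# Constructed sample: what a sideloaded "ToTok Pro" style manifest could look like.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.totokpro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Google Play Services" android:icon="@drawable/gms">
    <service android:name=".SyncService" android:foregroundServiceType="dataSync"/>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only talks to the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(f"{result['package']} ({result['label']}): score {result['score']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Two caveats when using a check like this. First, the same foreground-service plus boot-receiver pattern is used by plenty of legitimate apps (messengers, VPNs, fitness trackers), so a high score is a reason to look at the APK's origin and signer, not a verdict on its own. Second, AlarmManager restarts only need a permission when the alarms are exact, so an app that schedules inexact repeating alarms will show nothing in the manifest; confirming that behaviour requires looking at the decompiled code or observing the process being respawned on the device.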
ESET advised users to remain vigilant when downloading apps from unofficial sources, to avoid enabling installation from unknown sources, and to be wary of apps or add-ons distributed outside official app stores, especially those claiming to enhance trusted services such as Signal. The company added that it is not currently known who is behind the activity.
The campaigns underline the risk of sideloading: an APK that claims to extend a trusted app can request the same broad permissions and persist across reboots as any other, and Signal in particular does not distribute encryption add-ons, since its encryption is built into the app itself. Users should treat any "plugin" or "Pro" build offered outside the official stores as suspect and remove such apps if already installed.
Related Information:
https://www.ethicalhackingnews.com/articles/Beware-of-Android-Spyware-The-ToTok-Pro-and-Signal-Encryption-Plugin-Scam-ehn.shtml
https://thehackernews.com/2025/10/warning-beware-of-android-spyware.html
Published: Thu Oct 2 07:22:29 2025 by llama3.2 3B Q4_K_M