

Ethical Hacking News

Malware Impersonation: ProSpy and ToSpy Campaigns Target Android Users in the UAE



ProSpy, ToSpy malware pose as Signal and ToTok to steal data in UAE

Recent research by ESET has uncovered two Android spyware campaigns, ProSpy and ToSpy, that target users in the United Arab Emirates (UAE) by impersonating apps like Signal and ToTok. These campaigns use fake websites and social engineering tactics to spread malware that steals sensitive device data. This highlights the importance of vigilance when downloading apps from unofficial sources and keeping security updates and patches up to date.



  • ProSpy and ToSpy malware campaigns impersonate Signal and ToTok, respectively, to infect Android users with spyware.
  • The campaigns target Android users in the UAE through fake websites and social engineering tactics.
  • The ProSpy campaign uses fake Signal websites to distribute malicious APKs that request access to contacts, SMS, and files.
  • The ToSpy campaign relies on phishing sites mimicking legitimate app stores, including a fake Galaxy Store, to trick users into downloading malware.
  • Both campaigns employ tactics similar to those used in previous malware campaigns to maintain persistence and steal data.
  • User vigilance is crucial when downloading apps from unofficial sources, as is keeping security updates and patches up to date.




    The world of cyber threats has seen its fair share of sophisticated campaigns aimed at deceiving users into installing malicious software on their devices. However, recent research by cybersecurity firm ESET has uncovered a particularly insidious campaign that exploits the trust users place in well-known apps like Signal and ToTok to infect Android users with malware.

    According to researchers, ProSpy and ToSpy are two distinct spyware campaigns targeting Android users in the United Arab Emirates (UAE) through fake websites and social engineering tactics. Both malicious apps impersonate upgrades or plugins for the Signal and ToTok messaging apps, respectively, which makes them appear legitimate. The campaigns were tracked separately due to their different delivery methods and infrastructure.

    The ProSpy campaign was first discovered in June 2025, with researchers noting that it has been active since 2024. It uses fake websites impersonating Signal to distribute malicious APKs (Signal Encryption Plugin/ToTok Pro) that request access to contacts, SMS, and files before exfiltrating sensitive device data. This campaign primarily targets users in the UAE.

    The ToSpy campaign was also first detected in June 2025, with researchers identifying six samples sharing identical code and developer certificates traced back to mid-2022. Distribution of this malware relied heavily on phishing sites mimicking legitimate app stores, including a fake Galaxy Store that tricked users into downloading a malicious version of the ToTok app.

    Both campaigns employ tactics similar to those used in previous malware campaigns. For instance, they maintain persistence by running foreground services with persistent notifications and using AlarmManager to auto-restart if killed. This allows them to remain active for continuous data theft while minimizing user awareness.
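The permission requests and foreground-service persistence described above can be checked in a decoded AndroidManifest.xml before an APK is trusted. The following is an added example, not code from ESET or from the original article; the function name, the escalation rule and the sample manifest are assumptions made for illustration. A matching profile is a triage signal rather than a verdict, since legitimate messengers request similar permissions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Data access the article says the fake apps request: contacts, SMS, files.
DATA_PERMS = {
    "contacts": {P + "READ_CONTACTS"},
    "sms": {P + "READ_SMS"},
    "files": {P + "READ_EXTERNAL_STORAGE", P + "MANAGE_EXTERNAL_STORAGE"},
}
FOREGROUND = P + "FOREGROUND_SERVICE"
# Assumption: exact-alarm permissions are only a weak hint of AlarmManager
# restarts, because inexact alarms need no permission at all.
ALARM_HINTS = {P + "SCHEDULE_EXACT_ALARM", P + "USE_EXACT_ALARM"}

def triage_manifest(xml_text):
    """Return the persistence/data-access signals found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    services = [e.get(ANDROID + "name") for e in root.iter("service")]
    data = sorted(k for k, names in DATA_PERMS.items() if perms & names)
    foreground = FOREGROUND in perms and bool(services)
    return {
        "package": root.get("package"),
        "data_access": data,
        "foreground_service": foreground,
        "alarm_hint": bool(perms & ALARM_HINTS),
        # Escalate only when every data category and a foreground service co-occur.
        "escalate": len(data) == len(DATA_PERMS) and foreground,
    }

# Constructed sample manifest; the package and service names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplugin">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```
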

    ProSpy and ToSpy share similar methods but are tracked separately because of differences in delivery methods and infrastructure. For both, researchers emphasize the importance of vigilance when downloading apps from unofficial sources and of not enabling installation from unknown origins, especially for apps claiming to enhance trusted services.

    The campaigns also highlight the importance of keeping security updates and patches for third-party app stores up to date. It is crucial for users in the UAE, as well as elsewhere, to remain cautious about what they download and install on their devices, as sophisticated malware can often masquerade as legitimate apps in order to gain trust and avoid detection.

    In conclusion, ProSpy and ToSpy represent a new level of sophistication in Android spyware campaigns that impersonate trusted apps to steal data from unsuspecting users. It is essential for individuals to prioritize digital security and take steps to protect themselves from these types of threats.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Malware-Impersonation-ProSpy-and-ToSpy-Campaigns-Target-Android-Users-in-the-UAE-ehn.shtml

  • https://securityaffairs.com/182907/uncategorized/prospy-tospy-malware-pose-as-signal-and-totok-to-steal-data-in-uae.html


  • Published: Fri Oct 3 11:12:38 2025 by llama3.2 3B Q4_K_M












