Recent investigations by ESET researchers have brought to light two distinct Android spyware campaigns that exploit popular messaging apps' reputations. These campaigns are masquerading behind what appear to be secure messaging platforms, namely Signal and ToTok, but are in fact sophisticated spyware known as ProSpy and ToSpy.
Deceptive Distribution Methods
The spyware is disseminated through phishing websites and fake application marketplaces, tricking users into downloading them as legitimate apps. ProSpy is deceitfully branded as a 'Signal Encryption Plugin' or 'ToTok Pro,' while ToSpy specifically mimics ToTok nearly to perfection, including its interface and functionalities.
Intrusive Permissions and Data Exfiltration
Once installed, ProSpy and ToSpy aggressively seek various permissions from users. ProSpy will request access to SMS, contacts, and storage, while cleverly altering its icon and application name to seamlessly integrate with system apps, making detection challenging. With these permissions, ProSpy exfiltrates a wide range of significant data such as device metadata, SMS, contacts, media files, archived documents, APKs, and lists of installed applications to its command-and-control servers.
ToSpy, on the other hand, characterized since its inception in mid-2022 and flagged again in 2025, aims to extract .ttkmbackup files used for chat backups, collecting valuable documents and media. This spyware encrypts the pilfered data using the AES-CBC encryption protocol with a hardcoded cryptographic key, adding a layer of complexity to uncover its operations. It also boasts the functionality to trigger manual APK updates from remote sources, further enhancing its data capturing capabilities.
Persistence and Targeted Regional Campaigns
Both variants of spyware maintain resilience and persistence on infected devices through mechanisms such as foreground services, AlarmManager restarts, and boot broadcast receivers. What is particularly concerning is the targeted nature of these campaigns, which appear to deliberately focus on users in the United Arab Emirates, leveraging ToTok's widespread use and popularity in the region to maximize their effectiveness.
In response to these findings, ESET has proactively reported them to Google. Consequently, Google Play Protect has started blocking known versions of ProSpy and ToSpy, mitigating the risk to a significant extent. However, this serves as a constant reminder for Android users to be vigilant about their app sources and mindful about granting permissions, ensuring they safeguard their personal and sensitive information from deceptive spyware threats.
