ESET researchers have unearthed two unprecedented Android spyware campaigns targeting individuals searching for secure messaging applications like Signal and ToTok. By exploiting fake websites and social engineering, attackers have managed to spread these malevolent tools effectively.
Two distinct spyware families were identified in the ESET research: Android/Spy.ProSpy and Android/Spy.ToSpy. The former masquerades as updates or enhancements for the Signal app and the now-defunct ToTok app, whereas the latter impersonates the ToTok app itself. The ToSpy campaign is still active, with its command-and-control servers operational at the time of the research.
Distribution Through Deceptive Online Channels
Notably, neither of the spyware-laden apps could be found in official app stores; victims had to install them manually from bogus third-party sites. ESET researcher Štefanko explained how one such site mimicked the Samsung Galaxy Store, tricking users into downloading a trojanized version of the ToTok app. Once installed, both spyware variants run persistently in the background, continually siphoning sensitive data from affected Android devices.
Campaign investigations revealed a pattern of phishing and counterfeit app stores, indicative of regionally focused operations, specifically targeting users in the United Arab Emirates. The ProSpy campaign, first unearthed in June 2025, suggests activity dating back to 2024. Its distribution method via forged websites mimicking Signal and ToTok highlights a sophisticated layer of maliciousness, further evidenced by the domain suffix
Pervasive Data Exfiltration
When first launched, these spyware apps request access to contacts, SMS messages, and local files. If the permissions are granted, ProSpy silently transmits this data in the background. Additional payloads such as the Signal Encryption Plugin collect and exfiltrate extensive device details, stored messages, contact lists, and even chat backups, including multimedia content.
In a concerning observation dated June 2025, ESET telemetry picked up activity from the Android/Spy.ToSpy family on a device within the UAE. Investigators unearthed four fraudulent distribution platforms purporting to host the ToTok app. Silent yet efficient, the ToSpy spyware covertly amasses and relays contacts, device information, chat histories, multimedia files, and sensitive documents.
Precautionary Measures and Recommendations
The research underscores a critical piece of advice: users must exercise caution when downloading applications from unofficial portals. Avoid enabling installation from unknown sources, and be wary of apps that claim to enhance trusted services, since such claims frequently conceal malicious functionality. This caution is especially important for widely trusted applications and services, advises ESET researcher Štefanko.
This developing situation serves as a stark reminder of the intricate web of cyber threats lurking in the digital realm, emphasizing the perennial necessity for vigilance and adherence to safe online practices.