Two highly sophisticated spyware campaigns have been discovered, targeting Android users by imitating popular secure communication apps, Signal and ToTok. These operations, uncovered by ESET researchers, are primarily focused on residents of the United Arab Emirates (UAE), employing deceptive websites and social engineering tactics to distribute new malware families.
Deceptive Distribution Strategies
The investigation revealed two distinct spyware families affecting Android devices: Android/Spy.ProSpy and Android/Spy.ToSpy. ProSpy masquerades as upgrades or plugins for both Signal and ToTok, whereas ToSpy exclusively targets ToTok by impersonating the app itself. Crucially, neither of these malicious applications was available through official app stores, forcing victims to download APK packages from third-party websites.
The ProSpy spyware was distributed using phishing websites, such as signal.ct[.]ws, and a fake Signal Encryption Plugin, which required users to enable installations from unknown sources. Additionally, a counterfeit website resembling the Samsung Galaxy Store was employed to dupe users into downloading a fraudulent ToTok app. ProSpy, although discovered in June 2025, has been active since 2024. Users unwittingly downloaded files disguised as "Signal Encryption Plugin" and "ToTok Pro," which then requested extensive permissions for accessing personal data such as contacts, SMS messages, and device files.
Technical Advancements in Spyware
ProSpy’s method of deception involves changing its appearance to mimic "PlayServices" and directing users to legitimate services to conceal its operations. Meanwhile, ToSpy demonstrates targeted regional operations, with confirmed instances in the UAE. Researchers identified six ToSpy samples sharing identical malicious code, suggesting a single threat actor behind these coordinated attacks since mid-2022.
ToSpy specifically aims at extracting chat history from ToTok backup files with the .ttkmbackup extension. Both spyware families exhibit systematic capabilities to exfiltrate device information, SMS messages, contact lists, and various files, maintaining their presence through foreground services and persistent mechanisms.
One notable aspect of ToSpy's sophistication involves encrypting exfiltrated data using AES-CBC encryption with a hardcoded key before sending it to command-and-control servers. Despite these innovations, Google Play Protect is equipped to defend against known versions of this malware, and ESET has actively shared its findings with Google as part of the App Defense Alliance.
Preventive Measures and User Vigilance
In light of these discoveries, users are advised to refrain from downloading apps from unofficial sources and to keep the "unknown sources" option disabled. This situation underscores the evolving nature of mobile spyware and highlights the importance of vigilance when downloading communication apps, particularly in regions such as the UAE, where certain apps may be restricted or unavailable through official channels.
Comments (0)