Android Spyware Aims at UAE Messaging App Users


Undocumented Malware Found in Phony Messaging Apps

The Remah Desert in the United Arab Emirates (Image: Robert Harding Video/Shutterstock)

Security researchers have uncovered two previously undocumented Android spyware campaigns posing as updates for secure messaging applications Signal and ToTok. These campaigns predominantly target users in the United Arab Emirates, raising significant cybersecurity concerns.

Eset, a cybersecurity firm, has identified the two malware families—referred to as “ProSpy” and “ToSpy.” Both systematically extract sensitive user data. Although the ProSpy campaign was first detected in June, there are indications that it has been active since 2024, pointing to a prolonged spying operation.

The deception is executed by persuading users to sideload malicious apps under the guise of legitimate upgrades. For instance, the counterfeit ToTok application directs users to download the real app while remaining installed as “ToTok Pro.” Similarly, the bogus Signal upgrade prompts users to “enable” it, triggering the legitimate app in the process.

Upon installation, these malicious applications seek extensive permissions, including access to contacts, SMS messages, and device storage. Notably, ToSpy specifically targets .ttkmbackup files, which are used to manage ToTok backups, indicating a clear focus on extracting chat histories.

Lukáš Štefanko, a senior malware researcher at Eset, has stated that there is no current evidence linking these spyware campaigns to any known surveillance activities conducted by UAE authorities. “We haven’t identified a connection to any previously reported surveillance organization,” he affirmed, emphasizing that the telemetry does not suggest individual targeting.

While details surrounding the scope of infections remain ambiguous, the choice to impersonate both Signal and ToTok appears to reflect a strategic approach to engage varied audiences. Štefanko notes that while both malware strains share common objectives, their target demographics may differ significantly.

Despite having been in the wild for several years, ToSpy has not received major technical enhancements, suggesting that its utility lies primarily in surveillance rather than financial gain. Štefanko elaborated on this, stating, “The threat appears more aligned with surveillance goals than with profit-centered cybercrime.”

Distribution methods include phishing domains that cleverly mimic legitimate app marketplaces, including a counterfeit Samsung Galaxy Store. Victims are typically guided to manually download APK files, evading Google Play’s protection mechanisms. Following installation, ProSpy and ToSpy employ Android persistence techniques to ensure they remain operational, even after device reboots.
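The two preceding indicators, a broad data-access permission set (contacts, SMS, storage) combined with a component that restarts the app after reboot, are exactly what an analyst checks first when triaging a sideloaded APK. The script below is an added example for this article, not ESET's tooling or code from the ProSpy or ToSpy samples: it parses a decoded AndroidManifest.xml, collects the requested permissions, finds receivers registered for the boot-completed broadcast, and scans decoded strings for the `.ttkmbackup` extension the article names. The manifest and string list are constructed; the package and component names are placeholders, and the risk weights and threshold are this example's own assumptions.

```python
"""Static triage of a decoded Android manifest for spyware-style indicators.

Added example, not ESET's code or code from the samples discussed.  The
manifest and string list below are constructed; package/component names are
placeholders.  Permission and action strings are real Android identifiers;
the weights and threshold are assumptions for illustration only.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed stand-in for a decoded APK's AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.messenger">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

# Constructed strings, as a decompiler would pull from the DEX/resources.
SAMPLE_STRINGS = [
    "/storage/emulated/0/",
    "chat_backup_2024.ttkmbackup",
    "Update available",
    ".TTKMBACKUP",
]

# Permissions matching the data-collection profile described in the article
# (contacts, SMS, device storage).  Weights are this example's assumption.
DATA_PERMISSIONS = {
    "android.permission.READ_CONTACTS": 2,
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.MANAGE_EXTERNAL_STORAGE": 2,
}


def requested_permissions(manifest_xml: str) -> set:
    """All <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def boot_receivers(manifest_xml: str) -> list:
    """Receiver components listening for BOOT_COMPLETED: the usual manifest
    footprint of an app that relaunches itself after a device reboot."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            found.append(receiver.get(NAME, "<unnamed>"))
    return found


def backup_file_references(strings: list) -> list:
    """Strings referring to ToTok backup files, matched case-insensitively."""
    return [s for s in strings if ".ttkmbackup" in s.lower()]


def triage(manifest_xml: str, strings: list) -> dict:
    """Score the indicators; 'review' flags the sample for analyst attention
    (a heuristic for prioritisation, not a malware verdict)."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(p for p in perms if p in DATA_PERMISSIONS)
    score = sum(DATA_PERMISSIONS[p] for p in hits)
    receivers = boot_receivers(manifest_xml)
    if receivers:
        score += 2  # persistence across reboots
    backups = backup_file_references(strings)
    if backups:
        score += 2  # interest in another app's chat backups
    return {
        "data_permissions": hits,
        "boot_receivers": receivers,
        "backup_refs": backups,
        "score": score,
        "review": score >= 6,  # threshold is an assumption
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

Run against the constructed manifest, the sample scores 10 (permissions 6, boot receiver 2, backup references 2) and is flagged for review. In practice the manifest and strings would come from a decoded APK (for instance via apktool output), and the weights would be tuned against a baseline of benign messaging apps, which legitimately request some of these permissions on their own.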

Eset has alerted Google about these findings; however, as of now, no action has been taken to dismantle the facilitating domains. The persistence of both ProSpy and ToSpy thus continues to present a looming surveillance threat to privacy-aware users of Signal and ToTok within the UAE and potentially beyond.
