Cybersecurity researchers have discovered two Android spyware campaigns, dubbed ProSpy and ToSpy, that impersonate apps such as Signal and ToTok to target users in the United Arab Emirates (U.A.E.).
Slovak cybersecurity company ESET said the malicious apps are distributed via fake websites and social engineering to trick unsuspecting users into downloading them. Once installed, both spyware strains establish persistent access to compromised Android devices and exfiltrate data.
“Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services,” ESET researcher Lukáš Štefanko said. “Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app.”
The ProSpy campaign, discovered in June 2025, is believed to have been ongoing since 2024, using deceptive websites masquerading as Signal and ToTok to host booby-trapped APK files that claim to be upgrades to the respective apps, namely Signal Encryption Plugin and ToTok Pro.
The use of ToTok as a lure is no coincidence, as the app was removed from Google Play and the Apple App Store in December 2019 over concerns that it acted as a spying tool for the U.A.E. government, harvesting users’ conversations, locations, and other data.
ToTok’s developers subsequently claimed the removal was an “attack perpetrated against our company by those who hold a dominant position in this market” and that the app does not spy on users.
The rogue ProSpy apps are designed to request permissions to access contacts, SMS messages, and files stored on the device. They are also capable of exfiltrating device information.
ESET said its telemetry also flagged another Android spyware family actively distributed in the wild and targeting users in the same region around the same time ProSpy was detected. The ToSpy campaign, which likely began on June 30, 2022, and is currently ongoing, has used fake sites impersonating the ToTok app to deliver the malware.
The regionally focused campaigns concentrate on stealing sensitive data files, media, contacts, and chat backups. The ToTok Pro app propagated in the ProSpy cluster features a “CONTINUE” button that, when tapped, redirects the user to the official download page in the web browser and instructs them to download the real app.
“This redirection is designed to reinforce the illusion of legitimacy,” ESET said. “Any future launches of the malicious ToTok Pro app will instead open the real ToTok app, effectively masking the spyware’s presence. However, the user will still see two apps installed on the device (ToTok and ToTok Pro), which could be suspicious.”
The Signal Encryption Plugin, in a similar manner, includes an “ENABLE” button to deceive users into downloading the legitimate encrypted messaging app by visiting the signal[.]org website. But unlike ToTok Pro, the rogue Signal app’s icon is changed to impersonate Google Play Services once the victim grants it all the necessary permissions.
Regardless of which app is installed, the spyware embedded in it stealthily exfiltrates data before the user taps CONTINUE or ENABLE. This includes device information, SMS messages, contact lists, files, and a list of installed applications.
“Similarly to ProSpy, ToSpy also includes steps designed to further deceive the victim into believing that the malware they just installed is a legitimate app,” Štefanko said. “After the user launches the malicious ToTok app, there are two possible scenarios: either the official ToTok app is installed on the device or it isn’t.”
“If the official ToTok app is not installed on the device, ToSpy attempts to redirect the user to the Huawei AppGallery, either through an already installed Huawei app or via the default browser, suggesting the user download the official ToTok app.”
If the app is already installed on the device, it displays a fake screen to give the impression that it is checking for app updates before seamlessly launching the official ToTok app. However, in the background, it collects user contacts, files matching certain extensions, device information, and ToTok data backups (*.ttkmbackup).
To achieve persistence, both spyware families run a foreground service that displays a persistent notification, use Android’s AlarmManager to repeatedly restart the foreground service if it gets terminated, and automatically launch the necessary background services upon a device reboot.
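The persistence and data-access pattern described above (boot-time receiver, foreground service, and SMS/contacts/storage permissions under a lure app name) can be triaged statically from a decoded AndroidManifest.xml. The script below is an added example, not ESET's tooling or anything from the malware; the manifest it parses is constructed for illustration, and the permission and intent names are standard Android identifiers.

```python
"""Heuristic manifest triage for the ProSpy/ToSpy-style pattern described above.
The sample manifest is constructed for illustration, not taken from either family."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data-access permissions the article associates with the two spyware families.
DATA_PERMS = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
              "android.permission.READ_EXTERNAL_STORAGE"}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
LURE_LABELS = {"totok pro", "signal encryption plugin"}

# Constructed sample manifest exhibiting every indicator at once.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.totokpro">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="ToTok Pro">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>"""


def triage(manifest_xml: str) -> dict:
    """Return the indicators found plus a simple additive score (0-6)."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A receiver registered for BOOT_COMPLETED is how the services relaunch after reboot.
    boot_receiver = any(a.get(ANDROID_NS + "name") == BOOT_ACTION
                        for r in root.iter("receiver") for a in r.iter("action"))
    # A declared service plus the FOREGROUND_SERVICE permission matches the
    # persistent-notification foreground service the article describes.
    has_service = root.find(".//service") is not None
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    findings = {
        "data_permissions": sorted(perms & DATA_PERMS),
        "boot_receiver": boot_receiver,
        "foreground_service": "android.permission.FOREGROUND_SERVICE" in perms and has_service,
        "lure_label": label.strip().lower() in LURE_LABELS,
    }
    findings["score"] = (len(findings["data_permissions"]) + int(findings["boot_receiver"])
                         + int(findings["foreground_service"]) + int(findings["lure_label"]))
    return findings
```

Run it against the output of `apktool d` (the decoded manifest) rather than the binary AndroidManifest.xml inside the APK; a score near the maximum is a prompt for manual review, not a verdict.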
ESET said the campaigns are being tracked separately due to differences in delivery methods and infrastructure, despite several commonalities in the malware deployed. It is currently not known who is behind the activity.
“Users should remain vigilant when downloading apps from unofficial sources and avoid enabling installation from unknown origins, as well as when installing apps or add-ons outside of official app stores, especially those claiming to enhance trusted services,” the company added.