A covert espionage operation has been active across the Middle East since 2022, employing counterfeit versions of trusted messaging apps to infiltrate Android devices with a spyware known as ProSpy. This malicious software masquerades as legitimate apps like Signal, ToTok, and Botim, frequently used by journalists and activists for secure communication.
Discovery of the Espionage Campaign
The espionage activities came to light in August 2025 when Access Now’s Digital Security Helpline started probing a surge of phishing attacks targeting Egyptian journalists and opposition figures. Their investigation unveiled Android malware linked to these attacks, prompting further exploration into its origins.
This inquiry exposed a wider espionage network affecting several countries, including Egypt, Bahrain, the UAE, Saudi Arabia, Lebanon, and even extending to the UK and potentially the US.
Connections to BITTER APT
Analysts from Lookout Threat Intelligence identified this campaign as a probable hack-for-hire scheme connected to BITTER APT (T-APT-17), a group suspected of ties to the Indian government. Researchers obtained 11 ProSpy samples, the earliest from August 2024, and tracked the malware’s infrastructure across numerous servers and fake websites.
Lookout assesses with moderate confidence that BITTER APT, or an affiliated organization, was contracted to conduct surveillance of civil society in the MENA region, the first time BITTER-linked activity has been observed targeting this group.
Mechanisms of ProSpy Deployment
ProSpy’s dissemination follows a calculated two-phase strategy. Initially, attackers construct fake identities on social media or messaging platforms to engage with targets. Once trust is established, a spearphishing link is sent, directing Android users to a site hosting a malicious APK disguised as a legitimate messaging app.
In one case, users were baited with an invitation to a secure video call. Clicking the link redirected them to a site mimicking a ToTok app update, resulting in an automatic download of the spyware. These sites were available in both English and Arabic, underscoring the attackers’ focus on Arabic-speaking users. Similar sites were crafted for Signal and Botim.
Protective Measures and Recommendations
Civil society members, especially in the Middle East, should refrain from downloading apps outside official stores and remain wary of dubious links, even from trusted contacts. Organizations aiding vulnerable individuals are advised to promote mobile threat detection tools and educate users on the risks of unverified app installations.
Any unusual permission requests from an app, or unexpected device behavior after an installation, should raise immediate concern and prompt a thorough review of the device.
