Fake Messaging Apps Use Previously Undocumented Malware

Two Android spyware campaigns built on previously undocumented malware masquerade as upgrades or plugins for the secure messaging apps Signal and ToTok, researchers warn. Both campaigns appear to target residents of the United Arab Emirates.
Eset researchers identified the two spyware families, which they dub “ProSpy” and “ToSpy.” Once installed, both continually exfiltrate sensitive data. Eset said it discovered the ProSpy campaign in June, but its data shows the campaign has been active since 2024.
Both campaigns trick users into sideloading malicious apps by posing as a Signal or ToTok upgrade or by outright impersonating the ToTok app. One way they maintain the appearance of legitimacy is by having users download or interact with the genuine messaging apps: the fake ToTok app directs users to install the real one and then remains on the phone as a separate app called “ToTok Pro,” while the fake Signal upgrade asks users to “enable” it and launches the real Signal app in the process.
Once running, both spyware strains prompt the user for permissions granting access to contacts, SMS messages and files stored on the device. ToSpy specifically searches for .ttkmbackup files, the extension ToTok uses for its backups, suggesting a targeted interest in extracting chat histories.
Lukáš Štefanko, senior malware researcher at Eset who analyzed the campaigns, said there is no evidence that either campaign is linked to previously reported surveillance activity. “We haven’t found any connection to previously known UAE surveillance or other state-backed activity,” he told Information Security Media Group.
Although spyware is often used against political or journalistic communities, Štefanko said telemetry does not suggest targeted exploitation in this case. “We haven’t seen signs of specific targeting,” he said.
The actual scale of infections remains unclear. The attackers’ decision to impersonate Signal alongside ToTok may reflect deliberate targeting of different audiences: Štefanko said the two campaigns share the same objectives but probably have different intended victims.
ToSpy has not undergone significant technical updates despite operating for several years. Both campaigns appear to serve surveillance goals rather than financial motives. “It is more a surveillance-related threat – we can’t tell if it’s state interest – than profit-driven cybercrime,” he said.
Distribution relies on phishing domains designed to mimic legitimate app marketplaces, including a fake Samsung Galaxy Store. Victims are prompted to manually download and install APK files, bypassing Google Play safeguards in the process. After installation, ProSpy and ToSpy use standard Android persistence mechanisms, such as AlarmManager and boot receivers, to keep running even after the device reboots.
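As an added example (not Eset’s tooling and not code from the article), the following Python script triages a decoded AndroidManifest.xml, such as the one apktool writes out, for the combination of traits described above: a package named after Signal or ToTok that is not the genuine package, permissions covering contacts, SMS and storage, a BOOT_COMPLETED receiver for persistence, and any reference to the .ttkmbackup extension among strings pulled from the APK. The sample manifests and string lists are constructed; Signal’s package name org.thoughtcrime.securesms is the real one, while the ToTok package name in OFFICIAL is an assumption made for the example.

```python
"""Added example: triage a decoded AndroidManifest.xml (as produced by apktool)
for the indicator pattern the article attributes to ProSpy and ToSpy: a
sideloaded package posing as Signal or ToTok that requests contacts, SMS and
file access and registers a BOOT_COMPLETED receiver for persistence.
Not Eset's tooling; the sample manifests and strings below are constructed."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace

# Permissions that map to the data the article says both families request.
DATA_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
TOTOK_BACKUP_EXT = ".ttkmbackup"  # extension ToSpy hunts for, per the article

# Brands the campaigns impersonate -> genuine package name. Signal's is its
# real package; ToTok's is an assumption made for this example.
OFFICIAL = {"signal": "org.thoughtcrime.securesms", "totok": "ai.totok.chat"}


def triage_manifest(xml_text, strings=()):
    """Return the package, label, a list of findings and a verdict.
    `strings` is an optional iterable of strings extracted from the APK's dex."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    label = app.get(A + "label", "") if app is not None else ""
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}

    # Receivers whose intent filter listens for BOOT_COMPLETED survive reboots.
    boot_receivers = [
        r.get(A + "name")
        for r in root.iter("receiver")
        if any(a.get(A + "name") == BOOT_ACTION for a in r.iter("action"))
    ]

    findings = []
    collected = sorted(perms & DATA_PERMS)
    if collected:
        findings.append("collects: " + ", ".join(p.rsplit(".", 1)[1] for p in collected))
    if boot_receivers:
        findings.append("boot persistence: " + ", ".join(boot_receivers))
    if any(TOTOK_BACKUP_EXT in s for s in strings):
        findings.append("references ToTok backup files (" + TOTOK_BACKUP_EXT + ")")

    impersonates = False
    for brand, real_pkg in OFFICIAL.items():
        named_after = brand in pkg.lower() or brand in label.lower()
        if named_after and pkg != real_pkg:
            impersonates = True
            findings.append(f"impersonates {brand}: package {pkg}, label {label!r}")

    # A lookalike that also collects data or persists across reboots is the
    # combination the article describes; either trait alone is common in benign apps.
    suspicious = impersonates and bool(collected or boot_receivers)
    return {"package": pkg, "label": label, "findings": findings, "suspicious": suspicious}


# Constructed sample: a "ToTok Pro" lookalike with the traits the article lists.
FAKE_TOTOK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.totokpro">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="ToTok Pro">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
FAKE_TOTOK_STRINGS = ["Lcom/example/totokpro/Collector;", "*.ttkmbackup", "Contacts"]

# Constructed sample: a genuine-looking Signal manifest (real package name,
# contacts access, no boot receiver) to show the verdict stays clean.
SIGNAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.thoughtcrime.securesms">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Signal"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml, strs in (("fake ToTok", FAKE_TOTOK_MANIFEST, FAKE_TOTOK_STRINGS),
                            ("Signal", SIGNAL_MANIFEST, ())):
        report = triage_manifest(xml, strs)
        print(f"{name}: suspicious={report['suspicious']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against a real sample by feeding it the manifest apktool decoded and the output of `strings classes.dex`. The verdict deliberately requires lookalike naming plus data collection or persistence, because contacts access or a boot receiver on its own is routine in legitimate apps. Note that AlarmManager-based persistence leaves no trace in the manifest; spotting it needs dex-level inspection.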
The research team notified Google of the findings, but takedowns of the domains or servers had not yet been initiated at the time of writing. For now, both ProSpy and ToSpy remain active, posing a persistent surveillance risk to privacy-conscious users who rely on Signal and ToTok in the UAE and potentially beyond.