Researchers have found two Android spyware families masquerading as messaging apps Signal and ToTok, apparently targeting residents of the United Arab Emirates.
ESET revealed the spyware campaigns Thursday in a blog post, saying that researchers discovered it in June but believe it dates back to last year. They dubbed the campaigns ProSpy and ToSpy, with the first impersonating both Signal and ToTok, and the second just ToTok.
ToTok has been effectively discontinued since 2020, after The New York Times reported that the app itself was a spying tool for the government of the UAE. The spyware was posing as an enhanced version of the app, ToTok Pro, ESET said.
Upon download, the spyware requests permission to access contacts, text messages and stored files, and once granted, it can start exfiltrating data, according to the researchers. That includes the data for which it sought permission, but also device information, audio, video, images and chat backups.
“Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services,” said ESET researcher Lukáš Štefanko, who made the discovery. “Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app.
“Confirmed detections in the UAE and the use of phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms,” he said.
It’s not the first time hackers have disguised malware in phony messaging apps. ESET shined a spotlight on the phenomenon last year, pointing to fake WhatsApp updates with mysterious intentions, copycat Telegram and WhatsApp websites for stealing cryptocurrency and a Chinese government-linked group seeking to distribute Android BadBazaar espionage code through authentic-looking Signal and Telegram apps.
ESET concluded that the latest spyware campaigns are likely targeting privacy-conscious UAE residents partly because the ToTok app was primarily used there and also because of a domain name ending in the substring “ae.net,” with “AE” being the two-letter country code for UAE.
“Given the app’s regional popularity and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spyware campaign are users in the UAE or surrounding regions,” ESET wrote in its blog post.
