In recent months, security teams have observed a surge in Android spyware campaigns that prey on privacy-conscious users by masquerading as trusted messaging apps.
These malicious payloads exploit users’ trust in Signal and ToTok, delivering trojanized applications that request extensive permissions under the guise of enhanced functionality.
Initial distribution relies on phishing websites and fake app stores that prompt users to sideload APKs from unfamiliar domains. Once the requested permissions are granted, the spyware keeps a low profile in the background while harvesting sensitive information.
The campaigns center around two distinct spyware families: AndroidSpy.ProSpy, which impersonates Signal and ToTok plugins, and AndroidSpy.ToSpy, which poses as a standalone ToTok app.
Both are manually installed outside official app stores, taking advantage of Android’s “unknown sources” setting.
ESET researchers, writing on WeLiveSecurity, identified that the domains signal.ct.ws and encryption-plugin-signal.com-ae.net distributed ProSpy under the guise of a nonexistent “Signal Encryption Plugin” (Signal offers no such plugin), while ToSpy variants were available through sites mimicking the Samsung Galaxy Store.
These campaigns appear regionally focused on the United Arab Emirates, leveraging local user bases of Signal and ToTok.
Upon installation, the spyware requests access to contacts, SMS messages, file storage, and device information.
If permissions are granted, ProSpy and ToSpy immediately begin exfiltration, collecting hardware and OS details, chat backups, media files, documents, and installed-app lists.
ToTok-specific spyware even targets “.ttkmbackup” files to harvest chat history. Both families encrypt the exfiltrated data with AES in CBC mode using the hardcoded key p2j8w9savbny75xg, then transmit it via HTTPS POST to command-and-control servers.
The routine appears in the decompiled snippet below. Note the hardcoded key and the all-zero IV: together they mean that identical data always encrypts to identical bytes, and that anyone holding the key (which ships inside every sample) can decrypt captured uploads.
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
// AES-CBC with a fixed 16-byte key and an all-zero IV (new byte[16]):
// no per-message randomness, so equal plaintexts give equal ciphertexts.
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
SecretKeySpec keySpec = new SecretKeySpec("p2j8w9savbny75xg".getBytes(), "AES");
IvParameterSpec ivSpec = new IvParameterSpec(new byte[16]);
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
byte[] encrypted = cipher.doFinal(plaintext.getBytes());
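What the hardcoded key and zero IV mean for an analyst is easiest to see by reversing the routine. The following is an added example in Go, not code from the article or from ESET's analysis: it decrypts a captured POST body with the key and IV shown in the snippet, and pairs that with a re-implementation of the malware's encryption so the decryptor can be exercised offline on constructed samples. It assumes the POST body is the raw AES output; any framing, base64 or field layout of the real payload is not described on the page and is not modelled here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key and IV exactly as they appear in the decompiled routine: a fixed
// 16-byte string and an all-zero IV (new byte[16]).
var (
	hardcodedKey = []byte("p2j8w9savbny75xg")
	zeroIV       = make([]byte, aes.BlockSize)
)

// DecryptExfil reverses AES/CBC/PKCS5Padding with the fixed key and IV,
// turning a captured POST body back into the harvested data. It assumes
// the body is the raw cipher output (no framing or base64 is modelled).
func DecryptExfil(ciphertext []byte) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of 16 bytes")
	}
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(plain, ciphertext)
	return pkcs5Unpad(plain)
}

// pkcs5Unpad strips the padding Java's PKCS5Padding adds; it rejects
// anything that is not 1..16 copies of the pad-length byte.
func pkcs5Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS5 padding (wrong key or corrupted capture)")
	}
	return b[:len(b)-n], nil
}

// EncryptLikeSpyware mirrors the malware's routine so the decryptor can be
// exercised offline on constructed samples without a real capture.
func EncryptLikeSpyware(plaintext []byte) []byte {
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		panic(err) // the key is fixed at 16 bytes, so this cannot fail
	}
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(out, padded)
	return out
}

// IsDeterministic demonstrates the consequence of the zero IV: equal
// plaintexts always yield equal ciphertexts, so a re-uploaded, unchanged
// chat backup is recognisable on the wire without decrypting it.
func IsDeterministic(plaintext []byte) bool {
	return bytes.Equal(EncryptLikeSpyware(plaintext), EncryptLikeSpyware(plaintext))
}

func main() {
	// Constructed sample record; not real exfiltrated data.
	sample := []byte(`{"model":"constructed","apps":["app.one","app.two"]}`)
	body := EncryptLikeSpyware(sample)
	fmt.Println("captured body (hex):", hex.EncodeToString(body))
	plain, err := DecryptExfil(body)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(plain))
}
```

Against a real capture, feed the HTTPS POST body (after TLS interception or from the device) to DecryptExfil; a padding error on otherwise block-aligned data is the signal that the sample uses a different key or wraps the ciphertext in a layer this example does not model.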
Infection Mechanism
The infection mechanism begins with social-engineering lures—users encountering links via messaging apps or spoofed social media posts.
When a victim clicks a malicious link, they land on a deceptively branded page that imitates familiar app repositories.
For ProSpy, two domains presented an “Encryption Plugin” that promised enhanced messaging security, requiring users to enable manual APK installation.
Similarly, ToSpy distribution leveraged phishing pages styled after the Galaxy Store to deliver a “ToTok Pro” APK.
Once sideloaded, the app registers a foreground service to keep running, displays a convincing onboarding screen, and uses an AndroidManifest activity-alias entry to swap its launcher icon and label to “Play Services,” hiding in plain sight.
To establish persistence, the spyware schedules an AlarmManager alarm that restarts its service if it is killed and registers a BOOT_COMPLETED BroadcastReceiver to relaunch after device reboots.
This combination of social engineering, manual installation, aliasing, and persistent background processes ensures continuous data extraction with minimal user awareness.
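Most of what this section describes (the permission set requested at install, the activity-alias re-labelling, the foreground service and the BOOT_COMPLETED receiver) is visible in a decoded AndroidManifest.xml, which makes it a cheap triage check. The following is an added example in Go, not code from the article or from ESET: it walks a manifest and reports those indicators. The manifest it scans is constructed for the example and is not the real ProSpy or ToSpy manifest; the rule names are chosen here; and flagging a service by its foregroundServiceType attribute is a heuristic, since a service can also be promoted to the foreground purely in code. The AlarmManager restart lives in code, not the manifest, so this scan cannot see it.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Finding is one manifest indicator; rule names are chosen here for
// illustration and are not an ESET classification.
type Finding struct{ Rule, Detail string }

// Permissions the article lists the spyware requesting (contacts, SMS,
// file storage), plus the two that back its persistence tricks.
var watchedPermissions = map[string]bool{
	"android.permission.READ_CONTACTS": true, "android.permission.READ_SMS": true,
	"android.permission.READ_EXTERNAL_STORAGE": true,
	"android.permission.RECEIVE_BOOT_COMPLETED": true, "android.permission.FOREGROUND_SERVICE": true,
}

// SampleManifest is constructed for this example to mirror the manifest
// tricks described above; it is not the real ProSpy or ToSpy manifest.
const SampleManifest = `<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Signal Encryption Plugin">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity-alias android:name=".PlayServicesAlias" android:targetActivity=".MainActivity" android:label="Play Services" android:enabled="false"/>
    <service android:name=".CollectorService" android:foregroundServiceType="dataSync"/>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>`

// ScanManifest walks a decoded AndroidManifest.xml (for example apktool
// output) token by token, so unknown elements are ignored, and returns the
// indicators in document order. Matching on Name.Local drops the android: prefix.
func ScanManifest(manifest string) ([]Finding, error) {
	dec := xml.NewDecoder(strings.NewReader(manifest))
	var out []Finding
	receiver := "" // name of the <receiver> currently open, if any
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			attr := map[string]string{}
			for _, a := range t.Attr {
				attr[a.Name.Local] = a.Value
			}
			switch t.Name.Local {
			case "uses-permission":
				if watchedPermissions[attr["name"]] {
					out = append(out, Finding{"permission", attr["name"]})
				}
			case "activity-alias": // an alias with its own label re-skins the launcher entry
				if label := attr["label"]; label != "" {
					rule := "alias-relabel"
					if strings.Contains(label, "Play Services") {
						rule = "alias-impersonates-system"
					}
					out = append(out, Finding{rule, attr["name"] + " labelled " + label})
				}
			case "service":
				if attr["foregroundServiceType"] != "" { // heuristic, see lead-in
					out = append(out, Finding{"foreground-service", attr["name"]})
				}
			case "receiver":
				receiver = attr["name"]
			case "action":
				if receiver != "" && attr["name"] == "android.intent.action.BOOT_COMPLETED" {
					out = append(out, Finding{"boot-receiver", receiver})
				}
			}
		case xml.EndElement:
			if t.Name.Local == "receiver" {
				receiver = ""
			}
		}
	}
}

func main() {
	findings, err := ScanManifest(SampleManifest)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-26s %s\n", f.Rule, f.Detail)
	}
}
```

To run it on a real sample, decode the APK first (for example with `apktool d app.apk`) and pass the contents of the resulting AndroidManifest.xml to ScanManifest; a benign app will usually trip one or two of these rules, so treat the combination, especially a relabelled alias next to a boot receiver, as the signal rather than any single hit.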
As these campaigns remain active, Android users are urged to avoid sideloading apps from untrusted sources, to keep Play Protect enabled, and to treat any sideloaded app that later presents itself in the launcher as “Play Services” as suspect.