New Android Spyware Targeting Users by Imitating Signal and ToTok Apps


ESET researchers have uncovered two sophisticated Android spyware campaigns that target users seeking secure communication platforms by impersonating popular messaging apps Signal and ToTok.

These malicious operations appear to focus primarily on residents of the United Arab Emirates (UAE), utilizing deceptive websites and social engineering tactics to distribute previously undocumented malware families.

The investigation revealed two distinct Android spyware families operating through carefully orchestrated deception campaigns. Android/Spy.ProSpy masquerades as upgrades or plugins for both Signal and ToTok messaging applications, while Android/Spy.ToSpy exclusively targets ToTok users by impersonating the app itself.

Neither malicious application was available through official app stores, requiring victims to manually install the software from third-party websites designed to appear legitimate.

The plugin was distributed via phishing using two dedicated websites (https://signal.ct[.]ws and https://encryption-plug-in-signal.com-ae[.]net/), and it was available only in the form of an Android app that required users to enable manual installation from unknown sources.

Website distributing the fake Signal Encryption Plugin app.

One particularly sophisticated distribution method involved a fake website mimicking the Samsung Galaxy Store, which successfully lured users into downloading and installing a malicious version of the ToTok app.

ProSpy Campaign

The ProSpy campaign, discovered in June 2025 but believed to have been active since 2024, distributes malware through three deceptive websites impersonating Signal and ToTok platforms.

The campaign offers malicious APK files disguised as improvements, specifically marketed as “Signal Encryption Plugin” and “ToTok Pro”.

The Signal Encryption Plugin variant was distributed through dedicated phishing websites whose domain names were built to resemble the UAE's .ae country-code domain (for example, encryption-plug-in-signal.com-ae[.]net), suggesting a deliberate focus on UAE residents.

ProSpy execution flow.

Upon installation, the malicious app requests extensive permissions to access contacts, SMS messages, and device files before beginning background data exfiltration.

After the initial setup, the Signal Encryption Plugin employs a disguise technique: it changes its launcher name and icon on the device to look like "Play Services" and, when tapped, opens the legitimate Google Play Services, so the victim sees nothing unexpected.

Malicious Signal Encryption Plugin redirecting the user to the legitimate signal.org link.

This activity-alias manipulation effectively masks the spyware’s presence while maintaining persistent access to sensitive data.

ToSpy Campaign

The ToSpy campaign demonstrates even more targeted regional operations, with confirmed detections originating from devices located in the UAE.

Official (left) and malicious (right) ToTok app icons.

Researchers identified six samples sharing identical malicious code and developer certificates, indicating coordination by a single threat actor.

Evidence suggests the ToSpy campaign began in mid-2022, with the developer certificate created on May 24, 2022, and related domains registered around the same timeframe. Several command and control servers remain active, indicating ongoing operations at the time of publication.

The malware specifically targets ToTok backup files with the .ttkmbackup extension, demonstrating particular interest in extracting chat history and app data. This focus aligns with ToTok’s regional popularity in the UAE and surrounding areas.

Both spyware families demonstrate extensive data collection capabilities, systematically exfiltrating device information, stored SMS messages, contact lists, and files across multiple categories including documents, images, videos, and archives.

The malware maintains persistent background operations through foreground services, alarm managers, and boot persistence mechanisms.
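As an added example (not ESET's tooling and not code from the spyware), the following Python script applies the three static checks implied by the paragraphs above to a decoded AndroidManifest.xml: the sensitive-data permissions requested, whether a launcher activity-alias ships disabled with its own label (the manifest pattern behind an icon-and-name swap such as the "Play Services" disguise), and the boot-receiver and foreground-service persistence hooks. The embedded manifest is constructed for illustration; its package and component names are hypothetical.

```python
"""Static manifest triage for the traits described above (sensitive permissions,
launcher-alias disguise, boot/foreground-service persistence).

Added example: not ESET's tooling and not code from the spyware. SAMPLE_MANIFEST is
constructed for illustration; package and component names are hypothetical.
For a real sample: apktool d sample.apk && python triage.py sample/AndroidManifest.xml
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions matching the data classes the article says are exfiltrated.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}
PERSISTENCE_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.FOREGROUND_SERVICE",
}

# Constructed manifest (hypothetical names), shaped like apktool's decoded output.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.signalplugin">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Signal Encryption Plugin" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".PlayServicesAlias" android:targetActivity=".MainActivity"
        android:label="Play Services" android:icon="@mipmap/ic_play"
        android:enabled="false" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".CollectorService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>
"""


def _a(el, name):
    """Read an android:-namespaced attribute."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(component):
    """True if one intent-filter carries both MAIN and LAUNCHER (shows in the app drawer)."""
    for f in component.findall("intent-filter"):
        actions = {_a(a, "name") for a in f.findall("action")}
        cats = {_a(c, "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def _has_action(component, action):
    return any(_a(a, "name") == action
               for f in component.findall("intent-filter") for a in f.findall("action"))


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {_a(p, "name") for p in root.findall("uses-permission")}
    app_label = _a(app, "label")
    identities = []
    for comp in list(app.findall("activity")) + list(app.findall("activity-alias")):
        if _is_launcher(comp):
            identities.append({
                "component": _a(comp, "name"),
                "alias": comp.tag == "activity-alias",
                "label": _a(comp, "label") or app_label,
                "enabled": _a(comp, "enabled") != "false",
            })
    # A launcher alias that ships disabled and carries its own label/icon is the manifest
    # side of a runtime identity swap via PackageManager.setComponentEnabledSetting().
    disguises = [i["label"] for i in identities
                 if i["alias"] and not i["enabled"] and i["label"] != app_label]
    return {
        "package": root.get("package"),
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
        "persistence_permissions": sorted(perms & PERSISTENCE_PERMISSIONS),
        "launcher_identities": identities,
        "disguise_labels": disguises,
        "boot_receivers": [_a(r, "name") for r in app.findall("receiver")
                           if _has_action(r, "android.intent.action.BOOT_COMPLETED")],
        "foreground_services": [_a(s, "name") for s in app.findall("service")
                                if _a(s, "foregroundServiceType")],
    }


def flags(report):
    """Reasons a reviewer should look closer; an empty list means nothing matched."""
    out = []
    if report["sensitive_permissions"]:
        out.append("sensitive-data permissions: " + ", ".join(report["sensitive_permissions"]))
    if report["disguise_labels"]:
        out.append("disabled launcher alias with a different label: " + ", ".join(report["disguise_labels"]))
    if report["boot_receivers"]:
        out.append("boot persistence via " + ", ".join(report["boot_receivers"]))
    if report["foreground_services"]:
        out.append("foreground service(s): " + ", ".join(report["foreground_services"]))
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for line in flags(triage_manifest(text)):
        print("[!]", line)
```

On a real decoded manifest the labels are usually resource references such as @string/app_name, so resolve them through res/values/strings.xml before comparing; a second launcher identity with a different label or icon is the signal, whichever component happens to be enabled at the time of analysis.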

ToSpy encrypts the collected data with AES in CBC mode under a key hardcoded in the app before sending it to its command and control servers in HTTPS POST requests.

The same key is present in all six identified samples, pointing to centralized development and deployment. It also means the encryption protects the stolen data only from casual inspection: anyone who has analyzed one sample can decrypt captured or recovered payloads from any victim.
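As an added example (not ESET's code and not ToSpy's), the following Python script shows what a hardcoded CBC key means in practice: once the constant has been lifted from the APK, every captured C2 POST body can be decrypted offline, and the same constant groups samples into one build. The key, the JSON beacon and the IV-prepended framing are all constructed for this example; the article does not describe ToSpy's IV handling or message format, so that framing is an assumption. It uses the cryptography package (pip install cryptography).

```python
"""Decrypting captured exfiltration with a key recovered from the sample, and
clustering samples by that key.

Added example, not ESET's or the malware's code. Assumptions: the 32-byte key was
already extracted from the APK (RECOVERED_KEY is a constructed placeholder, not
ToSpy's real key), PKCS#7 padding, and a 16-byte IV prepended to the ciphertext.
"""
import hashlib
import json
import os

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Placeholder standing in for the constant lifted from the APK (constructed, not real).
RECOVERED_KEY = hashlib.sha256(b"example-hardcoded-key-from-apk").digest()


def aes_cbc_encrypt(key, plaintext, iv=None):
    """What a hardcoded-key CBC exfil routine does; used here only to build the sample capture."""
    iv = iv or os.urandom(16)
    pad = 16 - len(plaintext) % 16
    padded = plaintext + bytes([pad]) * pad
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


def aes_cbc_decrypt(key, blob):
    """Inverse of the above: IV || ciphertext -> plaintext, with an explicit padding check."""
    if len(blob) < 32 or len(blob) % 16:
        raise ValueError("expected IV || ciphertext in whole 16-byte blocks")
    iv, ct = blob[:16], blob[16:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    pad = padded[-1]
    # CBC without a MAC gives no integrity error on a wrong key, only garbage; the
    # padding check is the only sanity signal, so fail loudly instead of returning junk.
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key or corrupted capture")
    return padded[:-pad]


def decrypt_capture(key, post_body):
    """Turn one captured HTTPS POST body back into the JSON object the implant sent."""
    return json.loads(aes_cbc_decrypt(key, post_body).decode("utf-8"))


def key_fingerprint(key):
    """Short identifier for a key constant, for use in reports and YARA-style matching."""
    return hashlib.sha256(key).hexdigest()[:16]


def cluster_by_key(sample_keys):
    """Group sample identifiers by the key constant found in each; one group means one build."""
    clusters = {}
    for sample, key in sample_keys.items():
        clusters.setdefault(key_fingerprint(key), []).append(sample)
    return clusters


# Constructed capture: a device-info beacon as this example imagines it (field names made up).
SAMPLE_BEACON = json.dumps({"device": "SM-A125F", "files": ["chats.ttkmbackup"]}).encode()
SAMPLE_CAPTURE = aes_cbc_encrypt(RECOVERED_KEY, SAMPLE_BEACON, iv=bytes(range(16)))

# Constructed sample-to-key map: three hashes carrying the same constant, one carrying another.
OTHER_KEY = hashlib.sha256(b"some-unrelated-build").digest()
SAMPLE_KEYS = {"sample-1": RECOVERED_KEY, "sample-2": RECOVERED_KEY,
               "sample-3": RECOVERED_KEY, "sample-4": OTHER_KEY}

if __name__ == "__main__":
    print(decrypt_capture(RECOVERED_KEY, SAMPLE_CAPTURE))
    print(cluster_by_key(SAMPLE_KEYS))
```

The analyst-side consequence is the one the paragraph implies: the key is the same in every sample, so a single extraction unlocks any capture, and searching other APKs for the same constant is a cheap way to attribute new samples to the same actor.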

Protection and Prevention Measures

Google Play Protect automatically defends Android users against known versions of this spyware, providing default protection for devices with Google Play Services.

ESET shared their findings with Google as part of the App Defense Alliance partnership, ensuring rapid response to these emerging threats.

Security experts emphasize the importance of avoiding app installations from unofficial sources and disabling the “unknown sources” installation option.

Users should exercise particular caution when downloading apps or add-ons claiming to enhance trusted communication services, especially when prompted to install software outside official app stores.

The discovery of these campaigns highlights the evolving sophistication of mobile spyware operations and the importance of maintaining vigilance when downloading communication applications, particularly in regions where certain apps may be restricted or unavailable through official channels.

IoCs

SHA-1 Filename Detection Description
03FE2FCF66F86A75242F6112155134E66BC586CB e18683bc061e888f158c9a3a7478615df2d7daae1952a072d7f549cd1c1e326a.apk Android/Spy.ToSpy.A Android ToSpy spyware impersonating ToTok app.
B22D58561BB64748F0D2E57B06282D6DAF33CC68 totok_v1.8.8.411.apk Android/Spy.ToSpy.A Android ToSpy spyware impersonating ToTok app.
BDC16A05BF6B771E6EDB79634483C59FE041D59B totok_V2.8.3.10113.apk Android/Spy.ToSpy.A Android ToSpy spyware impersonating ToTok app.
DB9FE6CC777C68215BB0361139119DAFEE3B3194 totok_Version_1_9_5_433.apk Android/Spy.ToSpy.A Android ToSpy spyware impersonating ToTok app.
DE148DDFBF879AB2C12537ECCCDD0541A38A8231 v1_8_6_405_totok.apk Android/Spy.ToSpy.A Android ToSpy spyware impersonating ToTok app.
CE378AE427E4BD70EAAED204C51811CD74F9A294 v1_8_7_408_totok.apk Android/Spy.ToSpy.A Android ToSpy spyware impersonating ToTok app.
7EFEFF53AAEBF4B31BFCC093F2332944C3A6C0F6 ae.totok.chat.apk Android/Spy.ProSp.A Android ProSpy spyware impersonating ToTok Pro.
154D67F871FFA19DCE1A7646D5AE4FF00C509EE4 signal-encryption-plugin.apk Android/Spy.ProSp.A Android ProSpy spyware impersonating Signal Plugin.
154D67F871FFA19DCE1A7646D5AE4FF00C509EE4 signal_encyption_plugin.apk Android/Spy.ProSp.A Android ProSpy spyware impersonating Signal Plugin.
43F4DC193503947CB9449FE1CCA8D3FEB413A52D toktok.apk Android/Spy.ProSp.A Android ProSpy spyware impersonating ToTok Pro.
579F9E5DB2BEFCCB61C833B355733C24524457AB totok.apk Android/Spy.ProSp.A Android ProSpy spyware impersonating ToTok Pro.
80CA4C48FA831CD52041BB1E353149C052C17481 totok_encrypted_enStr.apk Android/Spy.ProSp.A Android ProSpy spyware impersonating ToTok Pro.
FFAAC2FDD9B6F5340D4202227B0B13E09F6ED031 signal-encryption-plugin.apk Android/Spy.ProSp.A Android ProSpy spyware impersonating ToTok Pro.





About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.