ESET researchers have uncovered two sophisticated Android spyware campaigns that target users seeking secure communication platforms by impersonating popular messaging apps Signal and ToTok.
These malicious operations appear to focus primarily on residents of the United Arab Emirates (UAE), utilizing deceptive websites and social engineering tactics to distribute previously undocumented malware families.
The investigation revealed two distinct Android spyware families operating through carefully orchestrated deception campaigns. Android/Spy.ProSpy masquerades as upgrades or plugins for both Signal and ToTok messaging applications, while Android/Spy.ToSpy exclusively targets ToTok users by impersonating the app itself.
Neither malicious application was available through official app stores, requiring victims to manually install the software from third-party websites designed to appear legitimate.
The Signal Encryption Plugin was distributed via phishing using two dedicated websites (https://signal.ct[.]ws and https://encryption-plug-in-signal.com-ae[.]net/), and it was available only as an Android APK that required users to allow installation from unknown sources before it could be sideloaded.
One particularly sophisticated distribution method involved a fake website mimicking the Samsung Galaxy Store, which successfully lured users into downloading and installing a malicious version of the ToTok app.
ProSpy Campaign
The ProSpy campaign, discovered in June 2025 but believed to have been active since 2024, distributes malware through three deceptive websites impersonating Signal and ToTok platforms.
The campaign offers malicious APK files disguised as improvements, specifically marketed as “Signal Encryption Plugin” and “ToTok Pro”.
The Signal Encryption Plugin variant was distributed through dedicated phishing websites using domains that included “.ae.net” in their structure, suggesting a deliberate focus on UAE residents.

Upon installation, the malicious app requests extensive permissions to access contacts, SMS messages, and device files before beginning background data exfiltration.
After the initial setup, the Signal Encryption Plugin disguises itself on the device: it switches to a pre-declared activity alias carrying a different label and icon, so the launcher entry reads "Play Services", and tapping that entry opens the legitimate Google Play Services rather than the spyware.

Because the alias is declared in the manifest and only toggled at runtime, the original app name disappears from the launcher while the spyware keeps running and retains its access to sensitive data.
ToSpy Campaign
The ToSpy campaign demonstrates even more targeted regional operations, with confirmed detections originating from devices located in the UAE.

Researchers identified six samples sharing identical malicious code and developer certificates, indicating coordination by a single threat actor.
Evidence suggests the ToSpy campaign began in mid-2022, with the developer certificate created on May 24, 2022, and related domains registered around the same timeframe. Several command and control servers remain active, indicating ongoing operations at the time of publication.
The malware specifically targets ToTok backup files with the .ttkmbackup extension, demonstrating particular interest in extracting chat history and app data. This focus aligns with ToTok’s regional popularity in the UAE and surrounding areas.
Both spyware families demonstrate extensive data collection capabilities, systematically exfiltrating device information, stored SMS messages, contact lists, and files across multiple categories including documents, images, videos, and archives.
The malware maintains persistent background operations through foreground services, alarm managers, and boot persistence mechanisms.
ToSpy employs AES encryption in CBC mode with a hardcoded key to secure exfiltrated data before transmission to command and control servers via HTTPS POST requests.
The same encryption key is used across all six identified samples, suggesting centralized development and deployment.
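The activity-alias disguise described in the ProSpy section and the boot/foreground-service persistence described above both leave traces in a sample's manifest, so a quick manifest triage is a reasonable first step when handling one of these APKs. The script below is an added example, not ESET's tooling or any code from the spyware: it parses a decoded AndroidManifest.xml (as produced by `apktool d sample.apk`) and reports launcher aliases whose label or icon differ from the application's own, receivers listening for BOOT_COMPLETED, services that declare a foreground type, and which of the data-collection permissions the article names are requested. The embedded manifest is a constructed sample; the package name, component names and resource names in it are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the article says both families request for data collection.
DATA_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample manifest (hypothetical package and component names) showing
# the pattern: a disabled launcher alias labelled "Play Services", a boot receiver
# and a foreground service next to SMS/contacts/storage permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.encryptionplugin">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Signal Encryption Plugin" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".PlayServicesAlias" android:targetActivity=".MainActivity"
        android:label="Play Services" android:icon="@mipmap/ic_gms" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".CollectorService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>
"""


def _a(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _has_filter(component, action, category=None):
    """True if any intent-filter on the component declares the action (and category)."""
    for f in component.findall("intent-filter"):
        actions = {_a(x, "name") for x in f.findall("action")}
        cats = {_a(x, "name") for x in f.findall("category")}
        if action in actions and (category is None or category in cats):
            return True
    return False


def triage_manifest(manifest_xml):
    """Summarise disguise and persistence indicators in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    perms = {_a(p, "name") for p in root.findall("uses-permission")}
    app_label, app_icon = _a(app, "label"), _a(app, "icon")

    # A launcher alias whose label/icon differ from the app's own is the disguise
    # primitive: the app enables it at runtime and disables the real entry.
    aliases = []
    for alias in app.findall("activity-alias"):
        if not _has_filter(alias, "android.intent.action.MAIN",
                           "android.intent.category.LAUNCHER"):
            continue
        label, icon = _a(alias, "label"), _a(alias, "icon")
        if (label and label != app_label) or (icon and icon != app_icon):
            aliases.append({
                "name": _a(alias, "name"),
                "target": _a(alias, "targetActivity"),
                "label": label,
                "icon": icon,
                # Disabled at install time means it is switched on later by code.
                "enabled_at_install": _a(alias, "enabled") != "false",
            })

    boot_receivers = [_a(r, "name") for r in app.findall("receiver")
                      if _has_filter(r, "android.intent.action.BOOT_COMPLETED")]
    # A declared foregroundServiceType is a strong signal; its absence is not
    # conclusive, since older targets can call startForeground() without one.
    foreground_services = [_a(s, "name") for s in app.findall("service")
                           if _a(s, "foregroundServiceType")]
    return {
        "package": root.get("package"),
        "disguise_aliases": aliases,
        "data_permissions": sorted(perms & DATA_PERMISSIONS),
        "boot_receivers": boot_receivers,
        "foreground_services": foreground_services,
        "boot_persistence": bool(boot_receivers)
        and "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
    }


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(triage_manifest(text), indent=2))
```

Run it against `sample/AndroidManifest.xml` after decoding with apktool; with no argument it triages the constructed sample. None of these indicators is malicious on its own (legitimate apps use aliases and boot receivers), but a disabled launcher alias named after a system component, combined with boot persistence and SMS/contacts/storage permissions, is the combination the article describes and is worth pulling into manual review.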
Protection and Prevention Measures
Google Play Protect automatically defends Android users against known versions of this spyware, providing default protection for devices with Google Play Services.
ESET shared their findings with Google as part of the App Defense Alliance partnership, ensuring rapid response to these emerging threats.
Security experts emphasize the importance of avoiding app installations from unofficial sources and of not granting the per-app "Install unknown apps" permission (the "unknown sources" setting on older Android versions) to browsers or file managers.
Users should exercise particular caution when downloading apps or add-ons claiming to enhance trusted communication services, especially when prompted to install software outside official app stores.
The discovery of these campaigns highlights the evolving sophistication of mobile spyware operations and the importance of maintaining vigilance when downloading communication applications, particularly in regions where certain apps may be restricted or unavailable through official channels.
IoCs
SHA-1 | Filename | Detection | Description |
---|---|---|---|
03FE2FCF66F86A75242F6112155134E66BC586CB | e18683bc061e888f158c9a3a7478615df2d7daae1952a072d7f549cd1c1e326a.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
B22D58561BB64748F0D2E57B06282D6DAF33CC68 | totok_v1.8.8.411.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
BDC16A05BF6B771E6EDB79634483C59FE041D59B | totok_V2.8.3.10113.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
DB9FE6CC777C68215BB0361139119DAFEE3B3194 | totok_Version_1_9_5_433.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
DE148DDFBF879AB2C12537ECCCDD0541A38A8231 | v1_8_6_405_totok.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
CE378AE427E4BD70EAAED204C51811CD74F9A294 | v1_8_7_408_totok.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
7EFEFF53AAEBF4B31BFCC093F2332944C3A6C0F6 | ae.totok.chat.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
154D67F871FFA19DCE1A7646D5AE4FF00C509EE4 | signal-encryption-plugin.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating Signal Plugin. |
154D67F871FFA19DCE1A7646D5AE4FF00C509EE4 | signal_encyption_plugin.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating Signal Plugin. |
43F4DC193503947CB9449FE1CCA8D3FEB413A52D | toktok.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
579F9E5DB2BEFCCB61C833B355733C24524457AB | totok.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
80CA4C48FA831CD52041BB1E353149C052C17481 | totok_encrypted_enStr.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
FFAAC2FDD9B6F5340D4202227B0B13E09F6ED031 | signal-encryption-plugin.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
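The table above lists SHA-1 hashes of the APKs, which is the reliable part of the indicator; the filenames are not (the same hash appears under two different names). The script below is an added example, not part of ESET's publication: it parses the IoC table as pasted from this page, hashes every APK under a directory, and reports matches. The directory layout and the `adb` pull step in the usage note are assumptions about the analyst's workflow.

```python
import hashlib
import os
import re

# The IoC table from this page, pasted verbatim. Only the first column is used.
IOC_TABLE = """
03FE2FCF66F86A75242F6112155134E66BC586CB | e18683bc061e888f158c9a3a7478615df2d7daae1952a072d7f549cd1c1e326a.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
B22D58561BB64748F0D2E57B06282D6DAF33CC68 | totok_v1.8.8.411.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
BDC16A05BF6B771E6EDB79634483C59FE041D59B | totok_V2.8.3.10113.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
DB9FE6CC777C68215BB0361139119DAFEE3B3194 | totok_Version_1_9_5_433.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
DE148DDFBF879AB2C12537ECCCDD0541A38A8231 | v1_8_6_405_totok.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
CE378AE427E4BD70EAAED204C51811CD74F9A294 | v1_8_7_408_totok.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
7EFEFF53AAEBF4B31BFCC093F2332944C3A6C0F6 | ae.totok.chat.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
154D67F871FFA19DCE1A7646D5AE4FF00C509EE4 | signal-encryption-plugin.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating Signal Plugin. |
154D67F871FFA19DCE1A7646D5AE4FF00C509EE4 | signal_encyption_plugin.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating Signal Plugin. |
43F4DC193503947CB9449FE1CCA8D3FEB413A52D | toktok.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
579F9E5DB2BEFCCB61C833B355733C24524457AB | totok.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
80CA4C48FA831CD52041BB1E353149C052C17481 | totok_encrypted_enStr.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
FFAAC2FDD9B6F5340D4202227B0B13E09F6ED031 | signal-encryption-plugin.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
"""

SHA1_ROW = re.compile(r"^[0-9A-F]{40}$")


def parse_ioc_table(text):
    """Map SHA-1 (uppercase) to detection name, taken from the table's first and third columns.
    Rows sharing a hash collapse to one entry, so the count is of unique samples."""
    iocs = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) >= 3 and SHA1_ROW.match(cells[0].upper()):
            iocs[cells[0].upper()] = cells[2]
    return iocs


def sha1_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-1; APKs can be tens of megabytes."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def scan_directory(root, iocs):
    """Return (path, sha1, detection) for every .apk under root whose hash is in iocs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".apk"):
                continue
            path = os.path.join(dirpath, name)
            digest = sha1_of_file(path)
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, detection in scan_directory(target, parse_ioc_table(IOC_TABLE)):
        print(f"MATCH {digest} {detection} {path}")
```

To check a physical device, pull the installed packages first (`adb shell pm path <package>` gives the APK path, `adb pull <path> apks/` copies it) and run the script over that directory. Hash matching only catches these exact samples; a recompiled or re-signed variant produces a different SHA-1, which is why the detection names and Play Protect coverage matter more for ongoing protection than the hash list does.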