If you use messaging apps in the United Arab Emirates (UAE), take note: cybersecurity researchers at ESET have identified two mobile spyware campaigns that trick users into installing fake versions of Signal and ToTok, then steal personal data, including contacts, messages, backups, files, and more from infected devices.
One malware strain, called ProSpy (Android/Spy.ProSpy), was offered as a fake Signal “encryption plugin” and as a ToTok Pro add-on. The other, ToSpy (Android/Spy.ToSpy), impersonates ToTok itself. Neither app appears in official app stores; victims have to manually install APK files from cloned websites or third-party pages designed to look like legitimate services.
Signal, as we know, is a popular encrypted messaging app. ToTok, on the other hand, has a controversial history. As reported by Hackread.com in December 2019, ToTok was a UAE-developed messaging app accused of spying on users in the country, which led Apple and Google to remove it from their stores. Today, the app is available only through unreliable third-party sources.
The malware scam is a textbook example of a social engineering attack that exploits people’s trust in recognised brands by copying their logos, onboarding screens and store layouts. According to ESET’s detailed technical blog post, in some cases the fake Signal app even changes its icon and name to look like Google Play Services after setup, which makes it harder for users to spot and remove.
When the spyware runs, it asks for permissions that many apps legitimately need, like contacts and storage access. If granted, the spyware collects device details, SMS messages, contact lists, installed app lists, and files, including chat backups.
ToSpy was observed targeting ToTok backup files in particular, which suggests the attackers are interested in chat history. All collected data is encrypted with a hardcoded AES key, then sent to command and control servers.
ESET’s research shows that this is not a new operation. The company’s telemetry and domain data trace samples back as far as mid-2022, with ongoing activity and active C&C servers detected in 2025.
To reduce risk, users should stick to official app stores, avoid enabling installation from unknown sources, and keep Google Play Protect turned on if their device supports it. ESET has shared its findings with Google, and Play Protect now blocks known variants of these spyware families by default on Android devices with Google Play Services.
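For defenders who manage Android devices, the two traits described above (sideloaded installs, and an app relabelling itself as Google Play Services) can be checked in an app inventory. The following is an added example, not code from ESET or from the original article; the `com.example.*` package names and the label inventory are constructed, and the labels are assumed to come from an MDM export because `pm list packages` does not report them.

```python
import re

# Genuine package names for brands named in the article (known values).
GENUINE = {"signal": "org.thoughtcrime.securesms",
           "google play services": "com.google.android.gms"}
STORE_INSTALLERS = {"com.android.vending"}  # Google Play; extend per fleet
LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")
# Constructed sample of `adb shell pm list packages -i -3` output.
SAMPLE_PM = """\
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.example.plugin  installer=null
package:com.example.chat  installer=com.google.android.packageinstaller
package:com.example.notes  installer=com.android.vending
"""
# Constructed labels; assumed to come from an MDM inventory export.
SAMPLE_LABELS = {
    "org.thoughtcrime.securesms": "Signal",
    "com.example.plugin": "Google Play Services",
    "com.example.chat": "ToTok Pro",
    "com.example.notes": "Notes",
}

def parse_installers(pm_output):
    """Map package name -> installer (None when the device reports 'null')."""
    result = {}
    for line in pm_output.splitlines():
        m = LINE.match(line.strip())
        if m:
            result[m["pkg"]] = None if m["inst"] == "null" else m["inst"]
    return result

def audit(pm_output, labels):
    """Return {package: [reasons]} for third-party apps worth a closer look."""
    findings = {}
    for pkg, installer in parse_installers(pm_output).items():
        reasons = []
        if installer not in STORE_INSTALLERS:
            reasons.append("sideloaded")
        label = labels.get(pkg, "").strip().lower()
        for brand, real_pkg in GENUINE.items():
            if brand in label and pkg != real_pkg:
                reasons.append(f"label imitates {brand}")
        if reasons:
            findings[pkg] = reasons
    return findings

if __name__ == "__main__":
    for pkg, reasons in audit(SAMPLE_PM, SAMPLE_LABELS).items():
        print(pkg, "->", ", ".join(reasons))
```

The label match is a substring test, so an unrelated app with "signal" in its name will also be listed; treat the output as a triage list rather than a verdict.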