ESET researchers have uncovered two distinct Android spyware campaigns targeting individuals seeking secure messaging applications like Signal and ToTok. These malicious efforts are being propagated through deceptive websites and social engineering tactics, aiming to lure unsuspecting users into downloading harmful software.
Spyware Families Identified
The investigation revealed two previously unknown spyware families: Android/Spy.ProSpy and Android/Spy.ToSpy. The former masquerades as upgrades or add-ons for the Signal app and the now-defunct ToTok app, while the latter impersonates the ToTok app itself. Notably, the ToSpy campaign remains active, bolstered by command-and-control servers that continue to operate.
“Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services,” stated ESET researcher Lukáš Štefanko. He emphasized the risks associated with these deceptive practices, noting that one of the websites distributing the ToSpy malware closely resembled the Samsung Galaxy Store, enticing users to download a malicious version of the ToTok app. Once installed, both spyware families establish persistence on the device, continuously exfiltrating sensitive data and files.
Distribution through Fake Websites
The ProSpy campaign was first identified in June 2025, with indications that it has been operational since 2024. The spyware is disseminated via three fraudulent websites that imitate the Signal and ToTok platforms, offering malicious APKs disguised as a Signal Encryption Plugin and ToTok Pro. One of these domains ends with ae.net, suggesting a targeted approach towards users in the United Arab Emirates (UAE).
During their research, the team discovered five additional malicious APKs built on the same spyware codebase, posing as an updated version of the ToTok messaging app, dubbed ToTok Pro. Originally developed in the UAE, ToTok was removed from both Google Play and Apple’s App Store in December 2019 due to surveillance concerns. Given that a significant portion of its user base resides in the UAE, it is plausible that ToTok Pro is specifically aimed at individuals in that region, who may be more inclined to download applications from unofficial sources.
How the Spyware Works
Upon launching, both spyware applications request access to contacts, SMS messages, and files stored on the device. If users grant these permissions, ProSpy begins to transmit data in the background. The Signal Encryption Plugin gathers device details, stored SMS messages, and contacts, while also exfiltrating files such as chat backups, audio, video, and images.
In June 2025, ESET telemetry detected another previously unknown Android spyware family, identified as Android/Spy.ToSpy. This activity originated from a device located in the UAE, leading to the discovery of four fake distribution websites impersonating the ToTok app. Given ToTok’s popularity in the region and the use of impersonation tactics, it is likely that the primary targets are users in the UAE and surrounding areas. The spyware operates silently in the background, collecting and transmitting contacts, device information, chat backups, images, documents, audio, video, and other files. ESET estimates that the ToSpy campaign likely commenced in mid-2022.
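A defender-side triage check for the behaviour described in this section, added here as an example and not part of ESET's research: it parses `adb shell pm list packages -i` output to find sideloaded packages, then flags those whose package name or label mimics Signal or ToTok and that request the contacts/SMS/storage permission combination both families ask for. The sample package names, labels and permission sets are constructed, and the trusted-installer list is an assumption.

```python
import re
P = "android.permission."
# Trusted installers (assumption): Google Play and the Samsung Galaxy Store.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}
# Permission set the article says both families request on first launch.
SENSITIVE = {P + n for n in ("READ_CONTACTS", "READ_SMS", "READ_EXTERNAL_STORAGE")}
# Brands the fake "plugin" and "Pro" apps impersonate, per the article.
IMPERSONATED = ("signal", "totok")
PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_pm_list(output: str) -> dict:
    """Parse `adb shell pm list packages -i` output into {package: installer}.
    Sideloaded apps show up with installer=null."""
    result = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result

def triage(installers: dict, permissions: dict, labels: dict) -> list:
    """Return packages that are sideloaded, carry a Signal/ToTok-style name or
    label, and request at least two of the sensitive permissions (leads only)."""
    findings = []
    for pkg, installer in installers.items():
        sideloaded = installer not in TRUSTED_INSTALLERS
        asked = SENSITIVE & set(permissions.get(pkg, ()))
        name = (pkg + " " + labels.get(pkg, "")).lower()
        lookalike = any(brand in name for brand in IMPERSONATED)
        if sideloaded and lookalike and len(asked) >= 2:
            findings.append(pkg)
    return sorted(findings)

# Constructed sample (not real device output): genuine Signal from Play,
# a sideloaded "Signal Encryption Plugin" look-alike, and a benign notes app.
SAMPLE_PM = """\
package:org.thoughtcrime.securesms installer=com.android.vending
package:com.example.signal.plugin installer=null
package:com.example.notes installer=null
"""
SAMPLE_PERMS = {
    "org.thoughtcrime.securesms": {P + "READ_CONTACTS"},
    "com.example.signal.plugin": {P + "READ_CONTACTS", P + "READ_SMS",
                                  P + "READ_EXTERNAL_STORAGE"},
    "com.example.notes": {P + "READ_EXTERNAL_STORAGE"},
}
SAMPLE_LABELS = {"com.example.signal.plugin": "Signal Encryption Plugin"}

def run_sample() -> list:
    return triage(parse_pm_list(SAMPLE_PM), SAMPLE_PERMS, SAMPLE_LABELS)
```

The genuine Signal APK is also distributed outside Google Play, so a hit is a lead to verify against the package's signing certificate and download source, not a verdict.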
“Users should remain vigilant when downloading apps from unofficial sources and avoid enabling installation from unknown origins, particularly when installing apps or add-ons outside of official app stores, especially those claiming to enhance trusted services,” Štefanko advises.