Cybersecurity researchers have uncovered two distinct families of Android spyware that masquerade as popular messaging applications, specifically Signal and ToTok. The discovery was made in June, but the activity is believed to date back to last year, and the two campaigns have been dubbed ProSpy and ToSpy. ProSpy impersonates both Signal and ToTok, while ToSpy focuses solely on ToTok.
Notably, ToTok has been effectively discontinued since 2020, following a New York Times investigation that identified it as a surveillance tool for the UAE government. The spyware, however, has been cleverly disguised as an enhanced version of the app, named ToTok Pro, as reported by ESET, the cybersecurity firm behind the findings.
Upon installation, the spyware requests extensive permissions, including access to contacts, text messages, and stored files. Once these permissions are granted, the spyware begins exfiltrating sensitive data, encompassing not only the information it was authorized to access but also device details, audio, video, images, and chat backups.
Distribution Tactics and Targeting
According to ESET researcher Lukáš Štefanko, neither of the spyware-laden applications was available through official app stores. Instead, they required manual installation from third-party websites that posed as legitimate services. One particularly deceptive site imitated the Samsung Galaxy Store, enticing users to download a malicious version of the ToTok app.
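The two behaviours the article describes, installation from outside the official stores and a request for broad data-access permissions, are also what a defender can check for on a device. The script below is an added example and is not ESET's tooling or code from the article: it parses the text that `adb shell pm list packages -i` (package and installer) and `adb shell dumpsys package <name>` (requested permissions) print, and flags sideloaded apps whose display name imitates a messenger while requesting contact, SMS, storage, microphone or camera access. The sample command output, the display-name inventory and the `com.example.*` package names are constructed for the example; Signal's package name is real, while ToTok's is a placeholder because the article does not give it, and the Galaxy Store installer package name is an assumption.

```python
"""Triage sideloaded Android apps that imitate messengers and request
data-harvesting permissions. Added example; assumes the text formats of
`pm list packages -i` and `dumpsys package` shown in the constructed samples."""
import re

# Installer packages treated as official stores. Play Store is real; the
# Samsung Galaxy Store package name is an assumption.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Official package per messenger. Signal's is real; ToTok's is a placeholder.
OFFICIAL_MESSENGERS = {
    "signal": "org.thoughtcrime.securesms",
    "totok": "ai.totok.placeholder",
}

# Permissions that map to the data the article says the spyware exfiltrates.
HARVEST_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Constructed sample of `adb shell pm list packages -i` output.
SAMPLE_PM_OUTPUT = """\
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.example.totokpro  installer=null
package:com.example.calculator  installer=null
"""

# Constructed excerpts of `adb shell dumpsys package <pkg>` output.
SAMPLE_DUMPSYS = {
    "org.thoughtcrime.securesms": """\
  requested permissions:
    android.permission.READ_CONTACTS
    android.permission.CAMERA
    android.permission.RECORD_AUDIO
  install permissions:
    android.permission.INTERNET: granted=true
""",
    "com.example.totokpro": """\
  requested permissions:
    android.permission.READ_CONTACTS
    android.permission.READ_SMS
    android.permission.READ_EXTERNAL_STORAGE
    android.permission.RECORD_AUDIO
    android.permission.CAMERA
  install permissions:
    android.permission.INTERNET: granted=true
""",
    "com.example.calculator": """\
  requested permissions:
    android.permission.INTERNET
""",
}

# Constructed inventory of display names (as an MDM export would provide).
SAMPLE_LABELS = {
    "org.thoughtcrime.securesms": "Signal",
    "com.example.totokpro": "ToTok Pro",
    "com.example.calculator": "Calculator",
}


def parse_installers(pm_output):
    """Map package name -> installer package ('null' when sideloaded via adb/APK)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_requested_permissions(dumpsys_output):
    """Collect the names listed under 'requested permissions:' until the next section."""
    perms, in_section = set(), False
    for line in dumpsys_output.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
        elif in_section:
            if stripped.endswith(":"):  # next section header ends the list
                break
            if stripped:
                perms.add(stripped)
    return perms


def triage(pm_output, dumpsys_by_pkg, labels):
    """Return {package: {'risk': level, 'reasons': [...]}} for every installed package."""
    report = {}
    for pkg, installer in parse_installers(pm_output).items():
        reasons = []
        sideloaded = installer not in TRUSTED_INSTALLERS
        if sideloaded:
            reasons.append(f"not installed from an official store (installer={installer})")
        label = labels.get(pkg, "").lower()
        impersonates = any(name in label and pkg != official
                           for name, official in OFFICIAL_MESSENGERS.items())
        if impersonates:
            reasons.append(f"display name '{labels[pkg]}' imitates a messenger but package is {pkg}")
        harvest = parse_requested_permissions(dumpsys_by_pkg.get(pkg, "")) & HARVEST_PERMISSIONS
        harvests = len(harvest) >= 3
        if harvests:
            reasons.append("requests data-harvesting permissions: "
                           + ", ".join(sorted(p.rsplit(".", 1)[1] for p in harvest)))
        # A store-installed app with the same permissions (e.g. the real Signal) stays low.
        if sideloaded and impersonates and harvests:
            risk = "high"
        elif sideloaded and harvests:
            risk = "medium"
        else:
            risk = "low"
        report[pkg] = {"risk": risk, "reasons": reasons}
    return report


if __name__ == "__main__":
    for pkg, finding in triage(SAMPLE_PM_OUTPUT, SAMPLE_DUMPSYS, SAMPLE_LABELS).items():
        print(pkg, finding["risk"], "; ".join(finding["reasons"]))
```

The genuine Signal client requests contacts, camera and microphone too, so permissions alone are a weak signal; the example only raises the risk level when the app also arrived outside an official store and carries a messenger's name under a different package, which is the combination the article describes.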
“Confirmed detections in the UAE and the use of phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms,” Štefanko noted, emphasizing the targeted nature of these campaigns.
This incident is not an isolated case; hackers have a history of disguising malware within counterfeit messaging applications. ESET previously highlighted similar tactics, including fake WhatsApp updates and copycat Telegram and WhatsApp websites designed to steal cryptocurrency. Additionally, a Chinese government-linked group attempted to distribute Android espionage code through authentic-looking Signal and Telegram apps.
The current spyware campaigns appear to be particularly aimed at privacy-conscious residents of the UAE, where the ToTok app was widely used. The researchers pointed out that the domain name associated with the spyware ends in “ae.net,” with “AE” representing the two-letter country code for the UAE. This suggests a deliberate targeting of users in the UAE and potentially surrounding regions.
“Given the app’s regional popularity and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spyware campaign are users in the UAE or surrounding regions,” ESET concluded in its blog post, underscoring the need for heightened awareness and vigilance among users in the area.