ESET Research discovers new spyware posing as messaging apps targeting users in the UAE

ESET Research has recently unveiled two previously undocumented families of Android spyware, designated as Android/Spy.ProSpy and Android/Spy.ToSpy. These malware campaigns specifically target individuals interested in secure communication applications, namely Signal and ToTok, and are primarily distributed through deceptive websites and social engineering tactics. The focus of these operations appears to be on residents of the United Arab Emirates (UAE).

Details of the Spyware Campaigns

The Android/Spy.ProSpy malware masquerades as upgrades or plugins for the Signal app and the controversial ToTok app, while Android/Spy.ToSpy exclusively targets ToTok users. ESET’s findings indicate that the ToSpy campaigns are still active, as evidenced by the ongoing operation of command and control servers.

According to ESET researcher Lukáš Štefanko, “Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services.” One particularly deceptive website imitated the Samsung Galaxy Store, enticing users to download a malicious version of the ToTok app. Once installed, both spyware families establish persistence on the device, continuously exfiltrating sensitive data and files.

The ProSpy campaign was first identified in June 2025, although it is believed to have been operational since 2024. This campaign is disseminated through three misleading websites that impersonate the Signal and ToTok platforms, offering malicious APKs disguised as enhancements such as a Signal Encryption Plugin and ToTok Pro. The use of a domain name ending with the substring ae.net suggests a targeted approach towards individuals residing in the UAE, as “AE” is the country code for the United Arab Emirates.

During the investigation, ESET also discovered five additional malicious APKs utilizing the same spyware codebase, posing as an enhanced version of the ToTok messaging app under the name ToTok Pro. Given the app’s controversial history and its removal from major app stores due to surveillance concerns, it is likely that ToTok Pro is aimed at users in the UAE, who may be more inclined to download the app from unofficial sources.

Upon execution, both malicious applications request extensive permissions to access contacts, SMS messages, and files stored on the device. If granted, ProSpy begins to exfiltrate data in the background, collecting device information, stored SMS messages, and the contact list, along with other files such as chat backups, audio, video, and images.

In June 2025, ESET’s telemetry systems flagged another undocumented Android spyware family, Android/Spy.ToSpy, which was actively distributed from a device located in the UAE. Subsequent investigations revealed four deceptive distribution websites impersonating the ToTok app. Given the app’s regional popularity and the tactics employed by the threat actors, it is reasonable to conclude that the primary targets of this spyware campaign are users in the UAE and surrounding areas. The spyware can collect and exfiltrate a range of data, including user contacts, device information, and various files.

Štefanko advises users to remain vigilant when downloading apps from unofficial sources and to avoid enabling installations from unknown origins. He emphasizes the importance of exercising caution when installing apps or add-ons outside of official app stores, particularly those claiming to enhance trusted services.

For a more detailed analysis and technical breakdown of Android/Spy.ProSpy and Android/Spy.ToSpy, readers can refer to the latest ESET Research blog post on WeLiveSecurity.com. ESET Research can also be followed on social media platforms for the latest updates and insights.

About ESET

ESET® provides cutting-edge cybersecurity solutions designed to prevent attacks before they occur. By integrating the power of AI with human expertise, ESET remains at the forefront of emerging global cyberthreats, ensuring the security of businesses, critical infrastructure, and individuals. Their AI-native, cloud-first solutions deliver effective protection across endpoints, cloud, and mobile environments. ESET’s technology encompasses robust detection and response capabilities, ultra-secure encryption, and multifactor authentication, all supported by 24/7 real-time defense and strong local assistance. In an ever-evolving digital landscape, ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a global partner network. For more information, visit www.eset.com or follow their social media, podcasts, and blogs.

CONTACT: Media contact: Jessica Beffa jessica.beffa@eset.com 720-413-4938
