ESET researchers have recently unveiled two intricate Android spyware campaigns that cleverly disguise themselves as popular messaging applications, Signal and ToTok. These malicious initiatives predominantly target users in the United Arab Emirates (UAE), employing deceptive websites and social engineering tactics to disseminate previously undocumented malware families.
The investigation has identified two separate Android spyware families engaged in these meticulously crafted deception campaigns. The first, Android/Spy.ProSpy, masquerades as upgrades or plugins for both Signal and ToTok messaging applications. In contrast, Android/Spy.ToSpy specifically targets ToTok users by impersonating the app itself.
Notably, neither of these malicious applications was found on official app stores, so victims had to install the software manually from third-party websites designed to appear legitimate. The Signal Encryption Plugin was distributed through phishing via two dedicated websites, signal.ct[.]ws and encryption-plug-in-signal.com-ae[.]net, and was available solely as an Android app, which required users to enable installation from unknown sources.
One particularly cunning distribution method involved a counterfeit website that mimicked the Samsung Galaxy Store, successfully enticing users to download and install a malicious version of the ToTok app.
ProSpy Campaign
The ProSpy campaign, which was discovered in June 2025 but is believed to have been active since 2024, disseminates malware through three deceptive websites that impersonate Signal and ToTok platforms. This campaign offers malicious APK files disguised as enhancements, specifically marketed as “Signal Encryption Plugin” and “ToTok Pro.”
The Signal Encryption Plugin variant was distributed through dedicated phishing websites using domains that included “.ae.net,” indicating a targeted focus on UAE residents.
Upon installation, the malicious app requests extensive permissions to access contacts, SMS messages, and device files, and begins exfiltrating data in the background. After the initial setup, the Signal Encryption Plugin changes its appearance on the device to resemble “Play Services”; tapping the icon redirects the user to the legitimate Google Play Services, so nothing looks amiss.
This is done by manipulating the app's activity-alias (an alternate launcher entry with its own label and icon), which hides the spyware's presence while it retains persistent access to sensitive data.
ToSpy Campaign
The ToSpy campaign exhibits an even more focused regional operation, with confirmed detections originating from devices located in the UAE. Researchers have identified six samples sharing identical malicious code and developer certificates, suggesting coordination by a single threat actor.
Evidence indicates that the ToSpy campaign commenced in mid-2022, with the developer certificate created on May 24, 2022, and related domains registered around the same period. Several command and control servers remain active, signifying ongoing operations at the time of publication.
This malware specifically targets ToTok backup files with the .ttkmbackup extension, highlighting a particular interest in extracting chat histories and app data, which aligns with ToTok’s popularity in the UAE and surrounding regions.
Both spyware families exhibit extensive data collection capabilities, systematically exfiltrating device information, stored SMS messages, contact lists, and files across various categories, including documents, images, videos, and archives. The malware maintains persistent background operations through foreground services, alarm managers, and boot persistence mechanisms.
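As an added illustration (not ESET's or the malware's code), the script below turns the traits described in the two passages above, the activity-alias disguise and the permission, boot-receiver and service combination, into triage heuristics over a decoded AndroidManifest.xml; the helper name, thresholds and the sample manifest are constructed for the example.

```python
# Added example (not ESET's or the malware's code): manifest triage heuristics keyed
# to the behaviours described above; helper name, thresholds and sample are constructed.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
RISKY_PERMS = {  # contacts, SMS, files, boot persistence, as described in the report
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.RECEIVE_BOOT_COMPLETED",
}
LOOKALIKE = ("play services", "google play")  # system names a disguised alias may borrow

def triage_manifest(xml_text):
    """Return human-readable findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {p.get(A + "name") for p in root.iter("uses-permission")} & RISKY_PERMS
    if len(perms) >= 3:
        findings.append("permission cluster: " + ", ".join(sorted(perms)))
    app = root.find("application")
    if app is None:
        return findings
    for alias in app.iter("activity-alias"):  # the label/icon swap technique
        cats = {c.get(A + "name") for c in alias.iter("category")}
        label = (alias.get(A + "label") or "").lower()
        if "android.intent.category.LAUNCHER" in cats and any(w in label for w in LOOKALIKE):
            findings.append("launcher activity-alias with lookalike label: " + label)
    boot = any(x.get(A + "name") == "android.intent.action.BOOT_COMPLETED"
               for x in app.iter("action"))
    if boot and app.find("service") is not None:
        findings.append("boot receiver plus background service (persistence pair)")
    return findings

# Constructed sample manifest with the traits described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Encryption Plugin">
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".Alias" android:targetActivity=".MainActivity"
                    android:label="Play Services">
      <intent-filter><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity-alias>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".CollectorService"/>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` yields three findings; legitimate apps can trip a single heuristic, so treat the combination, not any one hit, as the signal worth a closer look.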
ToSpy uses AES in CBC mode with a hardcoded key to encrypt exfiltrated data before sending it to its command and control servers in HTTPS POST requests. The same key is used across all six identified samples, suggesting centralized development and deployment.
Protection and Prevention Measures
Google Play Protect automatically safeguards Android users against known versions of this spyware and is enabled by default on devices with Google Play Services. ESET has shared its findings with Google as part of the App Defense Alliance partnership, ensuring a swift response to these emerging threats.
Security experts stress the importance of avoiding app installations from unofficial sources and disabling the “unknown sources” installation option. Users should exercise particular caution when downloading apps or add-ons that claim to enhance trusted communication services, especially when prompted to install software outside official app stores.
The discovery of these campaigns underscores the evolving sophistication of mobile spyware operations and the critical need for vigilance when downloading communication applications, particularly in regions where certain apps may be restricted or unavailable through official channels.
IoCs
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 03FE2FCF66F86A75242F6112155134E66BC586CB | e18683bc061e888f158c9a3a7478615df2d7daae1952a072d7f549cd1c1e326a.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
| B22D58561BB64748F0D2E57B06282D6DAF33CC68 | totok_v1.8.8.411.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
| BDC16A05BF6B771E6EDB79634483C59FE041D59B | totok_V2.8.3.10113.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
| DB9FE6CC777C68215BB0361139119DAFEE3B3194 | totokVersion195_433.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
| DE148DDFBF879AB2C12537ECCCDD0541A38A8231 | v186405totok.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
| CE378AE427E4BD70EAAED204C51811CD74F9A294 | v187408totok.apk | Android/Spy.ToSpy.A | Android ToSpy spyware impersonating ToTok app. |
| 7EFEFF53AAEBF4B31BFCC093F2332944C3A6C0F6 | ae.totok.chat.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
| 154D67F871FFA19DCE1A7646D5AE4FF00C509EE4 | signal-encryption-plugin.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating Signal Plugin. |
| 154D67F871FFA19DCE1A7646D5AE4FF00C509EE4 | signalencyptionplugin.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating Signal Plugin. |
| 43F4DC193503947CB9449FE1CCA8D3FEB413A52D | toktok.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
| 579F9E5DB2BEFCCB61C833B355733C24524457AB | totok.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
| 80CA4C48FA831CD52041BB1E353149C052C17481 | totokencryptedenStr.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |
| FFAAC2FDD9B6F5340D4202227B0B13E09F6ED031 | signal-encryption-plugin.apk | Android/Spy.ProSp.A | Android ProSpy spyware impersonating ToTok Pro. |