Cybersecurity researchers have unveiled two distinct Android spyware campaigns, known as ProSpy and ToSpy, which cleverly impersonate popular applications such as Signal and ToTok to ensnare users in the United Arab Emirates (U.A.E.).
Malicious Distribution Tactics
According to ESET, a Slovak cybersecurity firm, these malicious applications are disseminated through deceptive websites and social engineering tactics aimed at tricking unsuspecting users into downloading them. Once installed, both spyware variants establish persistent access to compromised Android devices, enabling the exfiltration of sensitive data.
“Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services,” explained ESET researcher Lukáš Štefanko. One particularly deceptive site imitated the Samsung Galaxy Store, enticing users to download a malicious version of the ToTok app.
ProSpy Campaign Insights
The ProSpy campaign, identified in June 2025, is believed to have been active since 2024. It employs misleading websites that masquerade as Signal and ToTok to host compromised APK files, falsely marketed as upgrades to the respective applications—specifically, the Signal Encryption Plugin and ToTok Pro. The choice of ToTok as a lure is particularly notable, as the app was removed from both Google Play and the Apple App Store in December 2019 due to allegations of functioning as a surveillance tool for the U.A.E. government, collecting users’ conversations, locations, and other sensitive information.
In response to its removal, the developers of ToTok claimed that it was an “attack perpetrated against our company by those who hold a dominant position in this market,” asserting that the app does not engage in spying activities.
Spyware Functionality and User Deception
The rogue ProSpy applications are engineered to request permissions to access contacts, SMS messages, and files stored on the device, while also being capable of exfiltrating device information. ESET’s telemetry has also flagged another Android spyware family, ToSpy, which appears to have been actively targeting users in the region around the same time ProSpy was detected. This campaign, likely initiated on June 30, 2022, similarly utilizes counterfeit sites impersonating the ToTok app to deliver malware.
Both campaigns focus on stealing sensitive data, including files, media, contacts, and chat backups. The ProSpy cluster features the ToTok Pro app, which includes a “CONTINUE” button that redirects users to the official download page in their web browser, instructing them to download the legitimate app.
ESET noted, “This redirection is designed to reinforce the illusion of legitimacy.” Future launches of the malicious ToTok Pro app will instead open the genuine ToTok app, effectively concealing the spyware’s presence. However, users will notice two apps installed on their device—ToTok and ToTok Pro—which may raise suspicions.
Similarly, the Signal Encryption Plugin employs an “ENABLE” button to mislead users into downloading the legitimate encrypted messaging app from the signal[.]org site. Unlike the ToTok Pro scenario, the rogue Signal app icon changes to impersonate Google Play Services once the victim grants the necessary permissions.
Stealthy Data Exfiltration
Regardless of the application installed, the embedded spyware surreptitiously exfiltrates data before the user interacts with the CONTINUE or ENABLE buttons. This includes device information, SMS messages, contact lists, files, and a list of installed applications.
“Similar to ProSpy, ToSpy also incorporates steps designed to further deceive the victim into believing that the malware they just installed is a legitimate app,” Štefanko added. Upon launching the malicious ToTok app, two scenarios may unfold: either the official ToTok app is already installed on the device, or it is not.
If the official ToTok app is absent, ToSpy attempts to redirect the user to the Huawei AppGallery, either through an existing Huawei app or the default browser, encouraging the user to download the official ToTok app. Conversely, if the official app is present, a fake screen is displayed to create the illusion of checking for updates before seamlessly launching the legitimate ToTok app. Meanwhile, in the background, it collects user contacts, specific file types, device information, and ToTok data backups (*.ttkmbackup).
Persistence Mechanisms
To maintain persistence, both spyware families run a foreground service that displays a persistent notification. They use Android’s AlarmManager to reschedule and restart the foreground service if it is killed, and they register to relaunch their background services automatically when the device reboots.
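The combination described above (a foreground service, a boot-completed receiver, alarm-based restarts) together with the SMS, contacts and storage permissions mentioned earlier is a pattern a defender can screen for when triaging sideloaded APKs. The following Python script is an added example, not ESET's tooling or anything taken from the ProSpy or ToSpy samples: it parses an AndroidManifest.xml (the two manifests embedded here are constructed for illustration, with placeholder package names) and flags an app that pairs persistence mechanisms with broad data access. The permission and action strings are the standard Android names; the scoring thresholds are the author's own assumption.

```python
"""Manifest triage heuristic (added example; not the spyware's code or ESET's tooling).

Flags an APK whose AndroidManifest.xml combines persistence mechanisms
(foreground service, boot receiver, alarm scheduling) with broad
data-access permissions (SMS, contacts, external storage).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # attribute key ElementTree produces for android:name

# Permissions that give access to the data categories named in the report.
DATA_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}
# Permissions associated with the persistence techniques described above.
PERSIST_PERMS = {
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SCHEDULE_EXACT_ALARM",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(xml_text: str) -> dict:
    """Return a summary dict; 'suspicious' is True when persistence and data access co-occur."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    # A receiver listening for BOOT_COMPLETED is how apps relaunch after reboot.
    boot_receiver = any(
        a.get(NAME) == BOOT_ACTION
        for r in root.iter("receiver")
        for a in r.iter("action")
    )
    has_service = any(True for _ in root.iter("service"))
    data_hits = sorted(p for p in perms & DATA_PERMS if p)
    persist_hits = sorted(p for p in perms & PERSIST_PERMS if p)
    persistence = bool(persist_hits) or boot_receiver
    # Threshold is an assumption: a service plus persistence plus >=2 data permissions.
    suspicious = persistence and has_service and len(data_hits) >= 2
    return {
        "package": root.get("package"),
        "data_permissions": data_hits,
        "persistence_permissions": persist_hits,
        "boot_receiver": boot_receiver,
        "has_service": has_service,
        "suspicious": suspicious,
    }


# Constructed sample: placeholder package name, not a real spyware manifest.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.messengerplugin">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application>
        <service android:name=".SyncService"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed benign sample: a network-only app with a plain service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application>
        <service android:name=".FetchService"/>
    </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

Run it against a manifest extracted from an APK (for example with apktool) to get a quick first-pass signal; it is a heuristic, so treat a hit as a reason to look closer, not as a verdict.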
ESET is tracking these campaigns separately due to their differing delivery methods and infrastructures, despite several commonalities in the malware deployed. The identity of those behind these activities remains unknown.
“Users should remain vigilant when downloading apps from unofficial sources and avoid enabling installation from unknown origins, as well as when installing apps or add-ons outside of official app stores, especially those claiming to enhance trusted services,” the company advised.