Android spyware

Tech Optimizer
October 17, 2025
Android users are facing sophisticated spyware threats, specifically two strains known as ProSpy and ToSpy, which disguise themselves as legitimate applications such as updates for Signal and ToTok. Both evade detection and steal messages, contacts, and location data after requesting permissions that look innocuous at install time. In 2025, spyware detections increased by 147%, with attackers mimicking financial tools and system updates. Google plans to require, starting in 2026, that Android apps be registered to verified developers in order to combat these threats. Experts recommend downloading apps only from the Google Play Store, enabling Play Protect, and using reputable antivirus software. Vigilance against unofficial sources is crucial for protecting personal and professional data. New threats like ClayRat are emerging, further complicating the security landscape.
AppWizard
October 9, 2025
A sophisticated Android spyware campaign called ClayRat is targeting users in Russia through Telegram channels and deceptive phishing websites that mimic popular applications like WhatsApp and TikTok. Once activated, ClayRat can exfiltrate sensitive data such as SMS messages and call logs, access device information, take photos, and send messages or make calls from the victim's device. It propagates by sending malicious links to every contact in the victim's phone book. Over the past 90 days, Zimperium has identified over 600 samples and 50 droppers of ClayRat, which uses advanced obfuscation techniques to evade detection. Victims are funnelled from fraudulent websites into Telegram channels, where they are lured into downloading APK files. Some samples function as droppers, displaying counterfeit Play Store update screens while concealing the actual payload. Once installed, ClayRat communicates with its command-and-control infrastructure and can capture sensitive content, turning infected devices into automated distribution nodes. In a separate study, researchers from the University of Luxembourg and Université Cheikh Anta Diop found that pre-installed applications on budget Android smartphones sold in Africa operate with elevated privileges, with 9% disclosing sensitive data and 16% exposing critical components without safeguards.
AppWizard
October 3, 2025
ESET researchers have identified two Android spyware campaigns targeting users in the UAE, disguised as the messaging applications Signal and ToTok. The first spyware family, Android/Spy.ProSpy, poses as upgrades for these apps, while the second, Android/Spy.ToSpy, specifically targets ToTok users. Neither family was found on official app stores; both were distributed through phishing websites. The ProSpy campaign, active since 2024, uses deceptive sites to offer malicious APK files as enhancements. The ToSpy campaign, active since mid-2022, targets ToTok backup files and is still operating. Both spyware types collect extensive data, including contacts and SMS messages, and maintain persistent background operations. Google Play Protect offers some defense against these threats, and users are advised to avoid unofficial app installations.
AppWizard
October 2, 2025
Cybersecurity researchers have discovered two families of Android spyware that impersonate the messaging applications Signal and ToTok, linked to campaigns named ProSpy and ToSpy. ToTok was discontinued in 2020 after being identified as a surveillance tool for the UAE government, but the spyware is disguised as an enhanced version called ToTok Pro. The spyware requests extensive permissions upon installation and exfiltrates sensitive data. It was distributed through third-party websites posing as legitimate services, with confirmed detections in the UAE, indicating a targeted operation. The campaigns primarily aim at privacy-conscious residents of the UAE, as suggested by a distribution domain ending in “ae.net”.
AppWizard
October 2, 2025
Recent investigations by cybersecurity firm ESET revealed new spyware campaigns in the UAE that target users of messaging apps. Two Android spyware campaigns, named ProSpy and ToSpy, are disguised as popular communication tools, Signal and ToTok. The spyware infiltrates devices through deceptive websites and unofficial app stores, enabling the theft of sensitive data such as files, contacts, and chat backups, and it points victims to the legitimate apps to create an illusion of authenticity. ESET identified command-and-control servers indicating that the ToSpy campaign is still active; the spyware-laden apps can only be installed manually from third-party websites. The ToSpy malware was detected in June 2025, with origins traced back to 2022, while the ProSpy campaign was also identified in June 2025 and potentially began in 2024. Both campaigns use malicious Android Application Packages (APKs) disguised as enhancements to the original applications.
AppWizard
October 2, 2025
ESET Research has identified two new families of Android spyware: Android/Spy.ProSpy and Android/Spy.ToSpy. These malware campaigns target users of secure communication apps, specifically Signal and ToTok, and are distributed through deceptive websites and social engineering, primarily focusing on residents of the United Arab Emirates (UAE). Android/Spy.ProSpy pretends to be upgrades for the Signal and ToTok apps, while Android/Spy.ToSpy targets ToTok users exclusively. Both spyware families require manual installation from unofficial sources, as they are not available in official app stores. The ProSpy campaign was first noted in June 2025 but is believed to have been active since 2024, using misleading websites to distribute malicious APKs. ESET's findings indicate that the ToSpy campaigns are still ongoing, with command-and-control servers still operational. Once installed, the spyware collects sensitive data, including contacts, SMS messages, and files. Users are advised to be cautious when downloading apps from unofficial sources and to avoid enabling installation from unknown sources on their devices.
AppWizard
October 2, 2025
Cybersecurity researchers have identified two Android spyware campaigns, ProSpy and ToSpy, targeting users in the United Arab Emirates by impersonating popular applications like Signal and ToTok. These malicious applications are distributed through deceptive websites and social engineering tactics, requiring manual installation from third-party sites. The ProSpy campaign, active since 2024, uses misleading sites to host malicious APK files marketed as upgrades to Signal and ToTok. The ToSpy campaign, initiated around June 30, 2022, also employs counterfeit sites to deliver malware. Both spyware variants aim to steal sensitive data, including contacts, SMS messages, and files. The ProSpy app, ToTok Pro, contains a button that redirects users to the legitimate ToTok download page, while the Signal Encryption Plugin misleads users into downloading the genuine app. Both spyware types begin exfiltrating data before the user interacts with the app and maintain persistence through a foreground service and Android's AlarmManager. ESET is tracking these campaigns separately due to their different delivery methods, and the identities of those behind the activities remain unknown. Users are advised to be cautious when downloading apps from unofficial sources.
AppWizard
October 2, 2025
ESET researchers have identified two Android spyware campaigns, Android/Spy.ProSpy and Android/Spy.ToSpy, targeting users of secure messaging apps like Signal and ToTok. These spyware families are distributed through deceptive websites and social engineering tactics, requiring manual installation from unofficial sources. The ProSpy campaign, operational since 2024, uses fraudulent websites to distribute malicious APKs disguised as a Signal Encryption Plugin and ToTok Pro, particularly targeting users in the UAE. The ToSpy campaign, discovered in June 2025, also targets users in the UAE, utilizing fake distribution sites impersonating the ToTok app. Both spyware types request access to contacts, SMS messages, and files, exfiltrating sensitive data in the background. ESET advises users to be cautious when downloading apps from unofficial sources.
Tech Optimizer
August 25, 2025
Doctor Web’s antivirus laboratory has identified a sophisticated Android backdoor named Android.Backdoor.916.origin, which has been evolving since January 2025. This spyware primarily targets Russian businesses through focused attacks, disseminated via private messages as a fake antivirus application called “GuardCB.” The app's icon resembles the emblem of the Central Bank of the Russian Federation, and its interface is in Russian. Variants of the malware carry names like “SECURITY_FSB” and “FSB,” falsely claiming to be security tools linked to Russian law enforcement. Upon execution, the malware simulates an antivirus scan while requesting extensive system permissions for surveillance and data exfiltration, including access to geolocation, audio recording, SMS, contacts, call logs, media files, and the camera. It connects to command-and-control servers, allowing attackers to receive exfiltrated data, initiate audio and video feeds, and execute commands. The malware also includes keylogger functionality to intercept keystrokes and monitors specific applications to steal their content. Doctor Web has notified domain registrars to disrupt the malware's infrastructure and confirms that all known variants are detected and neutralized by its antivirus solutions. Organizations are advised to enforce strict APK sideloading policies and to verify app authenticity to counter such threats.
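The campaigns summarised above (ProSpy/ToSpy, ClayRat, Android.Backdoor.916.origin) share a pattern a responder can check for on a device: the package was sideloaded rather than installed from Google Play, it requests broad data-access permissions (SMS, contacts, call log, location, audio/camera, storage), and it holds the permissions that let it keep running unattended (boot receiver, foreground service, exact alarms). The script below is an added example, not code from any of the reports or vendors named on this page. It parses the output of `adb shell pm list packages -i` and the "requested permissions" section of `adb shell dumpsys package <pkg>` and ranks packages by those three indicators. The sample output is constructed by hand and only modelled on the real formats; the `com.example.*` package names are hypothetical, and the trusted-installer list is an assumption for a managed fleet.

```python
"""Triage installed Android packages for spyware-style indicators.

Added example. Input is constructed sample text modelled on:
    adb shell pm list packages -i        -> "package:<pkg>  installer=<pkg|null>"
    adb shell dumpsys package <pkg>      -> "requested permissions:" block
Package names under com.example.* are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Assumption: a managed device should only receive apps from Google Play.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Data-access permission groups matching what the spyware above is reported to request.
# A legitimate messenger may hold several of these, so this is a triage signal, not a verdict.
SENSITIVE_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "audio_camera": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.MANAGE_EXTERNAL_STORAGE"},
}
# Permissions that let a package restart itself and run in the background unattended.
PERSISTENCE = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.SCHEDULE_EXACT_ALARM",
}

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_package_list(text: str) -> Dict[str, Optional[str]]:
    """Map package -> installing package; 'null' (adb install / sideload) becomes None."""
    installers: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_requested_permissions(dumpsys_text: str) -> FrozenSet[str]:
    """Collect the bare permission names under 'requested permissions:' until the next section."""
    perms, in_block = set(), False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            if not stripped or stripped.endswith(":"):  # blank line or next header
                break
            perms.add(stripped.split(":")[0])
    return frozenset(perms)


@dataclass
class Finding:
    package: str
    installer: Optional[str]
    groups: FrozenSet[str]   # sensitive groups touched
    persistent: bool         # holds any PERSISTENCE permission

    @property
    def sideloaded(self) -> bool:
        return self.installer not in TRUSTED_INSTALLERS

    @property
    def suspicious(self) -> bool:
        # All three indicators together: sideloaded, broad data access, runs unattended.
        return self.sideloaded and len(self.groups) >= 2 and self.persistent


def triage(package_list_text: str, dumpsys_by_package: Dict[str, str]) -> List[Finding]:
    """Rank packages: suspicious first, then by breadth of sensitive access."""
    findings = []
    for pkg, installer in parse_package_list(package_list_text).items():
        perms = parse_requested_permissions(dumpsys_by_package.get(pkg, ""))
        groups = frozenset(g for g, names in SENSITIVE_GROUPS.items() if perms & names)
        findings.append(Finding(pkg, installer, groups, bool(perms & PERSISTENCE)))
    return sorted(findings, key=lambda f: (f.suspicious, len(f.groups)), reverse=True)


# Constructed sample output (not captured from a real device).
SAMPLE_PACKAGE_LIST = """\
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.example.signal.plugin  installer=null
package:com.example.totokpro  installer=com.android.packageinstaller
package:com.example.flashlight  installer=null
"""

def _dumpsys(*perms: str) -> str:
    body = "\n".join(f"      {p}" for p in perms)
    return f"  requested permissions:\n{body}\n  install permissions:\n      {perms[0]}: granted=true\n"

SAMPLE_DUMPSYS = {
    "org.thoughtcrime.securesms": _dumpsys("android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
                                           "android.permission.CAMERA", "android.permission.FOREGROUND_SERVICE"),
    "com.example.signal.plugin": _dumpsys("android.permission.READ_SMS", "android.permission.READ_CONTACTS",
                                          "android.permission.READ_EXTERNAL_STORAGE",
                                          "android.permission.RECEIVE_BOOT_COMPLETED",
                                          "android.permission.FOREGROUND_SERVICE"),
    "com.example.totokpro": _dumpsys("android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
                                     "android.permission.READ_EXTERNAL_STORAGE",
                                     "android.permission.SCHEDULE_EXACT_ALARM"),
    "com.example.flashlight": _dumpsys("android.permission.CAMERA"),
}

if __name__ == "__main__":
    for f in triage(SAMPLE_PACKAGE_LIST, SAMPLE_DUMPSYS):
        flag = "SUSPICIOUS" if f.suspicious else "-"
        print(f"{flag:10} {f.package:32} installer={f.installer} groups={sorted(f.groups)} persistent={f.persistent}")
```

On a real device, feed `adb shell pm list packages -i` to `parse_package_list` and run `adb shell dumpsys package <pkg>` for each package of interest. A trusted installer does not make a package safe and a sideloaded package is not necessarily malicious; the ranking only tells an analyst which packages to pull and inspect first.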