Android spyware

AppWizard
June 6, 2026
Arabic-speaking users are the target of a new Android spyware called Asin, identified by ESET in early 2025. The malware is distributed through fraudulent websites that mimic legitimate services, including:
- govlens[.]net, registered on May 27, 2025, impersonating a government news source.
- pdf-reader[.]help, registered on May 29, 2025, claiming to be a secure PDF editor.
- live-war-map[.]com, registered on January 20, 2025, providing updates on military incidents.
Two of these domains are promoted via social media accounts on Facebook and Telegram. The spyware combines legitimate functionality with covert capabilities, and its campaigns may target journalists and OSINT researchers in Arabic-speaking regions. Artifacts linked to Asin include an upload to VirusTotal from Türkiye in October 2025, an APK downloaded from c-pdf[.]net in December 2025, and a sample disguised as "Syria Defense Map" detected in January 2026. Users must manually install the applications and grant permissions for the spyware to operate.
Tech Optimizer
October 17, 2025
Android users are facing sophisticated spyware threats, specifically two strains known as ProSpy and ToSpy, which disguise themselves as legitimate applications like updates for Signal and ToTok. These malware types evade detection and steal sensitive information such as messages, contacts, and location data by requesting innocuous permissions. In 2025, spyware detections increased by 147%, with attackers mimicking financial tools and system updates. Google plans to implement a policy in 2026 requiring apps to be registered to verified developers to combat these threats. Experts recommend downloading apps only from the Google Play Store, enabling Play Protect, and using reputable antivirus software. Vigilance against unofficial sources is crucial for protecting personal and professional data. New threats like ClayRat are emerging, further complicating the security landscape.
AppWizard
October 9, 2025
A sophisticated Android spyware campaign called ClayRat is targeting users in Russia through Telegram channels and deceptive phishing websites that mimic popular applications like WhatsApp and TikTok. Once activated, ClayRat can exfiltrate sensitive data such as SMS messages and call logs, access device information, take photos, and send messages or make calls from the victim's device. It propagates by sending malicious links to all contacts in the victim's phone book. Over the past 90 days, Zimperium has identified over 600 samples and 50 droppers of ClayRat, which uses advanced obfuscation techniques to evade detection. The malware redirects users to fraudulent websites leading to Telegram channels, where they are lured into downloading APK files. Some samples function as droppers, displaying counterfeit Play Store update screens while concealing the actual payload. Once installed, ClayRat communicates with its command-and-control infrastructure and can capture sensitive content, making infected devices automated distribution nodes. Additionally, a study by researchers from the University of Luxembourg and Université Cheikh Anta Diop found that pre-installed applications on budget Android smartphones sold in Africa operate with elevated privileges, with 9% disclosing sensitive data and 16% exposing critical components without safeguards.
AppWizard
October 3, 2025
ESET researchers have identified two Android spyware campaigns targeting users in the UAE, disguised as messaging applications Signal and ToTok. The first spyware family, Android/Spy.ProSpy, poses as upgrades for these apps, while the second, Android/Spy.ToSpy, specifically targets ToTok users. Neither malware family was found on official app stores; both were distributed through phishing websites. The ProSpy campaign, active since 2024, uses deceptive sites to offer malicious APK files as enhancements. The ToSpy campaign, identified since mid-2022, targets ToTok backup files and has ongoing operations. Both spyware types collect extensive data, including contacts and SMS messages, and maintain persistent background operations. Google Play Protect offers some defense against these threats, and users are advised to avoid unofficial app installations.
AppWizard
October 2, 2025
Cybersecurity researchers have discovered two families of Android spyware that impersonate messaging applications Signal and ToTok, linked to campaigns named ProSpy and ToSpy. ToTok was discontinued in 2020 after being identified as a surveillance tool for the UAE government, but the spyware is disguised as an enhanced version called ToTok Pro. The spyware requests extensive permissions upon installation and exfiltrates sensitive data. It was distributed through third-party websites posing as legitimate services, with confirmed detections in the UAE, indicating a targeted operation. The spyware campaigns primarily aim at privacy-conscious residents in the UAE, as suggested by the domain name ending in “ae.net.”
AppWizard
October 2, 2025
Recent investigations by cybersecurity firm ESET revealed that new spyware campaigns in the UAE are targeting messaging apps. Two Android spyware campaigns, named ProSpy and ToSpy, are disguised as popular communication tools—Signal and ToTok. These spyware programs infiltrate devices through deceptive websites and unofficial app stores, enabling the theft of sensitive data such as files, contacts, and chat backups. The spyware reloads legitimate apps to create an illusion of authenticity. ESET identified command-and-control servers indicating that the ToSpy campaign is still active, and these spyware-laden apps can only be installed manually via third-party websites. The ToSpy malware was detected in June, with origins traced back to 2022, while the ProSpy campaign was also identified in June, potentially starting in 2024. Both campaigns utilize malicious Android Application Packages (APKs) disguised as enhancements to original applications.
AppWizard
October 2, 2025
ESET Research has identified two new families of Android spyware: Android/Spy.ProSpy and Android/Spy.ToSpy. These malware campaigns target users of secure communication apps, specifically Signal and ToTok, and are distributed through deceptive websites and social engineering, primarily focusing on residents of the United Arab Emirates (UAE). Android/Spy.ProSpy poses as upgrades for the Signal and ToTok apps, while Android/Spy.ToSpy targets ToTok users exclusively. Both spyware families require manual installation from unofficial sources, as they are not available in official app stores. The ProSpy campaign was first noted in June 2025 but is believed to have been active since 2024, using misleading websites to distribute malicious APKs. ESET's findings indicate that the ToSpy campaigns are still ongoing, with command and control servers still operational. The spyware collects sensitive data, including contacts, SMS messages, and files, once installed. Users are advised to be cautious when downloading apps from unofficial sources and to avoid enabling installations from unknown origins.