
New Android Spyware Poses as Signal, ToTok Apps in UAE

Android Spyware Campaigns ProSpy and ToSpy Impersonate Signal and ToTok Targeting UAE Users

  • Two Android spyware campaigns named ProSpy and ToSpy target users in the United Arab Emirates (U.A.E.) by impersonating popular apps Signal and ToTok.
  • The malicious apps are distributed through fake websites and social engineering, requiring manual installation outside official app stores.
  • The spyware steals sensitive data, including contacts, messages, files, and device information.
  • ESET researchers found ProSpy active since 2024 and ToSpy from mid-2022, both using deceptive tactics to mask spyware activity by linking victims to legitimate app downloads.
  • Users are advised to avoid installing apps from unofficial sources and enabling unknown installations to reduce infection risk.

Cybersecurity researchers from ESET uncovered two Android spyware campaigns called ProSpy and ToSpy that impersonate messaging apps Signal and ToTok to target users in the United Arab Emirates. These malicious apps bypass official app stores and are manually installed via deceptive third-party websites. The spyware gains persistent access to compromised devices and extracts private data.


The ProSpy campaign, detected in June 2025 and believed to have started in 2024, uses fake websites mimicking Signal and ToTok to deliver booby-trapped APK files named Signal Encryption Plugin and ToTok Pro. According to ESET researcher Lukáš Štefanko, “Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services.” One counterfeit site even impersonated the Samsung Galaxy Store to spread the ToSpy malware.

Both spyware types request permissions to access contacts, SMS messages, files, and device details. Once installed, they run background services to stay active, restarting automatically if terminated and launching on device reboot. Before victims interact with buttons labeled “CONTINUE” or “ENABLE,” which redirect them to official app download pages, the spyware quietly steals data including files, media, contact lists, and chat backups.

ToTok was removed from Google Play and Apple’s App Store in December 2019 amid allegations it served as a spying tool for the U.A.E. government, gathering conversations and location data. The developers denied these claims, describing the removal as an attack by market competitors. The malicious ProSpy and ToSpy apps exploit this history by impersonating ToTok to trick users.

The fake Signal Encryption Plugin changes its icon to look like Google Play Services after permission is granted, masking its presence. Both malware strains display legitimate versions of their respective apps after installation to avoid user suspicion. ESET notes the campaigns use different infrastructures but share tactics targeting data theft in the region.


Users are urged to avoid downloading apps from unofficial sources and not to enable installations from unknown origins. This caution is especially important for apps claiming to enhance trusted services. For further details, see ESET’s report.
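The traits described above (installation from outside an app store, requests for contacts, SMS and file access, and restart on boot) can be checked on a device from the output of `adb shell pm list packages -i` and `adb shell dumpsys package <name>`. The following triage sketch is an added example, not code from ESET or this article; the trusted-installer list, the two-permission threshold and every package name are assumptions, and the sample input is constructed.

```python
import re

# Stores treated as trusted installers (assumption; adjust per fleet).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}
# Permissions covering the data types the article lists, plus start-on-boot.
DATA_PERMS = {"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
              "android.permission.READ_EXTERNAL_STORAGE"}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -i` output."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M))

def parse_requested_perms(dumpsys_output):
    """Collect names under 'requested permissions:' in `dumpsys package <pkg>` output."""
    perms, in_block = set(), False
    for line in dumpsys_output.splitlines():
        s = line.strip()
        if s == "requested permissions:":
            in_block = True
        elif in_block and s and not s.endswith(":"):
            perms.add(s.split(":")[0])  # drop suffixes such as ': restricted=true'
        elif in_block:
            break  # next section header or blank line ends the block
    return perms

def flag_sideloaded_collectors(installers, dumpsys_by_pkg):
    """Packages from untrusted installers requesting 2+ data permissions and boot start."""
    flagged = []
    for pkg, installer in sorted(installers.items()):
        perms = parse_requested_perms(dumpsys_by_pkg.get(pkg, ""))
        if (installer not in TRUSTED_INSTALLERS
                and len(perms & DATA_PERMS) >= 2 and BOOT_PERM in perms):
            flagged.append(pkg)
    return flagged

# Constructed sample input; package names are placeholders, not indicators.
SAMPLE_PM = """package:org.example.messenger  installer=com.android.vending
package:com.example.chatplugin  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
"""
COLLECTOR = """    requested permissions:
      android.permission.READ_CONTACTS
      android.permission.READ_SMS: restricted=true
      android.permission.RECEIVE_BOOT_COMPLETED
    install permissions:
"""
SAMPLE_DUMPSYS = {"org.example.messenger": COLLECTOR, "com.example.chatplugin": COLLECTOR,
                  "com.example.flashlight": "    requested permissions:\n      android.permission.CAMERA\n"}
```

A flagged package is a candidate for review, not a verdict: legitimate sideloaded apps can match, so confirm the source and signing certificate before acting.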
