New Android Spyware Families Target Privacy-Conscious Users in UAE via Fake Signal and ToTok Apps
ESET researchers have uncovered two previously undocumented Android spyware families, ProSpy and ToSpy, that impersonate Signal and ToTok to steal sensitive data from users in the UAE.

ESET researchers have uncovered two Android spyware campaigns targeting individuals interested in secure communication apps, namely Signal and ToTok. These campaigns distribute malware through deceptive websites and social engineering and appear to target residents of the United Arab Emirates (UAE).
The investigation led to the discovery of two previously undocumented spyware families: Android/Spy.ProSpy, which impersonates upgrades or plugins for the Signal and ToTok messaging apps, and Android/Spy.ToSpy, which impersonates the ToTok app. Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services. Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app.
Once installed, both spyware families maintain persistence and continually exfiltrate sensitive data and files from compromised Android devices. Researchers observed that, among other file types, ToSpy targets files with the .ttkmbackup extension, which is used to store ToTok data backups. This suggests an interest in extracting chat history or app data. The ToSpy campaigns are ongoing, as suggested by C&C servers that remain active at the time of publication.
The ProSpy campaign was discovered in June 2025 but is believed to have been active since 2024. It distributes malicious APKs through three deceptive websites impersonating Signal and ToTok, offering fake 'Signal Encryption Plugin' and 'ToTok Pro' apps. The use of a domain name ending in 'ae.net' suggests targeting of UAE residents. The ToTok Pro variant displays a welcome screen that redirects users to the official ToTok download page, masking the spyware's presence. The Signal Encryption Plugin similarly redirects to the legitimate Signal app or website.
As an App Defense Alliance partner, ESET shared findings with Google. Android users are automatically protected against known versions of this spyware by Google Play Protect, which is on by default on Android devices with Google Play Services. However, users who install apps from outside the official store remain at risk. The campaigns highlight the ongoing threat of targeted spyware against privacy-conscious individuals in specific regions.