Android Spyware Campaigns Masquerade as Signal ToTok Target UAE Users

Researchers at ESET have uncovered two previously unknown Android spyware campaigns named ProSpy and ToSpy that impersonate the secure messaging apps Signal and ToTok to steal sensitive data from users. These campaigns rely on fake websites and social engineering, distributing malicious APKs outside official app stores, primarily targeting users in the United Arab Emirates (UAE). ProSpy masquerades as a Signal encryption plugin or a Pro version of ToTok, while ToSpy exclusively imitates ToTok, which despite being removed from Google Play and Apple App Store in 2019 due to surveillance concerns, remains popular in the UAE. The spyware requests access to contacts, SMS, and files, exfiltrating data continuously while disguising itself as legitimate system apps to maintain persistence and avoid detection. The campaigns leverage the regional popularity of ToTok and mimic trusted platforms, including the Samsung Galaxy Store, to trick users into manual installation. Evidence suggests that ProSpy has been active since at least 2024, and ToSpy since 2022, highlighting a long-term, regionally focused operation exploiting the unique app ecosystem in the UAE.