If you happen to use messaging apps within the United Arab Emirates (UAE), cybersecurity researchers at ESET have recognized two cell spy ware campaigns that trick customers into putting in pretend variations of Sign and ToTok, then steal private information, together with contacts, messages, backups, information, and extra from contaminated units.
One malware pressure, referred to as, referred to as ProSpy (Android/Spy.ProSpy), was provided as a pretend Sign “encryption plugin” and as a ToTok Professional add-on. The opposite, ToSpy (Android/Spy.ToSpy), impersonates ToTok itself. Neither app seems in official app shops; victims should manually set up APK information from cloned web sites or third-party pages designed to seem like authentic companies.
Sign, as we all know, is a well-liked encrypted messaging app. ToTok, however, has a controversial historical past. As reported by Hackread.com in December 2019, ToTok was a UAE-developed messaging app accused of spying on customers within the nation, which led Apple and Google to take away it from their shops. At the moment, the app is offered solely via unreliable third-party sources.
The malware rip-off is an ideal instance of a social engineering assault utilizing folks’s belief in recognised manufacturers, copying their logos, onboarding screens and retailer layouts. In accordance with ESET’s lengthy technical weblog put up, in some instances, the pretend Sign app even adjustments its icon and title to seem like Google Play Companies after setup, which makes it more durable for customers to identify and take away.
When the spy ware runs, it asks for permissions that many apps legitimately want, like contacts and storage entry. If granted, the spy ware collects system particulars, SMS messages, contact lists, put in app lists, and information, together with chat backups.
ToSpy was noticed concentrating on ToTok backup information specifically, which suggests the attackers are occupied with chat historical past. All collected information is encrypted with a hardcoded AES key, then despatched to command and management servers.
ESET’s analysis reveals that this isn’t a brand new operation. The corporate’s telemetry and area information hint samples again so far as mid-2022, with ongoing exercise and energetic C&C servers detected in 2025.
To scale back threat, customers ought to follow official app shops, keep away from enabling set up from unknown sources, and hold Google Play Defend turned on if their system helps it. ESET has shared its findings with Google, and Play Defend now blocks recognized variants of those spy ware households by default on Android units with Google Play Companies.
