Researchers uncovered two Android spyware campaigns, ProSpy and ToSpy, posing as Signal and ToTok in the UAE to steal data via fake sites.
ESET cybersecurity researchers uncovered two spyware campaigns, dubbed ProSpy and ToSpy, that target Android users in the United Arab Emirates (U.A.E.) by impersonating apps like Signal and ToTok.
The cybersecurity firm tracks the campaigns separately due to different delivery methods and infrastructure, though the malware shares similarities. At this time, it is unclear who is behind the campaigns.
Malicious apps are distributed via fake websites and social engineering tactics. Both malware are previously undocumented, and they are concealed in applications impersonating upgrades or plugins for the Signal and ToTok messaging apps. ProSpy was observed impersonating both Signal and ToTok, while ToSpy only ToTok.
“Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services. Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app.” reads the report published by ESET. “Once installed, both spyware families maintain persistence and continually exfiltrate sensitive data and files from compromised Android devices.”
The ProSpy campaign, active since 2024 and discovered in June 2025, uses fake Signal and ToTok websites to distribute malicious APKs (Signal Encryption Plugin/ToTok Pro). The malware requests access to contacts, SMS, and files, then exfiltrates sensitive device data. It primarily targets users in the UAE.
Threat actors behind this campaign target ToTok because the app was removed from Google Play and Apple App Store in December 2019 due to concerns of being a spying tool of UAE government.
The ProSpy campaign spreads Android spyware disguised as the nonexistent “Signal Encryption Plugin” app. In June 2025, researchers identified two malicious samples delivered via phishing sites requiring manual installation from unknown sources. Despite different domains, the samples share identical code. Domains ending in ae.net indicate the campaign likely targets users in the United Arab Emirates (UAE).
ESET found five malicious APKs using the same spyware as ProSpy, posing as ToTok Pro. One sample came from a fake site; the others’ distribution is unknown. Since ToTok’ is mainly used in the UAE, the campaign likely targets local users downloading unofficial apps.
“Upon execution, both malicious apps request permissions to access contacts, SMS messages, and files stored on the device. If these permissions are granted, ProSpy starts exfiltrating data in the background. The steps we describe next are taken in order for the apps to appear legitimate and prevent the victim from uninstalling them.” continues the report.
The rogue Signal Encryption Plugin and ToTok Pro apps trick users with buttons like “ENABLE” to appear legitimate. Once permissions are granted, spyware secretly steals device info, SMS, contacts, files, and installed apps. ToSpy further misleads users, redirecting them to official app sources if the real ToTok app is missing.
If the app is already installed on the device, the spyware fakes update screens on installed ToTok apps while secretly stealing contacts, files, device info, and backups.
The ToSpy campaign, first detected in June 2025, is an Android spyware family impersonating the ToTok app, primarily targeting users in the UAE. Researchers found six samples with the same malicious codebase and developer certificate, traced back to mid-2022, indicating a long-running operation. Distribution relied on phishing sites mimicking legitimate app stores, including a fake Galaxy Store. Two of the malicious domains remained active at the time of analysis, and several C2 servers were still online, confirming that the campaign is still ongoing.
The spyware in both campaigns maintains persistence by running a foreground service with a persistent notification, using AlarmManager to auto-restart if killed, and registering for BOOT_COMPLETED to relaunch after reboot. These tactics are simple and keep the malware active for continuous data theft while minimizing user awareness.
“We identified two distinct Android spyware campaigns – Android/Spy.ProSpy and Android/Spy.ToSpy – targeting users in the UAE and sharing common traits such as impersonation of legitimate apps, use of social engineering, manual installation, persistent background services, and broad data exfiltration capabilities. Despite these similarities, we track them separately due to differences in delivery methods and infrastructure.” concludes the report.
“Users should remain vigilant when downloading apps from unofficial sources and avoid enabling installation from unknown origins, as well as when installing apps or add-ons outside of official app stores, especially those claiming to enhance trusted services.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
