Two Android spyware campaigns dubbed ‘ProSpy’ and ‘ToSpy’ are impersonating popular messaging apps like Signal and ToTok to infiltrate users’ devices in the United Arab Emirates (UAE).
According to Slovak cybersecurity firm ESET, which detailed the campaigns in its new report, the attacks use social engineering and fake websites mimicking legitimate app pages to trick users into manually downloading spyware-laden APK files. Once installed, the malicious apps gain persistent access and silently exfiltrate sensitive data such as contacts, SMS messages, device information, media files, and chat backups.
The malware-laden apps don't rely on official app stores for distribution. Instead, they must be installed manually from third-party websites posing as legitimate services such as the Samsung Galaxy Store. In that case, the fake site distributed a tampered version of the ToTok app, which was banned from major app stores in 2019 over suspicions that it acted as a surveillance tool for the Emirati government.
The ProSpy campaign, uncovered in June 2025 but active since 2024, used fake sites that posed as Signal and ToTok download portals. The rogue apps, named ‘Signal Encryption Plugin’ and ‘ToTok Pro’, requested invasive permissions and used fake buttons like “CONTINUE” or “ENABLE” to guide users toward downloading the real apps.
Once permissions are granted, the ProSpy apps impersonate legitimate services (Google Play Services, for example) while quietly siphoning data in the background.
The ToSpy spyware campaign, active since at least mid-2022, uses similar tactics but with some differences. If the official ToTok app isn't present on the device, ToSpy redirects users to Huawei’s AppGallery to download it. If the app is already installed, it displays a fake update screen, then launches the real app to avoid suspicion, while harvesting files, contact lists, and app backups (.ttkmbackup) in the background.
Both ProSpy and ToSpy are equipped with advanced persistence techniques, including Android's AlarmManager and foreground services with persistent notifications, which let them restart after a device reboot or termination.
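For defenders triaging a sideloaded APK, the traits described above (broad data-access permissions, restart on boot, a foreground service, a label borrowed from Google Play Services) can be checked in the decoded manifest. The following is an added example, not ESET's tooling or code from the report; the sample manifest, package name and component names are constructed, and the label is assumed to be a literal string rather than a resource reference.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Data categories the article lists as exfiltrated, mapped to Android permissions.
DATA_PERMS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_EXTERNAL_STORAGE": "media files and backups",
}
BOOT = "android.intent.action.BOOT_COMPLETED"
GMS_PACKAGE = "com.google.android.gms"  # package of the genuine Google Play Services

def triage_manifest(xml_text):
    """Return a list of findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    data = sorted(DATA_PERMS[p] for p in perms if p in DATA_PERMS)
    if data:
        findings.append("reads: " + ", ".join(data))
    boot = any(a.get(ANDROID + "name") == BOOT
               for r in root.iter("receiver") for a in r.iter("action"))
    if boot and "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("restarts after reboot")
    if "android.permission.FOREGROUND_SERVICE" in perms and root.find(".//service") is not None:
        findings.append("foreground service declared")
    app = root.find("application")
    label = (app.get(ANDROID + "label") or "") if app is not None else ""
    if "google play services" in label.lower() and root.get("package") != GMS_PACKAGE:
        findings.append("label imitates Google Play Services")
    return findings

# Constructed sample manifest (hypothetical package and component names).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plugin">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Google Play Services">
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE):
        print(finding)
```

Each finding is common in legitimate apps on its own; the combination in an APK obtained outside an official store is what merits a closer look. AlarmManager scheduling happens in code and generally leaves no manifest entry, so this check does not cover it.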