ESET researchers have uncovered two previously unknown Android spyware campaigns that target individuals seeking secure communication apps, specifically Signal and ToTok.
The campaigns rely on deceptive websites and social engineering tactics to distribute malware, and ESET's evidence suggests a primary focus on residents of the United Arab Emirates (UAE).
“Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services,” explains ESET researcher Lukáš Štefanko, who made the discovery. “Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app. Once installed, both spyware families maintain persistence and continually exfiltrate sensitive data and files from compromised Android devices. Confirmed detections in the UAE and the use of phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms.”
ProSpy campaign
ESET identified the ProSpy campaign in June 2025, though indicators suggest it has been active since the previous year. Distributed via three deceptive domains impersonating Signal and ToTok, ProSpy was disguised as “Signal Encryption Plugin” and “ToTok Pro.” A domain ending in ae.net appears to reinforce the campaign’s UAE targeting.
In addition, ESET uncovered five more malicious APKs built on the same codebase, also posing as “ToTok Pro.” Given ToTok’s controversial history — removed from official app stores in December 2019 due to surveillance concerns — its strong UAE user base may make individuals there more likely to download rogue versions from unofficial sources.
Once installed, ProSpy requests access to contacts, SMS messages, and stored files. If granted, it exfiltrates data including device information, text messages, chat backups, images, audio, and videos.
ToSpy campaign
In parallel, ESET telemetry flagged Android/Spy.ToSpy in June 2025 on a device located in the UAE. Researchers linked it to four websites impersonating ToTok, with evidence suggesting the campaign began in mid-2022. Once active, ToSpy covertly harvests contacts, device details, chat backups, images, documents, audio, and video.
“Users should remain vigilant when downloading apps from unofficial sources and avoid enabling installation from unknown origins, as well as when installing apps or add-ons outside of official app stores, especially those claiming to enhance trusted services,” advises Štefanko.