Two new Android spyware families — ProSpy and ToSpy — target users of Signal and ToTok through fake app stores and phishing campaigns.
Cybersecurity firm ESET Research has discovered two previously undocumented Android spyware campaigns targeting privacy-conscious users in the UAE. The newly identified malware families, dubbed Android/Spy.ProSpy and Android/Spy.ToSpy, impersonate popular messaging apps Signal and ToTok, tricking users into installing malicious versions via fake app stores and phishing websites.
According to Lukáš Štefanko, the ESET researcher who uncovered the campaign, “Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services.” One of the malicious sites even mimicked the Samsung Galaxy Store, luring users into downloading a fake ToTok app.
Once installed, the spyware maintains persistence and continuously exfiltrates sensitive information — including contacts, chat backups, media files, and device data — from compromised Android devices. ESET’s telemetry confirmed multiple detections within the UAE, suggesting a regionally focused operation with strategic delivery methods.
ESET discovered that ProSpy has been active since 2024, distributed through websites mimicking Signal and ToTok that promote fake APKs like “Signal Encryption Plugin” and “ToTok Pro.” The ToSpy campaign, on the other hand, focuses exclusively on ToTok users and has been active since at least mid-2022. ToSpy leverages the discontinued but still-popular ToTok brand — which was previously removed from Google Play and Apple’s App Store over surveillance concerns — to reach users likely to trust and install the fake updates.
Štefanko cautioned users to remain vigilant: “Avoid downloading apps or add-ons from unofficial sources, and never enable installation from unknown origins. Such deceptive campaigns specifically exploit users’ trust in familiar apps.”
A detailed technical analysis of both spyware families is available on ESET’s WeLiveSecurity.com.
