
Cybersecurity researchers have identified two sophisticated Android spyware campaigns, named ProSpy and ToSpy, that are impersonating the Signal and ToTok messaging applications to steal sensitive user data [1]. These campaigns primarily target users in the United Arab Emirates (UAE) by luring them to fake third-party websites, including one mimicking the Samsung Galaxy Store, to download malicious applications that require manual installation [2]. The discovery, reported in October 2025, highlights a persistent threat to users of secure communication platforms and the risks associated with sideloading applications from unofficial sources.
Executive Summary for Security Leadership
Two distinct Android spyware families, ProSpy and ToSpy, are actively targeting users through deceptive websites posing as legitimate app stores and offering fake upgrades for trusted messaging applications. The campaigns leverage the regional popularity of the ToTok app and the global reputation of Signal to trick users into installing malicious software. These spyware families are capable of exfiltrating a wide range of sensitive data, including contacts, SMS messages, and device files, while employing advanced persistence mechanisms to remain active on compromised devices. The strategic choice of lures and the technical sophistication of these campaigns necessitate increased user awareness and technical controls within enterprise environments.
- Threat: ProSpy and ToSpy Android spyware families.
- Vector: Sideloaded APKs from fake third-party app stores and websites.
- Lures: Impersonation of Signal (“Signal Encryption Plugin”) and ToTok (“ToTok Pro” or the ToTok app itself).
- Primary Target: Users in the United Arab Emirates (UAE).
- Key Capabilities: Data theft (contacts, SMS, files), persistence via Foreground Services and Boot Receivers.
- Status: Google Play Protect is now blocking known variants [1].
Campaign Analysis: ProSpy and ToSpy
The ProSpy campaign, tracked as `Android/Spy.ProSpy`, has been active since at least 2024 [1]. It deceives users by posing as a “Signal Encryption Plugin” or an enhanced version of ToTok called “ToTok Pro.” After installation, the application changes its icon to mimic “Google Play Services” to hide its presence on the device. It further creates an illusion of legitimacy by featuring buttons that redirect the user to official app stores, all while exfiltrating data in the background.
The ToSpy campaign, identified as `Android/Spy.ToSpy`, is believed to have begun in mid-2022 and was confirmed as still active as of October 2025 [1]. This malware poses as the ToTok application itself and checks whether the official ToTok app is installed. Depending on the outcome, it either redirects the user to download the legitimate application or seamlessly launches it after displaying a fake update screen, effectively masking its malicious background processes.
Technical Capabilities and Data Exfiltration
Both spyware families share a core set of functionalities designed for stealth and long-term access to victim devices. They utilize multiple Android persistence mechanisms, including Foreground Services, the AlarmManager API, and Boot Receivers, to ensure the malware remains active and automatically restarts after a device reboot [1]. The scope of data theft is comprehensive, targeting the device’s contact list, SMS messages, installed applications list, and general device information. Furthermore, the malware searches for and exfiltrates specific files from the device’s storage, including chat backups, images, audio, video, and documents. The ToSpy variant specifically targets `.ttkmbackup` files, which are backup files created by the ToTok application [1]. Data exfiltrated by ToSpy is encrypted using the AES algorithm in CBC mode with a hardcoded key before being sent to a command-and-control server.
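As an added illustration (not code from the report or from ESET), the following Python script triages a decoded AndroidManifest.xml for the combination of traits described above: a boot-completed receiver, a foreground service, SMS/contact/storage permissions, and an app label mimicking Google Play Services under a non-Google package name. The sample manifest and its package name are constructed, and the score is a triage heuristic for analysts, not a detection signature.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for the traits the ProSpy/ToSpy
write-up describes: boot-receiver persistence, foreground services, SMS/contact/file
access, and a display name impersonating Google Play Services under a non-Google package.
Added example, not from the report; the sample manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest showing the described traits (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.plugin">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Google Play Services">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>"""

SENSITIVE_PERMS = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
                   "android.permission.READ_EXTERNAL_STORAGE"}


def triage_manifest(xml_text: str) -> dict:
    """Return the indicators found; 'score' counts how many of the report's traits match."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID_NS + "name") for e in root.iter("action")}
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    found = {
        "boot_receiver": "android.intent.action.BOOT_COMPLETED" in actions,
        "foreground_service": "android.permission.FOREGROUND_SERVICE" in perms
        or any(s.get(ANDROID_NS + "foregroundServiceType") for s in root.iter("service")),
        "sensitive_data_perms": sorted(perms & SENSITIVE_PERMS),
        # Only Google ships Google Play Services; that label on another package is a red flag.
        "play_services_lookalike": "google play services" in label.lower()
        and not pkg.startswith("com.google."),
    }
    traits = ("boot_receiver", "foreground_service", "play_services_lookalike")
    found["score"] = sum(found[t] for t in traits) + bool(found["sensitive_data_perms"])
    return found
```

Run it against manifests decoded with a tool such as apktool; a high score is a prompt for manual review, since legitimate backup or messaging apps can share some of these traits.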
The Strategic Use of ToTok as a Lure
The selection of ToTok as a primary lure is a strategically calculated move by the threat actors. ToTok is a UAE-developed messaging application that was removed from major app stores in 2019 following allegations it was used for government surveillance [2]. Its continued popularity in the region and its primary distribution method through sideloading have normalized the process of installing applications outside of official stores. This creates a uniquely effective deception, as noted by Dark Reading, where spyware is masquerading as an application that was itself alleged to be spyware [2]. This context makes the malicious apps appear more credible to the target audience, increasing the likelihood of successful infection.
Broader Threat Landscape and Malvertising
The targeting of secure communication platforms is part of a wider, persistent trend. In February 2025, the Google Threat Intelligence Group reported increasing efforts from several Russia-aligned threat actors to compromise Signal Messenger accounts, underscoring the high value these platforms represent to adversaries [3]. Concurrently, the commercial spyware market continues to fuel these threats. A report from SC Media in February 2025 identified the Italian vendor SIO as the creator of Spyrtacus, a spyware distributed disguised as popular Android applications [4]. This indicates that the tools required to conduct such campaigns are readily available from a growing merchant ecosystem. Separately, Bitdefender researchers have documented a massive global malvertising operation abusing Facebook Ads that has expanded from targeting Windows users to distributing Android banking trojans, demonstrating a parallel and evolving threat vector [5].
Mitigation and Protection Strategies
Organizations and individuals can adopt several measures to defend against these and similar threats. The primary recommendation from security researchers is to avoid sideloading applications and to strictly use official app stores like Google Play, which offer additional security scanning [1][5]. Users should also be wary of advertisements, even on trusted platforms like Facebook, and carefully check URLs for lookalike domains. A critical security practice is to review application permissions critically before granting them. As stated by Lukáš Štefanko, an ESET researcher, “Users should remain vigilant when downloading apps from unofficial sources and avoid enabling installation from unknown origins, as well as when installing apps or add-ons outside of official app stores, especially those claiming to enhance trusted services” [1]. The use of a reputable mobile security solution can provide an additional layer of detection and blocking for these threats.
The discovery of the ProSpy and ToSpy campaigns serves as a stark reminder of the ongoing threats targeting mobile devices, particularly through social engineering and application impersonation. The technical capabilities of these spyware families, combined with their strategic use of lures that exploit regional application usage and trust, make them a significant risk. For security professionals, this reinforces the need for continuous user education on the dangers of sideloading and the importance of implementing technical controls that can detect and prevent such attacks. The fact that these campaigns are part of a larger ecosystem involving commercial spyware and malvertising indicates that the mobile threat landscape will continue to evolve in complexity.