👤 CIPHERWARDEN
🗓️ 07 Oct 2025   🗂️ Cyber Warfare     🌍 Middle East

Masquerade on the Emirates: Fake Signal and ToTok Apps Unleash Spyware Storm

Cybercriminals are luring UAE Android users with counterfeit messaging apps that steal secrets in the shadows of trusted brands.

Fast Facts

  • Fake Signal and ToTok Android apps are spreading spyware across the UAE.
  • Two malware families, which ESET has named ProSpy and ToSpy, are distributed outside the official app stores.
  • Victims are tricked into installing these apps from cloned websites or third-party sources.
  • Stolen data includes contacts, messages, backups, and device info, sent to remote servers.
  • ESET traced the campaign back to mid-2022, with continued activity into 2025.

The Trojan Horse of Messaging Apps

Imagine downloading a trusted messenger, only to open the gates of your digital life to unseen thieves. That's the reality facing Android users in the United Arab Emirates, where a new wave of spyware disguised as Signal and ToTok apps is quietly siphoning off sensitive data. According to cybersecurity firm ESET, two malware strains - ProSpy and ToSpy - are behind the campaign, using the familiar faces of popular messaging apps to infiltrate victims’ phones.

The scheme is a masterclass in deception. Instead of appearing on legitimate app stores, these fakes lurk on lookalike websites and unauthorized third-party pages. Users, often seeking banned or hard-to-find apps, are coaxed into downloading an APK file - a digital Trojan horse. Once installed, the fake Signal app can even morph its icon into that of Google Play Services, camouflaging itself amid the phone’s trusted system tools.

Behind the Curtain: A Familiar Playbook

Signal, renowned for its encryption, is a lifeline for privacy-conscious users globally. ToTok, by contrast, has a murkier reputation. In 2019, reports from outlets like Hackread revealed that ToTok itself was suspected of being a state surveillance tool, leading to its removal from Apple and Google’s app stores. Yet, demand for free, unrestricted messaging in the UAE keeps ToTok’s name alive - and ripe for imitation.

By mimicking trusted brands, attackers exploit both user trust and the region’s hunger for private communication. This isn’t the first time cybercriminals have used such tactics: similar fake WhatsApp and Telegram apps have surfaced in the Middle East and beyond, often targeting dissidents, journalists, or simply the unwary. The current campaign, however, stands out for its persistence and technical polish.

How the Spyware Works

Once the user grants the permissions the app asks for on first launch - access to contacts, messages and storage - the spyware gets to work. It quietly gathers a trove of information: who you talk to, what you say, your files, even your chat backups. ToSpy, in particular, zeroes in on ToTok backup files, suggesting a targeted interest in message histories. The stolen data is encrypted on the device and funneled to remote command-and-control servers, where it can be exploited or sold.

ESET’s research shows this isn’t a flash-in-the-pan operation. Artifacts date back to mid-2022, with servers still active and new victims emerging into 2025. The longevity hints at a sophisticated, possibly state-aligned group, or at least one with deep knowledge of the local tech landscape.

Staying Safe: Lessons and Warnings

For users, the lesson is clear: never install apps from unofficial sources, no matter how tempting. Keep installation from unknown sources disabled, and rely on built-in protections such as Google Play Protect when available. If you must sideload Signal, take the APK only from signal.org and compare its signing-certificate fingerprint with the one Signal publishes there; a cloned site cannot reproduce that certificate. ESET has shared its findings with Google, and Google Play Protect, which is enabled by default on devices with Google Play Services, now detects the known variants.
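The check a practitioner would run after reading this: an added example, written for this page and not ESET's or the article's code, that feeds the output of `adb shell pm list packages -i` through a filter flagging Signal or ToTok look-alikes and any messenger-named package that did not arrive through Google Play. It assumes Google Play's installer id `com.android.vending` and Signal's real package name `org.thoughtcrime.securesms`; the sample `pm` output, the look-alike package names and the name heuristic are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ESET's or the article's code): audit an Android device for
# sideloaded look-alikes of Signal and ToTok using the installer attribution that
# `adb shell pm list packages -i` reports for every installed package.
#
# Assumptions: Google Play's installer id is com.android.vending and Signal's
# real package name is org.thoughtcrime.securesms. The sample output below and
# the look-alike package names are constructed, not captured from a device.

PLAY_STORE="com.android.vending"
LEGIT_SIGNAL="org.thoughtcrime.securesms"

# flag_sideloaded_messengers: read `pm list packages -i` lines on stdin and print
# one "<package> <installer> <reason>" line per package that deserves a look.
flag_sideloaded_messengers() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;                      # not a package line
        esac
        # Normalise tabs and stray carriage returns from adb to spaces.
        rest=$(printf '%s' "${line#package:}" | tr '\t\r' '  ')
        pkg=${rest%% *}
        case "$rest" in
            *installer=*) installer=${rest##*installer=}; installer=${installer%% *} ;;
            *)            installer="unknown" ;;
        esac
        lower=$(printf '%s' "$pkg" | tr 'A-Z' 'a-z')

        # 1. Anything calling itself Signal that is not Signal's real package name.
        case "$lower" in
            *signal*|*securesms*)
                if [ "$pkg" != "$LEGIT_SIGNAL" ]; then
                    printf '%s %s %s\n' "$pkg" "$installer" "signal-lookalike-name"
                    continue
                fi ;;
        esac
        # 2. A messenger-named package that did not come through Google Play.
        case "$lower" in
            *signal*|*securesms*|*totok*)
                if [ "$installer" != "$PLAY_STORE" ]; then
                    printf '%s %s %s\n' "$pkg" "$installer" "messenger-not-from-play"
                fi ;;
        esac
    done
}

# Constructed sample of `pm list packages -i` output (installer=null means the
# package was sideloaded or installed by a tool that left no attribution).
SAMPLE_PM_OUTPUT='package:org.thoughtcrime.securesms  installer=null
package:com.android.chrome  installer=com.android.vending
package:org.signal.messenger.pro  installer=null
package:ai.totok.messenger.free  installer=com.example.filemanager
package:com.example.notes  installer=null'

# demo: run the filter over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_sideloaded_messengers
}

case "${1:-}" in
    --device) adb shell pm list packages -i | flag_sideloaded_messengers ;;
    --demo)   demo ;;
esac
```

Run `sh audit.sh --device` against a connected phone, or `sh audit.sh --demo` for the built-in sample, which flags three of the five packages. Installer attribution is a screening signal, not proof: Signal's own APK from signal.org shows `installer=null` exactly like a sideloaded fake, so confirm a flagged package's signer with `apksigner verify --print-certs` against the fingerprint the vendor publishes before removing anything.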

But in a region where digital freedoms are routinely policed and app choices are limited, the lure of unofficial downloads remains strong. As long as trust can be faked and privacy is at a premium, the masquerade is likely to continue.

In the end, the greatest threat may not be the spyware itself, but the climate of suspicion and scarcity that lets it thrive. For UAE users, vigilance is now as essential as a secure password.

WIKICROOK

  • APK: An APK (Android Package) is the file format every Android app is installed from. Installing one obtained outside the official Play Store, known as sideloading, bypasses the store's review and is risky unless the file comes from a trusted source.
  • Spyware: Spyware is software that secretly monitors or steals information from your device without your consent, putting your privacy and data at risk.
  • Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
  • Command and Control (C&C) Server: A Command and Control (C&C) Server is a remote system that directs malware and collects stolen data from infected devices in a cyberattack.
  • Encryption: Encryption transforms readable data into coded text to prevent unauthorized access, protecting sensitive information from cyber threats and prying eyes.

CIPHERWARDEN
Cyber Encryption Architect