Android Spyware Campaigns Impersonate Signal and ToTok in UAE: ProSpy and ToSpy Analysis

Alex Cipher, 4 min read

Android users in the United Arab Emirates (UAE) recently found themselves at the center of a sophisticated cyber-espionage campaign. Cybersecurity researchers at ESET uncovered two major spyware operations—ProSpy and ToSpy—masquerading as the trusted messaging apps Signal and ToTok. These campaigns cleverly exploited the popularity and credibility of these platforms, distributing malicious APKs through convincing fake websites that mimicked official download pages. The attackers’ tactics included registering domains and developer certificates as early as 2022, and leveraging techniques like BOOT_COMPLETED broadcast registration to ensure persistence on infected devices. The campaigns’ focus on the UAE is no coincidence, given ToTok’s controversial history in the region and Signal’s global reputation for privacy. The result: a potent threat to user privacy and security, with the potential for widespread data theft and surveillance (BleepingComputer, 2025).

The ProSpy and ToSpy Campaigns: Discovery and Analysis

Origins and Development

The ProSpy and ToSpy campaigns represent a sophisticated attempt to exploit Android users by impersonating popular messaging applications, Signal and ToTok. The campaigns were discovered by researchers at ESET, a cybersecurity company, who identified these threats in June 2025. However, evidence suggests that the ToSpy campaign may have originated as far back as 2022. This assertion is supported by the discovery of a developer certificate created on May 24, 2022, and a domain used for distribution and command-and-control (C2) registered on May 18, 2022. Additionally, samples related to the campaign were uploaded to the VirusTotal scanning platform on June 30, 2022 (BleepingComputer).

Techniques and Tactics

The operators of the ProSpy and ToSpy campaigns employed a variety of techniques to avoid detection and maintain persistence on infected devices. One notable tactic was the use of fake websites that closely resembled the official download pages for Signal and ToTok. For instance, the malicious APK files were distributed through websites such as https://signal.ct[.]ws and https://encryption-plug-in-signal.com-ae[.]net/, which impersonated the official Signal website. Similarly, fake pages mimicking the Samsung Galaxy Store were used, including store.latestversion[.]ai and https://store.appupdate[.]ai (BleepingComputer).

To further enhance its stealth and persistence, the spyware registered a receiver for the BOOT_COMPLETED broadcast, allowing it to restart after a device reboot without any user interaction. This ensured that the spyware remained active across restarts, making it harder for users to detect and remove the threat (BleepingComputer).
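Both tactics described above, a fake download site standing in for the real publisher and a BOOT_COMPLETED receiver for persistence, leave traces in the APK's manifest that a defender can check before installing or while triaging a sample. The following Python snippet is an added example, not code from ESET's report or from this page: it parses a decoded AndroidManifest.xml (as produced by apktool, with the app label already resolved) and reports whether the app auto-starts on boot and whether its label claims a brand whose official package name it does not carry. The manifest text and the package name com.example.fakesignal are constructed; Signal's official package name org.thoughtcrime.securesms is the one fact assumed from outside the page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
# Brand keyword -> the publisher's real package name. Signal's is well known;
# add other impersonated brands only after verifying their official package.
OFFICIAL_PACKAGES = {"signal": "org.thoughtcrime.securesms"}


def _attr(el, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get(f"{{{ANDROID_NS}}}{name}", "")


def triage_manifest(xml_text):
    """Triage a decoded AndroidManifest.xml (e.g. apktool output, with the
    app label already resolved) for boot persistence and brand mismatch."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    label = _attr(app, "label") if app is not None else ""
    perms = {_attr(u, "name") for u in root.findall("uses-permission")}
    boot_receivers = [
        _attr(r, "name") for r in root.iter("receiver")
        if any(_attr(a, "name") == BOOT_ACTION for a in r.iter("action"))
    ]
    brand = next((b for b in OFFICIAL_PACKAGES if b in label.lower()), None)
    return {
        "package": pkg,
        "boot_receivers": boot_receivers,
        # Restarts after reboot with no user interaction: the persistence trick.
        "boot_persistence": BOOT_PERMISSION in perms and bool(boot_receivers),
        # Label claims a brand but the package is not the publisher's own one.
        "impersonates": brand if brand and pkg != OFFICIAL_PACKAGES[brand] else None,
    }


# Constructed sample: a fake "Signal" build under a made-up package name.
FAKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesignal">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Signal">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

A boot receiver on its own is common in legitimate messengers, so `boot_persistence` alone is not a verdict; the combination with a brand label on a non-publisher package, installed from a site outside the official stores, is what merits a closer look.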

Targeted Regions and Demographics

The primary targets of the ProSpy and ToSpy campaigns were users in the United Arab Emirates (UAE). This focus is likely due to the popularity of ToTok in the region, despite its controversial history. ToTok, developed by the UAE-based artificial intelligence company G42, was removed from the Apple and Google app stores in 2019 following allegations of being a spying tool for the UAE government. Despite these allegations, ToTok remains available for download from its official website and third-party app stores (BleepingComputer).

Impact and Consequences

The impact of the ProSpy and ToSpy campaigns is significant, as they have the potential to compromise the privacy and security of a large number of Android users. By impersonating trusted messaging applications, the campaigns can lure users into downloading malicious software that can steal sensitive data. Signal, for instance, is a popular end-to-end encrypted messenger with over 100 million downloads on Google Play, making it an attractive target for cybercriminals seeking to harvest personal information (BleepingComputer).

Mitigation and Recommendations

To protect against threats like ProSpy and ToSpy, Android users are advised to download apps only from official or trusted repositories, such as the Google Play Store, or directly from the publisher’s website. Additionally, keeping the Play Protect service active on devices can help disable known threats. ESET has shared a comprehensive list of indicators of compromise (IoCs) associated with these campaigns, which can aid in the detection and removal of the spyware (BleepingComputer).

In conclusion, the ProSpy and ToSpy campaigns highlight the ongoing threat posed by sophisticated spyware targeting popular applications. By understanding the tactics and techniques used by these campaigns, users can take proactive steps to protect their devices and personal information from compromise.

Final Thoughts

The ProSpy and ToSpy campaigns serve as a stark reminder that even the most trusted apps can be weaponized by cybercriminals. By impersonating Signal and ToTok, attackers exploited both user trust and regional app preferences, demonstrating the evolving sophistication of mobile threats. For users, the lesson is clear: always verify app sources, stick to official stores, and stay informed about emerging threats. As spyware campaigns grow more cunning, proactive defense—like enabling Play Protect and monitoring for indicators of compromise—remains essential. For a deeper dive into the technical details and mitigation strategies, check out the full report by ESET and coverage from BleepingComputer.