Two new spyware operations, dubbed ProSpy and ToSpy, have been discovered luring Android users with fake updates and plugins for the Signal and ToTok messaging apps to steal sensitive data.
Targeting and Distribution
The malicious campaigns are targeting users primarily in the United Arab Emirates (UAE). To appear legitimate, the threat actor distributed the spyware through fraudulent websites that closely impersonated the official Signal and ToTok platforms. ToTok, developed by the UAE-based company G42, was previously removed from app stores over spying allegations but is currently available through its official site and third-party stores.
Researchers at ESET identified the campaigns, which they believe may have started as early as 2022 for ToSpy and 2024 for ProSpy. The campaigns use two previously unknown spyware families disguised as a "Signal Encryption Plugin" and a "ToTok Pro" variant, neither of which actually exists.
Spyware Functionality and Stealth
When executed, both malware families request permissions typical of messenger apps, such as access to contacts, SMS, and files. Once active on a device, the spyware aggressively exfiltrates the following data:
- Device information: hardware, operating system, and IP address.
- Stored SMS texts and contact lists.
- Files: audio, documents, images, and videos.
- ToTok backup files.
- List of installed applications.
To avoid detection, the ProSpy malware, disguised as the Signal plugin, uses the 'Play Services' icon and label. Tapping the icon simply opens the information screen for the legitimate Google Play Services app. Similarly, when the ToSpy malware is opened, it launches the real ToTok app to avoid arousing user suspicion.
Persistence Mechanisms
Both spyware families employ three sophisticated methods to maintain persistence on infected devices:
- Abusing the 'AlarmManager': this Android system API is used to automatically restart the malware if the system kills its process.
- Using a foreground service: a persistent notification keeps the process running as a high-priority service.
- Registering for BOOT_COMPLETED events: this allows the spyware to restart automatically after a device reboot without any user interaction.
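The permission set, the impersonated 'Play Services' label and two of the three persistence mechanisms above are all visible in an app's manifest, so they can be triaged before installation. The following script is an added example written for this article; it is not ESET's tooling nor code from either spyware family. It assumes the input is an AndroidManifest.xml as decoded by apktool (label given as a literal string rather than a string resource), and both sample manifests below are constructed for illustration. AlarmManager abuse is a code-level behaviour with no manifest footprint, so it is deliberately not scored.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """Qualified attribute name for the android: namespace, as ElementTree keys it."""
    return "{%s}%s" % (ANDROID_NS, name)


BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
FOREGROUND_PERMISSION = "android.permission.FOREGROUND_SERVICE"

# Data the article says both families collect. A real messenger may legitimately
# ask for all three, so this is a weak signal on its own.
DATA_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Labels the ProSpy sample borrowed, mapped to the package that legitimately owns
# them (assumption: Google Play Services ships as com.google.android.gms).
LABEL_OWNERS = {
    "play services": "com.google.android.gms",
    "google play services": "com.google.android.gms",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, a dict of findings, and a score (number of findings)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {e.get(attr("name")) for e in root.iter("uses-permission")}
    findings = {}

    # Receivers registered for BOOT_COMPLETED restart the app after a reboot.
    boot_receivers = [
        r.get(attr("name"))
        for r in root.iter("receiver")
        if any(a.get(attr("name")) == BOOT_ACTION for a in r.iter("action"))
    ]
    if boot_receivers or BOOT_PERMISSION in requested:
        findings["boot_persistence"] = boot_receivers

    # A service with a foreground type is meant to stay alive behind a notification.
    fg_services = [
        s.get(attr("name")) for s in root.iter("service")
        if s.get(attr("foregroundServiceType"))
    ]
    if fg_services or FOREGROUND_PERMISSION in requested:
        findings["foreground_service"] = fg_services

    # A system-looking label on a package that is not the system's own is impersonation.
    app = root.find("application")
    label = (app.get(attr("label"), "") if app is not None else "").strip().lower()
    owner = LABEL_OWNERS.get(label)
    if owner and package != owner:
        findings["label_impersonation"] = {"label": label, "expected_package": owner}

    if DATA_PERMISSIONS <= requested:
        findings["messenger_data_permissions"] = sorted(DATA_PERMISSIONS)

    return {"package": package, "findings": findings, "score": len(findings)}


# Constructed sample: the shape a fake "Signal plugin" manifest would take.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplugin">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Play Services">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".UploadService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>"""

# Constructed sample: a plain app with none of the indicators.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

A score of two or more (persistence plus either impersonation or the full data-permission set) is a reasonable threshold for pulling an APK aside for manual review; a single finding is common in legitimate apps.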
While attribution for the attacks remains inconclusive, Android users are strongly advised to download apps only from official or trusted repositories and to keep Google Play Protect enabled so that it can detect and disable known threats.