Attackers are abusing the reputation of a locally trusted messaging app to distribute Android spyware across the UAE.
Researchers at ESET have uncovered two families of mobile spyware—ToSpy and ProSpy—that are being distributed as fake “Pro” editions of the ToTok app. ToTok, developed by G42 and promoted in the UAE as a secure local messaging and VoIP service, has long held cultural traction in the country. That local trust, combined with the app’s continued availability outside Google Play, appears to have made it an attractive cover for copycat spyware campaigns.
How the deception works
Both ToSpy and ProSpy are pushed through English-language phishing sites that present the malware as an enhanced version of ToTok. Users who sideload these apps on Android receive Google’s standard warning about installing apps from unknown sources — the same warning a legitimate ToTok download triggers when the app is installed outside the Play Store. Because the warning is expected, it is less likely to deter victims.
Once installed, the malicious apps request a broad set of invasive permissions. If granted, the malware exfiltrates sensitive data — including device metadata, contacts, SMS histories, and a range of files (audio, video, documents, archives) — to attacker-controlled servers. ProSpy has also been observed attempting to impersonate Signal in some campaigns.
A campaign built on plausibility
ESET’s Lukáš Štefanko notes the malware families are not technically advanced — they lack sophisticated obfuscation or memory-only execution — but that simplicity can be an asset. On poorly protected devices, straightforward malware can be highly effective, especially when the social engineering is convincing. The malicious apps also perpetuate the ruse by launching legitimate apps (or redirecting users to download them), which helps maintain the illusion of authenticity while data is siphoned in the background.
Timeline and scale
ESET’s telemetry ties ProSpy activity to at least 2024 and ToSpy to 2022. Little is publicly known about the campaign operators or specific victim profiles beyond the country of origin, but the multi-year span indicates a sustained effort.
Why ToTok became convenient cover
ToTok’s popularity in the UAE and its distribution channels are key enablers. After a 2019 controversy, ToTok was removed from major app stores, yet it continued to circulate via the vendor’s website and alternate app stores (Samsung, Huawei, etc.). Because legitimate users are accustomed to obtaining the app outside Google Play, the environment is ripe for convincing imitations and phishing funnels that mimic official downloads or third-party stores.
Takeaway
The campaigns leveraging ToTok’s brand underscore a familiar pattern: social engineering plus plausible technical behavior can make even unsophisticated spyware effective. Users should avoid installing apps from unverified sources, scrutinize download sites, and adopt protections such as Play Protect, application whitelisting, and device-level monitoring to limit exposure.