391/68 Wednesday, October 8, 2025
Researchers from ESET have issued a warning to Android smartphone users in the United Arab Emirates (UAE) after discovering a spyware campaign disguised as the popular messaging apps Signal and ToTok. The spyware is distributed as APK files that victims are tricked into installing manually from fake websites and third-party download sources. These malicious sites mimic the look and branding of the legitimate services to deceive users into installing the apps.
The malware consists of two families:
- ProSpy (Android/Spy.ProSpy) – disguised as a fake Signal plugin and a “ToTok Pro Add-on.”
- ToSpy (Android/Spy.ToSpy) – impersonating the ToTok app directly.
Both spyware variants are capable of stealing a wide range of data, including device information, SMS messages, contact lists, installed app lists, files, and even chat backups. ToSpy is specifically designed to target ToTok backup files to extract complete conversation histories and transmit them to the attackers’ Command & Control (C2) servers.
ESET noted that this threat is not new, with samples dating back to mid-2022 and active servers still operating in 2025. A significant risk is that some fake app versions change their name and icon to Google Play Services after installation, making them harder for users to detect and remove.
Researchers advise users to only download apps from official app stores, disable installations from unknown sources, and keep Google Play Protect enabled. Google has since updated Play Protect to automatically block these spyware families on supported Android devices.
Source https://hackread.com/spyware-fake-signal-totok-apps-uae-android-users/
