Fake Signal and ToTok Apps Deliver Spyware to Privacy-Focused Users in UAE

Spyware disguised as Signal and ToTok apps targets UAE Android users seeking secure messaging. Active campaign steals contacts, messages, files.

Privacy-conscious Android users in the United Arab Emirates are being targeted by sophisticated spyware campaigns disguised as secure messaging apps, according to new research from ESET.

The campaign distributes two previously undocumented malware families—ProSpy and ToSpy—through convincing fake websites impersonating Signal's encryption plugins and ToTok messaging upgrades. Neither malicious app appears in official app stores, instead relying on deceptive third-party sites, including one mimicking Samsung's Galaxy Store.

Once installed, both spyware variants immediately request access to contacts, SMS messages, and device storage. The malware then cleverly redirects users to download legitimate versions of Signal or ToTok, creating an illusion of authenticity while secretly operating in the background.

ProSpy, discovered in June 2025 but likely active since 2024, masquerades as "Signal Encryption Plugin" and "ToTok Pro." After installation, it changes its icon to appear as "Play Services," making detection difficult for average users.

ToSpy, active since at least mid-2022, specifically targets ToTok users by stealing .ttkmbackup files (the app's chat backup format), suggesting attackers are after communication history. The spyware collects documents, photos, videos, contacts, and SMS messages, encrypts them with AES, and sends them to command-and-control servers that remain operational.

"These campaigns demonstrate sophisticated social engineering targeting users who specifically seek secure communication tools," the researchers noted. The attacks appear regionally focused on UAE residents, exploiting ToTok's removal from official app stores in 2019 over surveillance concerns.

Google Play Protect automatically blocks known versions of this spyware on devices with Google Play Services. However, users should never download apps from unofficial sources or enable "install from unknown sources" in their Android settings.
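For teams that manage Android fleets, the traits described above (the lure names, the "Play Services" disguise, sideloading, and the contacts/SMS/storage requests) can be turned into a simple inventory triage. The following is an added example, not code from ESET or the article; the record fields (`package`, `label`, `installer`, `permissions`) and the sample package names are constructed assumptions about what an MDM export might contain.

```python
# Added triage example; field names and sample package names are constructed.
LURE_LABELS = {"signal encryption plugin", "totok pro"}  # names from the article
DISGUISE_LABEL = "play services"             # label ProSpy switches to
GMS_PACKAGE = "com.google.android.gms"       # genuine Google Play services
PLAY_INSTALLER = "com.android.vending"       # installer recorded by Play Store
SENSITIVE = {                                # contacts, SMS and storage access
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
}

SAMPLE_INVENTORY = [  # constructed records, not real indicators
    {"package": GMS_PACKAGE, "label": "Google Play services",
     "installer": PLAY_INSTALLER, "permissions": sorted(SENSITIVE)},
    {"package": "com.example.plugin", "label": "Signal Encryption Plugin",
     "installer": None, "permissions": sorted(SENSITIVE)},
    {"package": "com.example.services", "label": "Play Services",
     "installer": None, "permissions": sorted(SENSITIVE)},
    {"package": "org.example.notes", "label": "Notes",
     "installer": None,
     "permissions": ["android.permission.READ_EXTERNAL_STORAGE"]},
]


def triage(inventory):
    """Return {package: [reasons]} for apps matching the article's traits."""
    findings = {}
    for app in inventory:
        label = app.get("label", "").strip().lower()
        reasons = []
        if label in LURE_LABELS:
            reasons.append("lure-label")
        # A "Play Services" label on any package other than the real one.
        if DISGUISE_LABEL in label and app["package"] != GMS_PACKAGE:
            reasons.append("play-services-lookalike")
        # Not installed by the Play Store and holding all three permissions.
        sideloaded = app.get("installer") != PLAY_INSTALLER
        if sideloaded and SENSITIVE <= set(app.get("permissions", [])):
            reasons.append("sideloaded-with-contacts-sms-storage")
        if reasons:
            findings[app["package"]] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_INVENTORY).items():
        print(pkg, ", ".join(reasons))
```

Preinstalled system apps often have no installer recorded, so the sideloading rule on its own is a lead for review rather than a verdict.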
