Cybersecurity researchers at ESET reported two mobile spyware campaigns targeting Android users in the United Arab Emirates that trick victims into installing fake versions of Signal and ToTok and then steal personal data.
ESET said one malware strain, tracked as ProSpy (Android/Spy.ProSpy), was offered as a fake Signal “encryption plugin” and as a ToTok Pro add-on, while a second strain, ToSpy (Android/Spy.ToSpy), impersonates ToTok itself. Neither app appears in official app stores; victims must manually install APK files from cloned websites or third‑party pages designed to look like legitimate services.
The article noted that ToTok has a controversial history: according to reporting in December 2019, it was a UAE‑developed messaging app accused of spying on users and was removed from Apple and Google stores, and it is now available only through unreliable third‑party sources.
ESET described the campaigns as social engineering operations that copy brand elements such as logos, onboarding screens and store layouts to gain trust. In its technical blog post, ESET said that in some cases the fake Signal app even changes its icon and name to look like Google Play Services after setup, which can make the apps harder to spot and remove.
When the spyware runs, it requests permissions commonly used by legitimate apps, and if they are granted, it collects device details, SMS messages, contact lists, installed app lists and files including chat backups. ESET said ToSpy was observed targeting ToTok backup files in particular. Collected data is encrypted with a hardcoded AES key and sent to command‑and‑control servers, the company reported.
ESET’s telemetry and domain data trace samples back to mid‑2022, with ongoing activity and active command‑and‑control servers detected in 2025, the article said. ESET shared its findings with Google and, according to the report, Play Protect now blocks known variants of these spyware families on Android devices that use Google Play Services. ESET recommended that users stick to official app stores, avoid enabling installation from unknown sources and keep Google Play Protect turned on when available.
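For defenders triaging a device, the two traits described above (installation from outside an official store, and granted access to SMS, contacts, files and the app list) can be checked together. The following is an added example, not code from ESET or the article; the package names, the sample `dumpsys package` text, the permission-to-category mapping and the two-permission threshold are all assumptions, and the `dumpsys` field layout varies by Android version.

```python
import re

# Assumption: these permissions map to the data categories the report lists
# (SMS, contacts, files/backups, installed-app list).
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.QUERY_ALL_PACKAGES",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# Constructed, trimmed `dumpsys package` output for two hypothetical packages.
SAMPLE_DUMPS = {
    "sideloaded": """\
  Package [com.example.chat.plugin] (1a2b3c):
    installerPackageName=com.google.android.packageinstaller
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
      android.permission.POST_NOTIFICATIONS: granted=false, flags=[ USER_SET ]
""",
    "store": """\
  Package [com.example.notes] (4d5e6f):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
""",
}

def triage(dump: str, min_hits: int = 2) -> dict:
    """Summarise one package: install source plus granted sensitive permissions."""
    pkg = re.search(r"Package \[([\w.]+)\]", dump)
    inst = re.search(r"installerPackageName=(\S+)", dump)
    installer = inst.group(1) if inst else "null"  # missing field: treat as unknown
    granted = set(re.findall(r"^\s*([\w.]+): granted=true", dump, re.M))
    hits = sorted(granted & SENSITIVE)
    sideloaded = installer not in TRUSTED_INSTALLERS
    return {
        "package": pkg.group(1) if pkg else None,
        "installer": installer,
        "sideloaded": sideloaded,
        "sensitive_granted": hits,
        # Legitimate apps hold these permissions too; this marks items for review only.
        "review": sideloaded and len(hits) >= min_hits,
    }
```

On a real device, the input for `triage` would be the text returned by `adb shell dumpsys package <package>` for each third-party package.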