Researchers from ESET have recently discovered two families of spyware, identified as ProSpy and ToSpy, that impersonate the popular messaging applications Signal and ToTok and appear to target residents of the United Arab Emirates. Experts revealed that these malware campaigns were detected in June, although they are believed to date back to early last year.
Be very careful with what you install on your mobile
ToTok, which had been widely criticized for being a spying tool of the UAE government, was discontinued in 2020 following an investigation by the New York Times. The spyware, however, is presented as an improved version of that application, called ToTok Pro. When this malware is downloaded, it requests permissions to access contacts, text messages, and stored files, allowing the leakage of sensitive information, including device data and multimedia content.
It is important to note that the infected applications were not available in the official app stores. Instead, manual installation from third-party sites that mimicked legitimate services was required. For example, one of these malicious sites imitated Samsung’s Galaxy Store, leading users to install fraudulent versions of the ToTok application.
The confirmed detections of this spyware in the UAE, along with the use of phishing techniques and fake app stores, suggest that attackers are carrying out strategic operations focused on this region. This is not the first time a similar phenomenon has been observed: in the past, ESET has documented malware concealed in fake updates for apps such as WhatsApp and on sites that pretend to offer Telegram.

According to ESET’s research, because the popularity of the ToTok app was concentrated in the UAE, and considering the impersonation tactics used, it is reasonable to think that users in this region are the primary target of these spyware campaigns.