
Android spyware campaigns impersonate Signal and ToTok messengers


Two new spyware campaigns that researchers call ProSpy and ToSpy lured Android users with fake upgrades or plugins for the Signal and ToTok messaging apps to steal sensitive data.

To give the malicious files a sense of legitimacy, the threat actor distributed them through websites that impersonated the two communication platforms.

Signal is a popular end-to-end encrypted messenger with more than 100 million downloads on Google Play.

ToTok is developed by the UAE-based artificial intelligence company G42 and was kicked out of the Apple and Google app stores in 2019 after allegations of being a spying tool for the UAE government.

Currently, ToTok is available for download from its official website and third-party app stores.

Stealth and persistence

Researchers at cybersecurity company ESET discovered the ProSpy campaign in June, but they believe the activity may have been ongoing since at least 2024. Based on their analysis, the malicious campaigns are targeting users in the United Arab Emirates.

During the investigation, they discovered "two previously undocumented spyware families" that pretend to be a Signal Encryption Plugin and a Pro variant of the ToTok app, neither of which exists.

The operator of the spyware campaign distributed the malicious APK files through web pages that impersonated the official Signal website (https://signal.ct[.]ws and https://encryption-plug-in-signal.com-ae[.]net/) and the Samsung Galaxy Store (store.latestversion[.]ai and https://store.appupdate[.]ai).

Fake Signal plugin website
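For defenders who want to check DNS or proxy logs for the distribution hosts listed above, the following is an added example, not code from ESET or the original article. It refangs the indicators as printed and matches them on label boundaries, so subdomains of a listed host hit while lookalike prefixes do not. The log format (timestamp, client, queried host) and the sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit

# Indicators exactly as printed in the article (defanged).
ARTICLE_INDICATORS = [
    "https://signal.ct[.]ws",
    "https://encryption-plug-in-signal.com-ae[.]net/",
    "store.latestversion[.]ai",
    "https://store.appupdate[.]ai",
]

def refang(indicator):
    """Undo common defanging and return a bare lowercase hostname."""
    text = indicator.replace("[.]", ".").replace("hxxp", "http")
    if "://" not in text:
        text = "//" + text  # lets urlsplit treat a bare host as the netloc
    return (urlsplit(text).hostname or "").rstrip(".").lower()

BLOCKED_HOSTS = {refang(i) for i in ARTICLE_INDICATORS}

def matches_indicator(host):
    """True if host is a listed host or a subdomain of one (label boundary)."""
    host = host.rstrip(".").lower()
    return any(host == bad or host.endswith("." + bad) for bad in BLOCKED_HOSTS)

def hunt(log_lines):
    """Return (client, host) pairs from 'timestamp client host' lines that hit."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) == 3 and matches_indicator(parts[2]):
            hits.append((parts[1], parts[2]))
    return hits

# Constructed sample DNS log lines (assumed format: timestamp client queried-host).
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z 10.0.0.5 signal.org",
    "2025-01-01T10:00:02Z 10.0.0.7 Signal.CT.ws.",
    "2025-01-01T10:00:05Z 10.0.0.9 cdn.store.appupdate.ai",
    "2025-01-01T10:00:09Z 10.0.0.5 mystore.appupdate.ai",
    "2025-01-01T10:00:11Z 10.0.0.8 encryption-plug-in-signal.com-ae.net",
]

if __name__ == "__main__":
    for client, host in hunt(SAMPLE_LOG):
        print(f"{client} queried {host}")
```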
