ESET Unveils Android Spyware Campaigns Targeting Secure Communication App Users
Recently, ESET researchers have uncovered two Android spyware campaigns that specifically target individuals interested in secure communication apps like Signal and ToTok. These campaigns utilize deceptive websites and social engineering tactics and seem to be focused on residents of the United Arab Emirates (UAE).
Through our investigation, we identified two previously unknown spyware families – Android/Spy.ProSpy, which poses as upgrades or plugins for Signal and ToTok messaging apps, and Android/Spy.ToSpy, which impersonates the ToTok app.
Interestingly, neither of the spyware-containing apps were found on official app stores; instead, they required manual installation from third-party websites masquerading as legitimate services. One of the websites distributing the ToSpy malware family even imitated the Samsung Galaxy Store to deceive users into downloading a malicious version of the ToTok app.
Once installed, both spyware families establish persistence on compromised Android devices and continuously extract sensitive data and files. Notably, ToSpy targets the “.ttkmbackup” file extension used for storing ToTok data backups, indicating a specific interest in extracting chat history or app data. The ToSpy campaigns are still active, as evidenced by the continued operation of their C&C servers.
As a partner of the App Defense Alliance, we promptly shared our findings with Google. Android users are automatically safeguarded against known versions of this spyware thanks to Google Play Protect, which comes enabled by default on Android devices with Google Play Services.
Summary of Key Points:
- We have unveiled two previously undiscovered Android spyware families: Android/Spy.ProSpy and Android/Spy.ToSpy.
- ProSpy pretends to be both Signal and ToTok, while ToSpy exclusively targets ToTok users.
- Both spyware families aim to extract user data, including documents, media, files, contacts, and chat backups.
- Confirmed detections in the UAE, along with the use of phishing and fake app stores, indicate regionally targeted operations with strategic delivery mechanisms.
ProSpy Campaign Details
The ProSpy campaign was first observed in June 2025, but we suspect it has been active since 2024.
Our investigation revealed that ProSpy was being spread through three deceptive websites that impersonated the communication platforms Signal and ToTok. These sites offered malicious APKs disguised as enhancements, labeled as Signal Encryption Plugin and ToTok Pro.
Initial Distribution Channels
Signal Encryption Plugin
In June 2025, we identified two Android spyware samples masquerading as the (nonexistent, legitimate) Signal Encryption Plugin app. These samples were distributed via phishing through two dedicated websites (https://signal.ct[.]ws and https://encryption-plug-in-signal.com-ae[.]net), as shown in Figure 1. The malicious app was only available in the form of an Android app that required users to allow manual installation from unknown sources.

Although the samples were distributed via different domains, they shared the same malicious code. The use of a domain ending in “ae.net” suggests that the campaign may be targeting individuals in the UAE, as “AE” is the country code for the UAE.
ToTok Pro
Further investigation uncovered five additional malicious APKs using the same spyware codebase, posing as an upgraded version of the ToTok messaging app called ToTok Pro. One of the samples was initially distributed through a fake website with the URL https://totok-pro[.]io/totok_pro_release_v2_8_8_10330.apk. The distribution methods for the other four samples remain unknown.

ToTok, a messaging and calling app developed in the UAE, was removed from Google Play and Apple’s App Store in December 2019 due to surveillance concerns. Given that its user base primarily resides in the UAE, we suspect that ToTok Pro is targeting users in this region who may be more inclined to download the app from unofficial sources.
Execution Process

Upon execution, both malicious apps request permissions to access contacts, SMS messages, and stored files on the device. Once granted, ProSpy initiates data exfiltration in the background. The following steps are taken to make the apps appear legitimate and prevent their uninstallation.
ToTok Pro Spyware
When the ToTok Pro app is launched, it displays a Welcome to ToTok Pro screen that closely resembles the legitimate ToTok app’s onboarding process, as shown in Figure 4.

This screen features a CONTINUE button, which, when pressed, opens the official ToTok download page in the browser, suggesting that the user download and install the authentic ToTok app. This redirection is intended to reinforce the appearance of legitimacy. Subsequent launches of the malicious ToTok Pro app will instead open the genuine ToTok app, effectively concealing the spyware’s presence. However, the user will still see both apps installed on the device (ToTok and ToTok Pro, as depicted in Figure 5), which could raise suspicion.

Signal Encryption Plugin Spyware
Upon launching the Signal Encryption Plugin app, an ENABLE button is displayed to proceed. Pressing the button opens the legitimate Signal app. If the app is not installed, a request is sent to open a genuine signal.org link in the browser, as shown in Figure 6. Users can then download and install the Signal app from there.


Contrary to ToTok Pro, once Signal Encryption Plugin is executed and all requested permissions are enabled, its app icon and name on the device home screen change to Play Services. This is achieved by using activity-alias defined in AndroidManifest.xml that acts as an alternative entry point for an existing activity. Instead of creating a new activity, a developer can create an alias with its own icon and label (the label shown on the home screen). The key to changing the app’s appearance is that an app can have multiple aliases defined in its manifest, but only one can be the active launcher at a time. By programmatically enabling a new alias and disabling the old one, the app can change its icon and name on the home screen without reinstalling or updating.

Once the user taps the Play Services icon, it opens the App info screen of a legitimate Google Play Services app.
The second active domain initiated the download of the ToSpy app after the user clicked on OK, as depicted in Figure 13.
Upon execution, the malicious ToTok app requested permissions to access contacts and device storage, misleadingly stating that these permissions were necessary for the app to function correctly. These permissions were crucial for ToSpy to operate, granting it access to sensitive data.
After receiving permissions, the malware sent the compromised device information to the C&C server and awaited further instructions. Upon receiving the command to proceed, ToSpy began data exfiltration.
The app also checked for the availability of an updated version of the spyware by sending a request to https://spiralkey[.]co/totok_update/totokversion.php.
If a newer version was found, the app tried to download it from the hardcoded link https://spiralkey[.]co/totok_update/totok_pro.apk. The user was then prompted to manually install the downloaded APK (Figure 16).
During our analysis, we were unable to retrieve the file from this link, preventing us from confirming whether it was an updated version of the spyware or a different malicious payload.
Similarly to ProSpy, ToSpy included tactics to deceive the victim into believing the malware was a legitimate app. If the official ToTok app was not installed on the device, ToSpy attempted to redirect the user to the Huawei AppGallery (Figure 17), suggesting the official ToTok app download. However, the app no longer seemed available in the app store, potentially causing confusion for the user.
If the official ToTok app was already installed, every time the malicious app was launched, it displayed a Checking for update screen before seamlessly launching the official ToTok app, masking its malicious activities. After the device reboots, the spyware automatically restarts its background services, ensuring it remains active without the need for user interaction. These tactics may not be highly advanced, but they are effective in maintaining the spyware’s continuous operation, maximizing data theft opportunities, and keeping the user unaware of its presence.
In conclusion, we have identified two Android spyware campaigns targeting users in the UAE – Android/Spy.ProSpy and Android/Spy.ToSpy. Both campaigns use similar tactics such as impersonating legitimate apps, employing social engineering techniques, requiring manual installation, running persistent background services, and having extensive data exfiltration capabilities. Despite these similarities, we track them separately due to differences in their delivery methods and infrastructure.
ProSpy is spread through fake add-ons and plugins for Signal and ToTok, while ToSpy only mimics the ToTok messaging app. The ToSpy campaign is still active, with ongoing distribution domains and C&C servers, although attribution remains uncertain.
Users are advised to be cautious when downloading apps from unofficial sources and to avoid enabling installations from unknown sources. They should also be wary of installing apps or add-ons from outside official app stores, especially those claiming to enhance trusted services.
For any inquiries about our research on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research provides private APT intelligence reports and data feeds. sentence: “The quick brown fox jumps over the lazy dog.”
Rewritten sentence: “The fast brown fox leaps over the relaxed dog.” sentence: “The cat jumped onto the counter and knocked over a vase.”
The cat leaped onto the counter and caused a vase to fall over. Rewrite the sentence:
“The cat chased the mouse around the house.”
“The mouse was chased around the house by the cat.”
