ProSpy Spyware
Cybersecurity researchers have uncovered a sophisticated Android spyware campaign known as ProSpy, which specifically targets users in the United Arab Emirates (U.A.E.) by impersonating popular messaging apps such as Signal and ToTok. The campaign relies on deceptive tactics to trick users into installing malicious software, bypassing official app stores.
How ProSpy Spreads
The ProSpy malware is distributed through fake websites and social engineering rather than through any app store: victims are persuaded to download an APK file manually and install it themselves. None of the malicious apps has ever been listed on Google Play, so infection always requires the user to sideload the package from a third-party source and to allow installation from unknown sources on the device.
The campaign was first identified in June 2025 and is believed to have been active since 2024. Its websites masquerade as Signal and ToTok and offer booby-trapped APK files presented as add-ons or upgraded editions of the real apps, under names such as Signal Encryption Plugin and ToTok Pro. Neither product exists as a legitimate offering from the respective vendors; the names are chosen to sound like a plausible premium or security feature.
Historical Context: Why ToTok Was a Target
The use of ToTok as a lure is particularly strategic. ToTok was removed from Google Play and the Apple App Store in December 2019 amid allegations that it functioned as a surveillance tool for the U.A.E. government, collecting users' conversations, location data, and other personal information.
The developers of ToTok have consistently denied these claims, framing the app's removal as market manipulation and asserting that the software does not spy on its users.
Capabilities of the Malicious Apps
The ProSpy apps are designed to request extensive device permissions, including access to:
- Contacts
- SMS messages
- Files stored on the device
With those permissions granted, the spyware exfiltrates device information, contacts, SMS messages, files, chat backups, and the list of installed applications. Researchers also observed a second, separately tracked Android spyware family active in the same region during the same period, which points to sustained, region-specific targeting of U.A.E. users.
Deceptive Redirection to Mask Malicious Activity
The campaign uses redirection tricks that make the apps look legitimate and reduce the chance that the victim notices anything wrong:
ToTok Pro
- The app shows a 'CONTINUE' button that sends the user to the official ToTok download page, so the victim ends up with a working copy of the real app.
- Subsequent launches of the malicious app simply open the legitimate ToTok app, which hides the spyware behind the expected behaviour.
- A victim may notice two apps on the device (ToTok and ToTok Pro); the extra entry is the one visible tell-tale sign.
Signal Encryption Plugin
- The app shows an 'ENABLE' button that sends the user to the official Signal website.
- Once the requested permissions are granted, the rogue app changes its icon and name to Google Play Services, further masking its presence. A practical check is to look in the device's app list for a "Google Play Services" entry whose package name is not com.google.android.gms, the package used by the genuine Google service.
In both cases the data theft does not wait for the user to press the button: contacts, messages, files and the other data listed above are collected and sent out silently as soon as the permissions are granted, before the redirection ever happens.
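To make the two observations above (the contacts/SMS/files permission set, and a launcher identity that changes to "Google Play Services" while the package is not Google's) concrete for triage, here is an added example that is not part of the original report and not ESET's or the attackers' code. It runs a few heuristics over a decoded AndroidManifest.xml, as produced by a tool such as apktool. The sample manifest is constructed for the example; the use of an activity-alias for the icon swap is an assumption about a common implementation, not a documented ProSpy detail, and ToTok's official package name is given as an assumption.

```python
"""Heuristic triage of a sideloaded APK's decoded AndroidManifest.xml.

Added example: constructed sample data, not ProSpy's real manifest.
Decode the APK first (e.g. `apktool d app.apk`), then feed the plain-text
AndroidManifest.xml to triage_manifest().
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(el, name):
    """Read an android:<name> attribute (ElementTree keys them by full URI)."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


# Permissions that together give the collection capability described above.
COLLECTION_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}

# Official package names of the brands being impersonated.
# Signal's and Google Play Services' package names are well known;
# ToTok's is an assumption for this example.
OFFICIAL_PACKAGES = {
    "signal": "org.thoughtcrime.securesms",
    "totok": "ai.totok.chat",
    "google play services": "com.google.android.gms",
}


def _components(app):
    return list(app.iter("activity")) + list(app.iter("activity-alias"))


def triage_manifest(xml_text):
    """Return a list of human-readable findings; empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package") or ""
    findings = []

    # 1. Data-collection permission set (two or more of the sensitive ones).
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    hit = sorted(perms & COLLECTION_PERMS)
    if len(hit) >= 2:
        findings.append("collects contacts/SMS/files: " + ", ".join(hit))

    app = root.find("application")
    if app is None:
        return findings

    # 2. Any label that borrows a known brand while the package is not that brand's.
    labels = [attr(app, "label")] + [attr(c, "label") for c in _components(app)]
    for label in filter(None, labels):
        for brand, official in OFFICIAL_PACKAGES.items():
            if brand in label.lower() and pkg != official:
                msg = f"label {label!r} impersonates {brand} but package is {pkg}"
                if msg not in findings:
                    findings.append(msg)

    # 3. More than one launcher identity: the pattern behind a post-install
    #    icon/name swap (one entry shows the lure name, another the disguise).
    launcher_labels = set()
    for comp in _components(app):
        for flt in comp.iter("intent-filter"):
            cats = {attr(c, "name") for c in flt.iter("category")}
            if "android.intent.category.LAUNCHER" in cats:
                launcher_labels.add(attr(comp, "label") or attr(app, "label"))
    if len(launcher_labels) > 1:
        findings.append(f"multiple launcher identities: {sorted(launcher_labels)}")

    return findings


# Constructed sample manifest mimicking a "ToTok Pro" lure (not a real artifact).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.totokpro">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="ToTok Pro">
    <activity android:name=".MainActivity" android:label="ToTok Pro">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".Disguise" android:targetActivity=".MainActivity"
        android:label="Google Play Services" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

The heuristics are deliberately coarse: a legitimate messaging app also asks for contacts and storage, so the signal is the combination of the permission set with a brand label that does not match the official package, or with several launcher identities. Treat a hit as a reason to pull the APK for manual analysis, not as a verdict.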
Regional Impact and Security Implications
The ProSpy campaign highlights the risk of installing apps from outside official stores and the continued targeting of users in the U.A.E. It also shows how attackers combine a historical controversy (the 2019 ToTok removal) with trust in a well-known brand (Signal) to persuade victims to sideload software that quietly steals their data.