Android Users Targeted: Spyware Disguises as Signal and ToTok Apps in Sophisticated Scam
- John Jordan
- 4 hours ago
Cybersecurity experts have revealed two dangerous Android spyware campaigns that are sweeping across the United Arab Emirates, impersonating trusted communication apps Signal and ToTok. These campaigns lure users via fake websites into sideloading malicious apps not found in any official app store, threatening personal privacy and data security.
Key Takeaways
- Sophisticated fake versions of Signal and ToTok are being distributed as "Signal Encryption Plugin" and "ToTok Pro."
- The campaigns rely on fake websites and social engineering rather than Google Play or the Apple App Store.
- Once installed, the spyware exfiltrates contacts, SMS, files, and detailed device info.
How the Malware Works
The campaigns, named ProSpy and ToSpy, use fake download pages for Signal and ToTok to persuade users to download Android APKs outside official app stores.
The ToTok Pro variant mimics stores like the Samsung Galaxy Store, asking users to upgrade their chat apps.
An official-looking interface tricks users into believing the application is legitimate.
Post-installation, the malware asks for extensive permissions, including access to messages, contacts, and files.
The malicious "Signal" app later changes its icon to look like Google Play Services, further deceiving users.
In addition, if users follow prompts inside these fake apps, they are redirected to the legitimate app’s website, completing the illusion while the spyware quietly collects data.
Persistence and Stealth Tactics
Both ProSpy and ToSpy maintain persistence on devices by:
- Running a foreground service with ongoing notifications.
- Using Android's AlarmManager to automatically restart if disabled.
- Relaunching services after device reboots.
The malware can further mask its presence: subsequent launches of the infected app bring up the genuine app, which hides the spyware's activity. This leaves two app icons visible on the device, however, which might raise suspicion.
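For defenders reviewing a sideloaded APK, the combination described above (broad data permissions plus foreground-service and boot persistence) can be checked in the app's decoded AndroidManifest.xml. The following Python triage is an added example, not code from the researchers or from this article; the permission mapping, the review threshold, and the sample manifests with their package names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: permission names standing in for "messages, contacts, and files".
DATA_PERMS = {
    "android.permission.READ_SMS": "messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "files",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

def triage_manifest(manifest_xml):
    """Flag a decoded manifest that pairs broad data access with persistence."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    data = sorted({DATA_PERMS[p] for p in perms if p in DATA_PERMS})
    # Receivers that wake the app when the device finishes booting.
    boot_receivers = [r.get(NS + "name") for r in root.iter("receiver")
                      if any(a.get(NS + "name") == BOOT_ACTION for a in r.iter("action"))]
    persistence = []
    if "android.permission.FOREGROUND_SERVICE" in perms and root.find(".//service") is not None:
        persistence.append("foreground service")
    if boot_receivers and "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        persistence.append("restart after reboot")
    # AlarmManager restarts are set up in code and do not show in the manifest.
    return {"data_access": data, "persistence": persistence,
            "boot_receivers": boot_receivers,
            "review": len(data) >= 2 and bool(persistence)}

# Constructed sample manifests (hypothetical package names), not taken from real samples.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chatplugin">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".BackupService"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage_manifest(xml))
```

Legitimate messaging apps request many of the same permissions, so a `review` result is a prompt to check where the APK came from, not a verdict on its own.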
Primary Targets and Risks
These campaigns appear to be region-focused, with most victims located in the U.A.E. While the exact scope of victims is unclear, the malware’s capabilities are concerning:
- Theft of chat backups, media files, device info, contacts, and details about other installed apps.
- Sophisticated methods to avoid initial detection by mimicking normal app behavior.
How to Stay Safe
Security researchers urge users to:
- Avoid downloading or installing apps outside the official Google Play or Apple App Store.
- Never enable installation from unknown sources unless absolutely necessary.
- Double-check URLs and only trust verified sources for downloading apps.
- Stay alert for suspicious requests for extensive device permissions.
By practicing caution and using only trusted app sources, Android users can significantly lower their risk of falling for these deceptive spyware campaigns.