Android spyware masquerading as Signal encryption plugins
Cybersecurity researchers have identified two Android spyware campaigns, named ProSpy and ToSpy, which impersonate popular applications like Signal and ToTok to target users in the United Arab Emirates (U.A.E.). Slovak cybersecurity firm ESET reported that these malicious apps are distributed through deceptive websites and social engineering tactics, tricking unsuspecting users into downloading them. Once installed, both spyware strains establish persistent access to compromised Android devices, allowing them to exfiltrate sensitive data. Notably, neither app was available in official app stores; users were required to manually install them from third-party websites masquerading as legitimate services. ESET researcher Lukáš Štefanko highlighted that one of the websites distributing the ToSpy malware mimicked the Samsung Galaxy Store, enticing users to download a malicious version of the ToTok app.
The ProSpy campaign, discovered in June 2025, is believed to have been active since 2024, utilising deceptive websites that impersonate Signal and ToTok to host booby-trapped APK files. These files claim to be upgrades, such as the Signal Encryption Plugin and ToTok Pro. The choice of ToTok as a lure is significant, as the app was removed from Google Play and the Apple App Store in December 2019 due to concerns about its use as a spying tool for the U.A.E. government. The developers of ToTok have since claimed that the removal was an attack against their company. The rogue ProSpy apps request permissions to access contacts, SMS messages, and files, while also exfiltrating device information.
ESET’s telemetry has also flagged the ongoing ToSpy campaign, which began on June 30, 2022, and targets users in the same region. This campaign leverages fake sites impersonating ToTok to deliver malware, focusing on stealing sensitive data, media, contacts, and chat backups.
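
A defender-side triage sketch for the two traits described above (installation from outside an official store, plus requests for contacts, SMS and file access). This is an added example, not ESET's tooling or code from the report. It parses text from `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>`. The function names, the trusted-installer set, the mapping to Android permission names and the two-category threshold are assumptions, and the sample input is constructed.

```python
import re
# Installers treated as official stores (assumption; adjust to policy).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}
# Android permissions covering the data the article says ProSpy requests.
WATCHED = {"android.permission.READ_CONTACTS": "contacts",
           "android.permission.READ_SMS": "sms",
           "android.permission.READ_EXTERNAL_STORAGE": "files"}
PERM_LINE = re.compile(r"^([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)+)(?::.*)?$")

def parse_installers(pm_list_output):
    """Map package -> installer from `pm list packages -3 -i` output."""
    found = {}
    for line in pm_list_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            found[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return found

def parse_requested_permissions(dumpsys_output):
    """Read the 'requested permissions:' section of `dumpsys package <pkg>`."""
    perms, in_section = set(), False
    for line in dumpsys_output.splitlines():
        text = line.strip()
        if text == "requested permissions:":
            in_section = True
        elif in_section:
            m = PERM_LINE.match(text)
            in_section = bool(m)  # a non-permission line ends the section
            if m:
                perms.add(m.group(1))
    return perms

def triage(pm_list_output, dumpsys_by_package):
    """Flag sideloaded apps requesting >= 2 watched data categories."""
    findings = []
    for pkg, installer in sorted(parse_installers(pm_list_output).items()):
        perms = parse_requested_permissions(dumpsys_by_package.get(pkg, ""))
        hits = sorted({WATCHED[p] for p in perms if p in WATCHED})
        if installer not in TRUSTED_INSTALLERS and len(hits) >= 2:
            findings.append((pkg, installer, hits))
    return findings

# Constructed sample input (not real packages or captured device output).
SAMPLE_PM_LIST = ("package:org.example.notes  installer=com.android.vending\n"
                  "package:org.example.chatplugin  installer=null\n")
SAMPLE_DUMPSYS = {"org.example.chatplugin": (
    "    requested permissions:\n      android.permission.INTERNET\n"
    "      android.permission.READ_CONTACTS\n      android.permission.READ_SMS: restricted=true\n"
    "    install permissions:\n      android.permission.INTERNET: granted=true\n")}
print(triage(SAMPLE_PM_LIST, SAMPLE_DUMPSYS))
```

A hit is a lead for manual review, not a verdict: legitimate sideloaded apps can request the same permissions.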