ESET has identified two previously undocumented Android spyware families, Android/Spy.ProSpy and Android/Spy.ToSpy, that target users in the United Arab Emirates (UAE) by masquerading as secure messaging apps such as Signal and ToTok. These campaigns distribute the malware via deceptive websites and rely on social engineering, manual installation, and persistent access to exfiltrate sensitive user data.
Severity: High
Threat Details
- Malware Families
  - Android/Spy.ProSpy: Impersonates “Signal Encryption Plugin” and “ToTok Pro.”
  - Android/Spy.ToSpy: Masquerades as a legitimate ToTok application.
- Infection Vectors and Distribution
  - Delivered through phishing websites mimicking the legitimate Signal and ToTok websites or app stores (such as a fake Samsung Galaxy Store).
  - Distributed as APK files, which require manual installation from unknown sources and the granting of permissions (such as contacts, SMS, and storage).
- Persistence: Once installed and granted permissions, the spyware maintains persistence and continuous operation through a Foreground Service with a persistent notification, an AlarmManager that restarts the service if it is killed, and a BroadcastReceiver that relaunches the service on device boot.
- Data Exfiltration: Both ProSpy and ToSpy are designed to continually and silently exfiltrate sensitive data and files from compromised Android devices.
| Data Category | ProSpy | ToSpy | Details |
|---|---|---|---|
| Contacts | Yes | Yes | Harvests names, phone numbers, and other contact metadata. |
| SMS Messages | Yes | No | Collects all accessible SMS messages. |
| File Harvesting | Yes | Yes | Searches for and exfiltrates files based on MIME types/extensions, including audio, documents, archives, images, and videos. |
| Chat Backups | Yes | Yes | Specifically targets files with the .ttkmbackup extension, which stores ToTok data backups, suggesting interest in chat history. |
| Device Info | Yes | Yes | Extracts hardware and OS details and the public IP address. |
| Installed Apps | Yes | No | Collects a list of all installed applications. |
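The persistence and permission pattern described above (boot-completed BroadcastReceiver, foreground service, and contact/SMS/storage permissions) can be turned into a static triage check over a decoded AndroidManifest.xml. The following is an added example, not code from ESET or from the samples; the package name and manifest are constructed, and the foregroundServiceType check is a heuristic (apps targeting older SDKs may omit that attribute).

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Permissions the advisory says the lures ask for before exfiltrating data.
SENSITIVE_PERMS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot_perm",
    "android.permission.FOREGROUND_SERVICE": "fgs_perm",
}

def triage_manifest(xml_text: str) -> dict:
    """Score a decoded AndroidManifest.xml for the ProSpy/ToSpy-style pattern:
    relaunch-on-boot receiver + foreground service + contact/SMS/storage access."""
    root = ET.fromstring(xml_text)
    found = set()
    for perm in root.iter("uses-permission"):
        tag = SENSITIVE_PERMS.get(perm.get(A + "name"))
        if tag:
            found.add(tag)
    # A receiver filtering on BOOT_COMPLETED is the relaunch-after-reboot hook.
    for action in root.iter("action"):
        if action.get(A + "name") == "android.intent.action.BOOT_COMPLETED":
            found.add("boot_receiver")
    # A service declaring foregroundServiceType backs the persistent notification
    # (older targetSdk apps may omit the attribute, so absence is not clearance).
    if any(s.get(A + "foregroundServiceType") for s in root.iter("service")):
        found.add("foreground_service")
    persistence = {"boot_receiver", "foreground_service"} <= found
    data_access = bool(found & {"contacts", "sms", "storage"})
    return {"indicators": sorted(found), "suspicious": persistence and data_access}

# Constructed manifest (hypothetical package name) exhibiting the pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplugin">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".SyncService" android:foregroundServiceType="dataSync"/>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` flags the constructed manifest; a manifest lacking either the boot receiver or the foreground service is not flagged, so the check is a hunting lead to pair with the IOC collection, not a verdict.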
MITRE ATT&CK
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Phishing | T1660 |
| Execution | Scheduled Task/Job | T1603 |
| Persistence | Boot or Logon Initialization Scripts | T1398 |
| Persistence | Foreground Persistence | T1541 |
| Discovery | File and Directory Discovery | T1420 |
| Discovery | Software Discovery | T1418 |
| Discovery | System Information Discovery | T1426 |
| Collection | Data from Local System | T1533 |
| Collection | Protected User Data: Contact List | T1636.003 |
| Collection | Protected User Data: SMS Messages | T1636.004 |
| Command and Control | Standard Cryptographic Protocol: Symmetric Cryptography | T1521.001 |
| Exfiltration | Exfiltration Over C2 Channel | T1646 |
Recommendations
- Install apps exclusively from the Google Play Store or other legitimate trusted sources (like Samsung Galaxy Store).
- Ensure that the setting that allows installation of apps from “Unknown Sources” (or “Install unknown apps”) is disabled in your device settings.
- Ensure the Google Play Protect feature is enabled in the Google Play Store app so that known spyware is detected and blocked.
- Regularly install the latest Android security updates and app updates. These updates often contain patches for vulnerabilities that malware might exploit.
- Be extremely suspicious of any pop-ups, websites, or messages offering “Pro,” “Encryption Plugin,” or “Enhanced” versions of popular apps like Signal or ToTok, especially if they require downloading an APK file outside the official app store.
- Before confirming installation, carefully review the permissions an app requests.
- Periodically review the permissions granted to all your apps. Revoke unnecessary or excessive access from third-party apps, particularly access to the camera, microphone, SMS, and storage.
- Use Mobile Threat Defense (MTD) or Mobile Device Management (MDM) platforms with application whitelisting and behavioral monitoring.
- Warn users that even familiar-looking sites (e.g., fake Galaxy Store) can host malicious APKs.
- Block the IOCs published in the VirusTotal collection below at the respective security controls.
https://www.virustotal.com/gui/collection/743edd49baee6a622aaefe7a0e5b66873c9608b3fd99ca4d1bfc376d95e61f54/iocs
Source: