Two New Spyware Families Targeting Android Users in the UAE


ESET has identified two previously undocumented Android spyware families, Android/Spy.ProSpy and Android/Spy.ToSpy, that target users in the United Arab Emirates (UAE) by masquerading as the secure messaging apps Signal and ToTok. The campaigns distribute the malware through deceptive websites and rely on social engineering, manual APK installation, and persistent access to exfiltrate sensitive user data.

Severity: High

Threat Details

  • Malware Families
    • Android/Spy.ProSpy: Impersonates “Signal Encryption Plugin” and “ToTok Pro.”
    • Android/Spy.ToSpy: Masquerades as a legitimate ToTok application.
  • Infection Vectors and Distribution
    • Delivered through phishing websites mimicking legitimate Signal and ToTok websites or app stores (like a fake Samsung Galaxy Store).
    • Malware is distributed as APK files, so the victim must manually install from unknown sources and grant the requested permissions (such as contacts, SMS, and storage).
  • Persistence: Once installed and granted permissions, the spyware keeps running by combining a Foreground Service with a persistent notification, an AlarmManager job that restarts the service if it is killed, and a BroadcastReceiver that relaunches the service at device boot.
  • Data Exfiltration: Both ProSpy and ToSpy are designed to continually and silently exfiltrate sensitive data and files from compromised Android devices.
Data Category    ProSpy  ToSpy  Details
Contacts         Yes     Yes    Harvests names, phone numbers, and other contact metadata.
SMS Messages     Yes     No     Collects all accessible SMS messages.
File Harvesting  Yes     Yes    Searches for and exfiltrates files by MIME type/extension: audio, documents, archives, images, and videos.
Chat Backups     Yes     Yes    Specifically targets files with the .ttkmbackup extension (ToTok data backups), suggesting interest in chat history.
Device Info      Yes     Yes    Extracts hardware details, OS version, and public IP address.
Installed Apps   Yes     No     Collects a list of all installed applications.
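The persistence and collection traits listed above can be checked statically before an APK is ever installed. The following Python script is an added example (not code from ESET, Ampcus Cyber, or the malware itself) that walks a decoded AndroidManifest.xml, as written out by `apktool d`, and flags the combination of a BOOT_COMPLETED receiver, a foreground service, and contacts/SMS/storage permissions, plus a label that borrows the Signal brand under a package name other than Signal's genuine one. The two manifests embedded in it are constructed; their package and class names are hypothetical.

```python
"""Static triage of a decoded AndroidManifest.xml for the ProSpy/ToSpy-style
pattern: boot receiver + foreground service + alarm permissions for persistence,
contacts/SMS/storage permissions for collection, and branding that borrows a
genuine app's name under a different package.

Added example; not code from ESET, Ampcus Cyber, or the malware itself.
Run it on the AndroidManifest.xml that `apktool d sample.apk` writes out
(the binary manifest inside the APK must be decoded first)."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """ElementTree-qualified name for an android:<attr> attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


# Permissions that support the persistence mechanisms described in the advisory.
PERSISTENCE_PERMS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",  # BroadcastReceiver relaunch at boot
    "android.permission.FOREGROUND_SERVICE",      # Foreground Service with notification
    "android.permission.SCHEDULE_EXACT_ALARM",    # AlarmManager restart (API 31+)
    "android.permission.USE_EXACT_ALARM",
}
# Permissions that enable the data categories in the table above.
COLLECTION_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.READ_MEDIA_AUDIO",
}
# Genuine package name of an impersonated brand. Signal's is public; ToTok's is
# deliberately not listed here rather than guessed.
GENUINE_PACKAGES = {"signal": "org.thoughtcrime.securesms"}

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(xml_text):
    """Return a findings dict for one decoded manifest."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {e.get(a("name")) for e in root.iter("uses-permission")}
    app = root.find("application")
    label = (app.get(a("label")) if app is not None else None) or ""

    boot_receivers = [
        r.get(a("name")) for r in root.iter("receiver")
        if any(act.get(a("name")) == BOOT_ACTION for act in r.iter("action"))
    ]
    foreground_services = [
        s.get(a("name")) for s in root.iter("service")
        if s.get(a("foregroundServiceType"))
    ]
    brand_lookalike = [
        brand for brand, genuine in GENUINE_PACKAGES.items()
        if brand in label.lower() and pkg != genuine
    ]
    collection = sorted(perms & COLLECTION_PERMS)

    return {
        "package": pkg,
        "label": label,
        "persistence_perms": sorted(perms & PERSISTENCE_PERMS),
        "collection_perms": collection,
        "boot_receivers": boot_receivers,
        "foreground_services": foreground_services,
        "brand_lookalike": brand_lookalike,
        # Boot receiver + foreground service + two or more collection permissions
        # together is the combination worth escalating on.
        "matches_pattern": bool(boot_receivers) and bool(foreground_services)
                           and len(collection) >= 2,
    }


# Constructed sample manifests (hypothetical package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.signalplugin">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Signal Encryption Plugin">
    <service android:name=".SyncService" android:foregroundServiceType="dataSync"/>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""


if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        f = triage_manifest(m)
        print(f["package"], "matches_pattern=%s" % f["matches_pattern"], f["brand_lookalike"])
```

The pattern match is a triage signal, not a verdict: legitimate sync and messaging apps also use boot receivers and foreground services, so a hit should send the sample on to sandboxing and IOC comparison rather than block it outright. Matching the label against the genuine package name is the cheap check that catches "Signal Encryption Plugin" style lures.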

MITRE ATT&CK

Tactic               Technique                                                 ID
Initial Access       Phishing                                                  T1660
Execution            Scheduled Task/Job                                        T1603
Persistence          Boot or Logon Initialization Scripts                      T1398
Persistence          Foreground Persistence                                    T1541
Discovery            File and Directory Discovery                              T1420
Discovery            Software Discovery                                        T1418
Discovery            System Information Discovery                              T1426
Collection           Data from Local System                                    T1533
Collection           Protected User Data: Contact List                         T1636.003
Collection           Protected User Data: SMS Messages                         T1636.004
Command and Control  Standard Cryptographic Protocol: Symmetric Cryptography   T1521.001
Exfiltration         Exfiltration Over C2 Channel                              T1646

Recommendations

  1. Install apps exclusively from the Google Play Store or other legitimate trusted sources (like Samsung Galaxy Store).
  2. Ensure that the setting that allows installation of apps from “Unknown Sources” (or “Install unknown apps”) is disabled in your device settings.
  3. Ensure “Play Protect” feature is enabled in the Google Play Store app to detect and block known spyware.
  4. Regularly install the latest Android security updates and app updates. These updates often contain patches for vulnerabilities that malware might exploit.
  5. Be extremely suspicious of any pop-ups, websites, or messages offering “Pro,” “Encryption Plugin,” or “Enhanced” versions of popular apps like Signal or ToTok, especially if they require downloading an APK file outside the official app store.
  6. Before confirming installation, carefully review the permissions an app requests.
  7. Periodically review the permissions granted to all your apps. Revoke unnecessary or excessive access from third-party apps, particularly access to the camera, microphone, SMS, and storage.
  8. Use Mobile Threat Defense (MTD) or Mobile Device Management (MDM) platforms with application whitelisting and behavioral monitoring.
  9. Warn users that even familiar-looking sites (e.g., fake Galaxy Store) can host malicious APKs.
  10. Block the IOCs at the respective controls. The IOC collection is available at:
    https://www.virustotal.com/gui/collection/743edd49baee6a622aaefe7a0e5b66873c9608b3fd99ca4d1bfc376d95e61f54/iocs
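Recommendations 1, 7 and 8 above (store-only installs, permission review, MTD/MDM monitoring) can be turned into a repeatable check on enrolled devices. The following Python script is an added example (not code from ESET, Ampcus Cyber, or any MDM vendor) that reads the output of `adb shell pm list packages -3 -i` and `adb shell dumpsys package <package>`, lists third-party apps not installed by Google Play or the Galaxy Store, and reports which of them hold the contacts, SMS or storage permissions the spyware abuses. The sample outputs embedded below are constructed with hypothetical package names, and because the exact dumpsys layout varies between Android versions the parsing is deliberately loose.

```python
"""Hunt for sideloaded third-party apps that hold the permissions ProSpy/ToSpy
abuse, using two adb outputs:
    adb shell pm list packages -3 -i       (third-party packages + installer)
    adb shell dumpsys package <package>    (granted runtime permissions)
Added example; not ESET's, Ampcus Cyber's, or any MDM vendor's code. The sample
outputs below are constructed (hypothetical package names), and the exact
dumpsys layout varies by Android version, so the regexes are deliberately loose."""

import re

# Installers treated as legitimate stores (recommendation 1 above).
STORE_INSTALLERS = {
    "com.android.vending",               # Google Play
    "com.sec.android.app.samsungapps",   # Samsung Galaxy Store
}
# Runtime permissions behind the contacts / SMS / file-harvesting categories.
RISKY_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.READ_MEDIA_AUDIO",
}


def sideloaded_packages(pm_output):
    """Map package -> installer (None if unknown) for every third-party package
    that was not installed by a trusted store."""
    found = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        m = re.search(r"installer=(\S+)", rest)
        installer = m.group(1) if m and m.group(1) != "null" else None
        if installer not in STORE_INSTALLERS:
            found[pkg] = installer
    return found


def granted_permissions(dumpsys_output):
    """Runtime permissions reported as granted=true in `dumpsys package` output."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", dumpsys_output))


def review_device(pm_output, dumpsys_by_pkg):
    """Return [(package, installer, [risky perms])] for sideloaded apps that
    hold at least one risky permission, sorted by package name."""
    flagged = []
    for pkg, installer in sorted(sideloaded_packages(pm_output).items()):
        risky = sorted(granted_permissions(dumpsys_by_pkg.get(pkg, "")) & RISKY_PERMS)
        if risky:
            flagged.append((pkg, installer, risky))
    return flagged


# Constructed sample: one Play-installed app, one harmless sideload, one look-alike.
SAMPLE_PM = """package:com.example.bank  installer=com.android.vending
package:com.example.notes  installer=null
package:com.example.totokpro  installer=null
"""

SAMPLE_DUMPSYS = {
    "com.example.bank": """Package [com.example.bank] (1a2b3c):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
""",
    "com.example.notes": """Package [com.example.notes] (4d5e6f):
    runtime permissions:
      android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET]
""",
    "com.example.totokpro": """Package [com.example.totokpro] (7a8b9c):
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
""",
}

if __name__ == "__main__":
    for pkg, installer, perms in review_device(SAMPLE_PM, SAMPLE_DUMPSYS):
        print(f"{pkg} (installer={installer}): {', '.join(perms)}")
```

Only apps that are both sideloaded and holding a risky grant are reported, which keeps the list short enough to act on: an installer of None combined with READ_SMS or READ_CONTACTS is exactly the profile a manually installed "ToTok Pro" would present, and is a reasonable trigger for pulling the APK for the static triage above and comparing its hash against the published IOCs.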


Ampcus Cyber