Fake Signal and ToTok apps spy on UAE Android users

October 2, 2025 at 12:00 AM

ESET researchers uncovered two Android spyware operations abusing trust in secure messaging apps to target users in the United Arab Emirates. The campaigns deploy malicious lookalikes of Signal and ToTok to steal sensitive data and maintain stealthy, persistent access.

Key takeaways

  • Two new spyware families identified: Android/Spy.ProSpy and Android/Spy.ToSpy
  • ProSpy impersonates Signal (as a fake "Signal Encryption Plugin") and a "ToTok Pro" upgrade; ToSpy impersonates ToTok only
  • Targets include contacts, SMS (ProSpy), installed apps (ProSpy), and broad file types, including ToTok backup files (.ttkmbackup)
  • Distribution via phishing sites and fake app stores; no presence in official app stores
  • Activity, domains, and C2 infrastructure indicate a UAE-focused, ongoing operation
  • Google Play Protect blocks known variants by default on devices with Google Play Services

ProSpy: Fake Signal plugin and ToTok Pro

  • Delivery: Phishing sites host malicious APKs posing as a Signal add-on and a ToTok "Pro" version, requiring users to enable installs from unknown sources.
  • Deception: Once permissions are granted, the fake Signal plugin launches the real Signal app and even renames its launcher to "Play Services" to hide in plain sight. The ToTok Pro variant opens the real ToTok download page and later launches the legitimate app to look authentic.
  • Data theft: Collects device info (including IP), installed apps, contacts, SMS, and files across audio, documents, archives, images, and video.
  • Persistence: Uses a foreground service, AlarmManager restarts, and BOOT_COMPLETED receiver to survive reboots and keep exfiltrating data.

ToSpy: Long-running ToTok impersonation

  • Timeline: Evidence points to activity beginning in mid-2022, with multiple samples signed by the same developer certificate and active domains/C2 at publication time.
  • Delivery: Phishing pages impersonate legitimate app portals, including a site mimicking Samsung Galaxy Store, to push malicious ToTok APKs.
  • Behavior: Requests contacts and storage access, phones home for commands, checks for updates via hardcoded URL, and prompts manual installs of new builds.
  • Targets: Exfiltrates contacts, device info, and files with extensions such as .pdf, .docx, .jpg, .mp3, and notably .ttkmbackup (ToTok backups) — signaling interest in chats/app data.
  • Crypto and C2: Encrypts stolen data using AES-CBC with a hardcoded key and sends it to C2 over HTTPS.
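The two bullet lists above describe a recurring combination of traits: a BOOT_COMPLETED receiver plus a foreground service for persistence (ProSpy), and contacts, SMS and storage permissions for collection (both families). The following static triage heuristic, added here as an illustration and not code from ESET or from either malware family, scores an AndroidManifest.xml for that combination. The sample manifest, the permission-to-behaviour mapping and the "suspicious" threshold are all constructed assumptions; the label check reflects the "Play Services" rename the report mentions and is only a heuristic.

```python
"""Manifest triage heuristic for the ProSpy/ToSpy trait combination.

Constructed example: weights, thresholds and the sample manifest are
assumptions for illustration, not ESET's detection logic.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions tied to the collection behaviour the report describes.
COLLECTION_PERMS = {
    "android.permission.READ_CONTACTS": "contacts collection",
    "android.permission.READ_SMS": "SMS collection",
    "android.permission.READ_EXTERNAL_STORAGE": "file collection",
    "android.permission.READ_MEDIA_IMAGES": "file collection",
    "android.permission.QUERY_ALL_PACKAGES": "installed-app enumeration",
}
# Permissions backing the persistence mechanisms the report describes.
PERSISTENCE_PERMS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot persistence",
    "android.permission.FOREGROUND_SERVICE": "foreground-service persistence",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SYSTEM_LIKE_LABELS = {"play services", "google play services"}  # assumption


def analyze_manifest(xml_text: str) -> dict:
    """Return the traits found and whether their combination is suspicious."""
    root = ET.fromstring(xml_text)
    findings = set()

    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for p in perms:
        if p in COLLECTION_PERMS:
            findings.add(COLLECTION_PERMS[p])
        if p in PERSISTENCE_PERMS:
            findings.add(PERSISTENCE_PERMS[p])

    # A receiver registered for BOOT_COMPLETED is the concrete restart hook.
    for recv in root.iter("receiver"):
        for action in recv.iter("action"):
            if action.get(ANDROID_NS + "name") == BOOT_ACTION:
                findings.add("BOOT_COMPLETED receiver")

    # A label imitating a system component (the "Play Services" trick).
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    if label.strip().lower() in SYSTEM_LIKE_LABELS:
        findings.add("system-like label")

    persistence = sum(1 for f in findings if "persistence" in f or "receiver" in f)
    collection = sum(1 for f in findings if "collection" in f or "enumeration" in f)
    return {
        "package": root.get("package"),
        "findings": sorted(findings),
        "persistence": persistence,
        "collection": collection,
        # Threshold is an assumption: both traits must co-occur to flag.
        "suspicious": persistence >= 2 and collection >= 2,
    }


# Constructed sample manifests (not real samples from the campaigns).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplugin">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Play Services">
    <service android:name=".SyncService" android:foregroundServiceType="dataSync"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(analyze_manifest(text))
```

The heuristic deliberately requires co-occurrence: a backup app legitimately holds storage and boot permissions, and a messaging app legitimately reads contacts, so neither set alone is a signal. Run it over the decoded manifest (for example from apktool output) of any sideloaded APK before trusting it.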

Who is at risk

  • Users in the UAE (and nearby regions) seeking ToTok from unofficial sources
  • Signal users lured by a fake "encryption plugin" and ToTok users tempted by a "Pro" version

How to protect yourself

  • Install apps only from official stores; avoid enabling "Install unknown apps" for messaging tools and plugins.
  • Be skeptical of add-ons or "Pro" versions of secure apps; Signal does not require third-party plugins.
  • Verify app publisher names, website domains, and permissions requested.
  • Keep Google Play Protect enabled; it blocks known samples discovered in these campaigns.
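The advice above reduces to one check a defender can automate on a managed fleet: which third-party packages were not installed by a trusted store, and do any of them imitate the messaging apps named in this report. The script below, an added example rather than anything from ESET or Google, parses the output of `adb shell pm list packages -3 -i` (the `-i` flag prints the installing package). The sample output lines are constructed; the set of trusted installer package names and the lookalike keywords are assumptions to adjust per environment. The real Signal package name, org.thoughtcrime.securesms, is the only legitimate identifier used; ToTok lookalikes are flagged for manual review because this page does not state ToTok's legitimate package name.

```python
"""Audit sideloaded packages from `pm list packages -3 -i` output.

Constructed example: the sample output and the trusted-installer list are
assumptions, not data from the report.
"""
import re

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")

# Installer package names treated as trusted app stores (assumption; extend
# for your MDM or enterprise store).
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

# Legitimate package names for the apps these campaigns impersonate.
KNOWN_LEGIT = {
    "signal": {"org.thoughtcrime.securesms"},
    "totok": set(),  # not stated on this page; any match needs manual review
}


def parse_pm_output(text: str) -> dict:
    """Map package name -> installer ('null' when none was recorded)."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def find_sideloaded(packages: dict, trusted=TRUSTED_INSTALLERS) -> list:
    """Packages whose installer is absent or not a trusted store."""
    return sorted(p for p, inst in packages.items() if inst not in trusted)


def find_lookalikes(packages: dict) -> list:
    """Packages whose name borrows a targeted app's name without being it."""
    hits = []
    for pkg in packages:
        low = pkg.lower()
        for keyword, legit in KNOWN_LEGIT.items():
            if keyword in low and pkg not in legit:
                hits.append((pkg, keyword))
    return sorted(hits)


# Constructed sample of `adb shell pm list packages -3 -i` output.
SAMPLE_OUTPUT = """\
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.example.signalplugin  installer=com.google.android.packageinstaller
package:com.example.totokpro  installer=null
package:com.example.weather  installer=com.sec.android.app.samsungapps
"""

if __name__ == "__main__":
    pkgs = parse_pm_output(SAMPLE_OUTPUT)
    print("sideloaded:", find_sideloaded(pkgs))
    print("lookalikes:", find_lookalikes(pkgs))
```

An installer of `null` typically means the package arrived via adb or an unrecorded path, and `com.google.android.packageinstaller` means the user sideloaded an APK through the system installer; both are exactly the "Install unknown apps" route the campaigns depend on, so every hit deserves a look at its manifest and signing certificate.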

Research notes

  • Both families rely on social engineering, stealthy app masquerading, and straightforward but effective persistence.
  • IoCs and sample lists are available via ESET’s GitHub; techniques map to MITRE ATT&CK for Mobile (e.g., phishing for initial access, file discovery and collection, foreground persistence, AES-encrypted exfiltration over HTTPS).

Attribution remains unclear, but infrastructure and targeting strongly suggest a regionally focused operation still in progress.

Source: WeLiveSecurity
