Beware: Spyware Poses as Signal and ToTok Messaging Apps

Summary
– Two new Android spyware campaigns called ProSpy and ToSpy trick users with fake Signal plugins and ToTok upgrades to steal sensitive data.
– The spyware spreads through fraudulent websites impersonating Signal and Samsung Galaxy Store, primarily targeting UAE users.
– ProSpy malware collects device information, SMS, contacts, files, and app lists while disguising itself with a Play Services icon.
– ToSpy malware focuses on stealing documents, images, videos, and ToTok chat backups while launching the real app for stealth.
– Both spyware families maintain persistence through automatic restarts, foreground services, and boot completion triggers.
Cybersecurity experts have uncovered two sophisticated spyware operations, named ProSpy and ToSpy, that are actively deceiving Android users by posing as legitimate updates for the Signal and ToTok messaging applications. These malicious campaigns specifically target individuals in the United Arab Emirates, using counterfeit websites that closely mimic the official platforms to distribute harmful files.
Signal, a widely used encrypted messaging service with over 100 million installations from Google Play, and ToTok, an application developed by the UAE-based AI firm G42, are both being exploited. ToTok faced removal from both Apple and Google’s official app stores back in 2019 following claims it functioned as a surveillance instrument for the UAE government. Presently, the app can be acquired through its own official site and various third-party app marketplaces.
Security analysts from ESET identified the ProSpy initiative in June, though they suspect it may have been operational since the beginning of 2024. Their investigation brought to light two previously unknown spyware families that fraudulently present themselves as a “Signal Encryption Plugin” and a “Pro version” of ToTok, neither of which is a genuine offering. The perpetrators behind these attacks circulated the harmful APK files via deceptive webpages made to look like the authentic Signal website and the Samsung Galaxy Store.
When BleepingComputer attempted to visit these fraudulent sites, most were no longer accessible, with one redirecting to the legitimate ToTok website. Once installed, the ProSpy malware requests permissions to access contacts, SMS messages, and stored files, permissions that could seem normal for a messaging app. After activation, it begins siphoning off a wide array of sensitive information, including device specifics, text messages, contact lists, various file types such as audio and documents, ToTok backup files, and a complete inventory of installed applications.
To avoid detection, the fake Signal plugin adopts the ‘Play Services’ icon and name on the device’s home screen. Tapping the icon simply opens the information screen for the legitimate Google Play Services application, a clever trick to prevent raising user suspicion. If the targeted messaging app isn’t already on the device, the malware may even redirect the user to the official download source.
The ToSpy campaign appears to have been active since at least 2022, based on evidence such as a developer certificate from May of that year, domain registrations, and malware samples submitted to VirusTotal. This operation is still ongoing, with its command-and-control infrastructure remaining active. The counterfeit ToTok app urges users to grant access to contacts and storage, then proceeds to harvest documents, images, videos, and ToTok chat backups. All stolen data is encrypted using AES in CBC mode before being transmitted.
ToSpy also employs stealth tactics; if the real ToTok app is present on the device, it will launch that application when opened. If not, it attempts to open the Huawei AppGallery or a web browser so the user can download the official app, further masking its malicious activity.
Both ProSpy and ToSpy utilize three primary methods to maintain persistence on infected devices. They exploit the Android ‘AlarmManager’ system API to restart automatically if terminated, run a foreground service with a persistent notification to appear as a high-priority process, and register to receive BOOT_COMPLETED events so the spyware can reactivate following a device reboot without any user interaction.
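An analyst triaging an APK pulled from one of these sites can check its manifest for exactly this combination of persistence declarations and data-access permissions. The Python below is an added example, not code from ESET, BleepingComputer or the malware; it parses a constructed AndroidManifest.xml (not a real sample) and flags a BOOT_COMPLETED receiver, the foreground-service permission, SMS and contacts access, and a ‘Play Services’ application label appearing together.

```python
"""Manifest triage heuristic for the ProSpy/ToSpy pattern described above.
The sample manifest at the bottom is constructed for illustration only."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Declarations that support the persistence methods named in the article
PERSISTENCE_PERMS = {"android.permission.RECEIVE_BOOT_COMPLETED",
                     "android.permission.FOREGROUND_SERVICE"}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Data-access permissions the fake apps request
DATA_PERMS = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
              "android.permission.READ_EXTERNAL_STORAGE"}
# Labels used to impersonate a system component on the home screen
IMPERSONATION_LABELS = {"play services", "google play services"}

def triage_manifest(xml_text: str) -> dict:
    """Return the findings an analyst would review; 'review' is True when a
    boot receiver and at least one data-access permission occur together."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    boot_receiver = any(a.get(ANDROID_NS + "name") == BOOT_ACTION
                        for r in root.iter("receiver") for a in r.iter("action"))
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") or "") if app is not None else ""
    findings = {
        "persistence_perms": sorted(perms & PERSISTENCE_PERMS),
        "boot_receiver": boot_receiver,
        "data_perms": sorted(perms & DATA_PERMS),
        "suspicious_label": label.strip().lower() in IMPERSONATION_LABELS,
    }
    findings["review"] = boot_receiver and bool(findings["data_perms"])
    return findings

# Constructed sample manifest showing the combination worth reviewing
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Play Services">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit on this heuristic is a reason to look closer (legitimate apps also declare boot receivers), not a verdict on its own.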
While ESET has published a detailed list of indicators of compromise to help identify these threats, the identity of the attackers remains unknown. To protect themselves, Android users should download applications exclusively from official or trusted sources, such as the Google Play Store or the developer’s verified website. It is also crucial to keep the Play Protect service enabled, as it can automatically block known malicious software.
(Source: Bleeping Computer)