
"Slovak cybersecurity company ESET said the malicious apps are distributed via fake websites and social engineering to trick unsuspecting users into downloading them. Once installed, both the spyware malware strains establish persistent access to compromised Android devices and exfiltrate data. "Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services," ESET researcher Lukáš Štefanko said. Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app."
"The ProSpy campaign, discovered in June 2025, is believed to have been ongoing since 2024, leveraging deceptive websites masquerading as Signal and ToTok to host booby-trapped APK files that claim to be upgrades to the respective apps, namely Signal Encryption Plugin and ToTok Pro. The use of ToTok as a lure is no coincidence, as the app was removed from Google Play and Apple App Store in December 2019 due to concerns that it acted as a spying tool for the U.A.E. government, harvesting users' conversations, locations, and other data."
Two Android spyware campaigns, ProSpy and ToSpy, impersonate messaging apps to target users in the United Arab Emirates. The malicious APKs are hosted on deceptive third-party websites and reach devices through social engineering and manual sideloading; neither app was ever listed in an official app store. Once installed, the spyware establishes persistent access, requests permissions for contacts, SMS, and file access, and exfiltrates device information and user data. ProSpy, discovered in June 2025 and believed to have been active since 2024, used sites masquerading as Signal and ToTok to host booby-trapped APKs presented as upgrades named Signal Encryption Plugin and ToTok Pro; one ToSpy distribution site mimicked the Samsung Galaxy Store to deliver a trojanized ToTok build. Both campaigns lean on ToTok's December 2019 removal from Google Play and the Apple App Store as a convincing lure, since users already expect to obtain it outside official channels.
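The common thread in both campaigns is that the spyware had to be sideloaded, so the first triage question on a suspect handset is which third-party packages did not come from an official store and which carry Signal- or ToTok-style names. The script below is an added example, not code from The Hacker News or ESET: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer), flags anything whose installer is not Google Play (`com.android.vending`) or the Galaxy Store (`com.sec.android.app.samsungapps`), and separately flags lookalike package names, treating Signal's real package ID `org.thoughtcrime.securesms` as known-good. The sample output is constructed, the `com.example.*` package names are hypothetical and are not the identifiers ESET reported, and the lookalike keyword check is a heuristic of this example, not an indicator from the article.

```python
"""Triage sideloaded Android packages from `adb shell pm list packages -3 -i` output.

Added example; assumes Google Play and the Samsung Galaxy Store are the only
installers the device owner considers legitimate.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Installer package names of the official stores (Google Play, Samsung Galaxy Store).
TRUSTED_INSTALLERS = {
    "com.android.vending",
    "com.sec.android.app.samsungapps",
}

# Signal's real package ID. Anything else with "signal" or "totok" in its
# package name is treated as a lookalike worth a closer look (example heuristic).
KNOWN_GOOD = {"org.thoughtcrime.securesms"}
LOOKALIKE_KEYWORDS = ("signal", "totok")

# `pm list packages -i` prints one row per package: "package:<name>  installer=<name|null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when pm prints 'null')."""
    result: Dict[str, Optional[str]] = {}
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines or anything that is not a package row
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def flag_sideloaded(installers: Dict[str, Optional[str]],
                    trusted=TRUSTED_INSTALLERS) -> List[str]:
    """Packages whose recorded installer is missing or not an official store."""
    return sorted(pkg for pkg, inst in installers.items() if inst not in trusted)


def flag_lookalikes(installers: Dict[str, Optional[str]]) -> List[str]:
    """Packages with Signal/ToTok-style names that are not the genuine package ID."""
    return sorted(pkg for pkg in installers
                  if pkg not in KNOWN_GOOD
                  and any(k in pkg.lower() for k in LOOKALIKE_KEYWORDS))


def triage(output: str) -> Dict[str, List[str]]:
    installers = parse_pm_list(output)
    return {
        "sideloaded": flag_sideloaded(installers),
        "lookalikes": flag_lookalikes(installers),
    }


def triage_device() -> Dict[str, List[str]]:
    """Run against a connected device; needs adb on PATH and USB debugging enabled."""
    out = subprocess.run(["adb", "shell", "pm", "list", "packages", "-3", "-i"],
                         capture_output=True, text=True, check=True).stdout
    return triage(out)


# Constructed sample output (not captured from a real device). The com.example.*
# names are hypothetical stand-ins, not the packages ESET identified.
SAMPLE_OUTPUT = """\
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.example.totokpro  installer=null
package:com.example.signalplugin  installer=com.android.packageinstaller
package:com.example.weather  installer=com.sec.android.app.samsungapps
package:com.example.notes  installer=null
"""

if __name__ == "__main__":
    for category, pkgs in triage(SAMPLE_OUTPUT).items():
        print(f"{category}: {pkgs}")
```

The `-3` flag restricts the listing to third-party packages; preinstalled system apps report `installer=null` too and would otherwise swamp the sideloaded list. An installer of `com.android.packageinstaller` (or `null`) is exactly what a manual APK install from a browser download produces, which is the delivery path described above. A hit here is a lead, not a verdict: confirm it by pulling the APK with `adb pull` and comparing its signing certificate against the genuine developer's before drawing conclusions.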
Read at The Hacker News