ESET Research discovers new spyware posing as messaging apps targeting users in the UAE

- ESET Research has uncovered two previously undocumented Android spyware families, which ESET has named Android/Spy.ProSpy and Android/Spy.ToSpy.
- ProSpy impersonates both Signal and ToTok, whereas ToSpy targets ToTok users exclusively.
- Both malware families aim to exfiltrate user data, including documents, media, files, contacts, and chat backups.
- Confirmed detections in the UAE and the use of both phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms.
MONTREAL and BRATISLAVA, Slovakia, Oct. 02, 2025 (GLOBE NEWSWIRE) — ESET researchers have uncovered two Android spyware campaigns targeting individuals interested in secure communication apps, namely Signal and ToTok. These campaigns distribute malware through deceptive websites and social engineering and appear to target residents of the United Arab Emirates (UAE). ESET’s investigation led to the discovery of two previously undocumented spyware families: Android/Spy.ProSpy impersonates upgrades or plugins for the Signal app and the controversial and discontinued ToTok app, and Android/Spy.ToSpy impersonates the ToTok app. The ToSpy campaigns are ongoing, as suggested by C&C servers that remain active.
“Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services,” explains ESET researcher Lukáš Štefanko, who made the discovery. “Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app. Once installed, both spyware families maintain persistence and continually exfiltrate sensitive data and files from compromised Android devices. Confirmed detections in the UAE and the use of phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms.”
ESET Research discovered the ProSpy campaign in June 2025, and it has likely been ongoing since 2024. ProSpy is being distributed through three deceptive websites designed to impersonate the communication platforms Signal and ToTok. These websites offer malicious APKs posing as improvements, disguised as a Signal Encryption Plugin and ToTok Pro. The use of a domain name ending in the substring ae.net may suggest that the campaign targets individuals residing in the United Arab Emirates, as AE is the two-letter country code for the UAE.
During the investigation, ESET discovered five more malicious APKs using the same spyware codebase, posing as an enhanced version of the ToTok messaging app under the name ToTok Pro. ToTok, a controversial free messaging and calling app developed in the United Arab Emirates, was removed from Google Play and Apple’s App Store in December 2019 due to surveillance concerns. Given that its user base is primarily located in the UAE, it is likely that ToTok Pro may be targeting users in this region, who may be more likely to download the app from unofficial sources in their own region.
Upon execution, both malicious apps request permissions to access contacts, SMS messages, and files stored on the device. If these permissions are granted, ProSpy starts exfiltrating data in the background. The Signal Encryption Plugin extracts device information, stored SMS messages, and the contact list, and it exfiltrates other files – such as chat backups, audio, video, and images.
In June 2025, ESET telemetry systems flagged another previously undocumented Android spyware family actively distributed in the wild, originating from a device located in the UAE. ESET labeled the malware Android/Spy.ToSpy. Later investigation revealed four deceptive distribution websites impersonating the ToTok app. Given the app’s regional popularity and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spyware campaign are users in the UAE or surrounding regions. In the background, the spyware can collect and exfiltrate the following data: user contacts, device information, files such as chat backups, images, documents, audio, and video, among others. ESET findings suggest that the ToSpy campaign likely began in mid-2022.
“Users should remain vigilant when downloading apps from unofficial sources and avoid enabling installation from unknown origins, as well as when installing apps or add-ons outside of official app stores, especially those claiming to enhance trusted services,” advises Štefanko.
For a more detailed analysis and technical breakdown of Android/Spy.ProSpy and Android/Spy.ToSpy, check out the latest ESET Research blog post, “New spyware campaigns target privacy-conscious Android users in the UAE” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), Bluesky, and Mastodon for the latest news from ESET Research.
About ESET
ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit http://www.eset.com or follow our social media, podcasts, and blogs.






