Warning: Beware of Android Spyware Disguised as Signal Encryption Plugin and ToTok Pro
Cybersecurity researchers have discovered two Android spyware campaigns dubbed ProSpy and ToSpy that impersonate apps like Signal and ToTok to target users in the United Arab Emirates (U.A.E.). Slovak cybersecurity company ESET said the malicious apps are distributed via fake websites and social engineering to trick unsuspecting users into downloading them. Once installed, both the spyware
AI Analysis
Technical Summary
Cybersecurity researchers uncovered two Android spyware campaigns named ProSpy and ToSpy that impersonate popular communication apps Signal and ToTok to target users in the United Arab Emirates. These campaigns distribute malicious APK files through fake websites mimicking legitimate services, including a site resembling the Samsung Galaxy Store. The spyware apps masquerade as Signal Encryption Plugin and ToTok Pro, tricking users into manual installation since they are not available on official app stores. The malware also uses deceptive UI elements: for example, the ToTok Pro app shows a "CONTINUE" button redirecting users to the official app download page, and the Signal Encryption Plugin shows an "ENABLE" button that leads users to the legitimate Signal website. These tactics reinforce the illusion of legitimacy and mask the spyware's presence.

Once installed, the spyware requests broad permissions to access contacts, SMS messages, files, and device information. It then stealthily exfiltrates this sensitive data to attackers. Both spyware families employ persistence techniques such as running foreground services with persistent notifications, using Android's AlarmManager to restart services if terminated, and launching background services automatically after device reboot.

The ProSpy campaign has been active since 2024, while ToSpy has been ongoing since mid-2022. The campaigns focus on stealing sensitive data, including chat backups and media files. The use of ToTok as a lure is notable because the app was previously removed from official stores amid spying allegations linked to the UAE government. Google Play Protect provides some protection by detecting known malware variants even if installed from outside the Play Store. However, the campaigns highlight the risks posed by sideloaded apps and social engineering, especially in regions with high geopolitical tensions.
The attackers behind these campaigns remain unknown, and the exact number or identity of victims is unclear. The campaigns underscore the importance of cautious app installation practices and monitoring for suspicious app behavior on Android devices.
Potential Impact
For European organizations, the direct impact of these spyware campaigns may be limited given the regional targeting of the UAE. However, the threat poses significant risks to employees traveling to or collaborating with partners in the Middle East, where infected devices could lead to data leakage of sensitive corporate information, contacts, and communications. The spyware’s ability to exfiltrate SMS, contacts, files, and chat backups could compromise confidentiality and privacy, potentially exposing business secrets or personal data. The persistence mechanisms make detection and removal challenging, increasing the risk of prolonged exposure. Additionally, the campaigns demonstrate the dangers of sideloading apps outside official stores, a practice that may be more common in certain environments or among users seeking regionally restricted apps. European organizations with mobile device management (MDM) policies that do not restrict installation from unknown sources or lack monitoring for unusual app behavior may be more vulnerable. The campaigns also highlight the need for awareness training on social engineering tactics targeting mobile users. Given the geopolitical context, espionage or surveillance motives cannot be ruled out, which could have broader implications for organizations involved in sensitive sectors or with interests in the Middle East.
Mitigation Recommendations
European organizations should:
- Implement strict mobile device management policies that prohibit or tightly control the installation of apps from unknown sources, especially on devices used for business purposes.
- Deploy endpoint protection solutions capable of detecting and blocking spyware, including Google Play Protect and third-party mobile security tools with behavioral analysis.
- Conduct regular security awareness training emphasizing the risks of sideloading apps and recognizing social engineering tactics, particularly for employees traveling to or working with entities in the Middle East.
- Monitor mobile devices for unusual app behavior, such as persistent notifications from unknown apps or unexpected network activity indicative of data exfiltration.
- Enforce the use of official app stores for all app installations and discourage the use of unofficial or third-party app repositories.
- Employ network-level protections to detect and block communications with known malicious command and control servers associated with spyware campaigns.
- Regularly audit installed applications on corporate devices to identify and remove unauthorized or suspicious apps.
- Consider implementing application allowlisting to restrict which apps can run on managed devices.
- Maintain up-to-date device firmware and security patches to reduce the attack surface and leverage built-in security features.
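The audit recommendation above can be made concrete with a simple inventory check. The following script is an added example (not ESET's or the article's code): it parses the output of two standard Android Debug Bridge commands, `adb shell pm list packages -i` (package plus installer) and `adb shell dumpsys package` (requested permissions), and flags packages that were not installed by an allowed store and that request the permission profile matching the behaviour described in the analysis (boot persistence and foreground service together with contacts, SMS or storage access). The package names, installer names and permission lists in the sample input are constructed for the example; the allowed-installer set is an assumption to adjust for your own MDM or vendor store.

```python
"""Flag sideloaded Android packages with a persistence + data-access permission profile.

Added example for auditing managed devices; not code from the original article.
Input is the text of `adb shell pm list packages -i` and `adb shell dumpsys package`,
captured beforehand, so this runs offline on the constructed samples below.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Installers treated as official stores. Assumption for this example; add your
# MDM agent or enterprise store package name as appropriate.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Persistence-related permissions: restart on boot, long-running foreground service.
PERSISTENCE_PERMS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.FOREGROUND_SERVICE",
}
# Data-access permissions covering the data classes named in the analysis.
DATA_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}

# Constructed sample output of `adb shell pm list packages -i`.
SAMPLE_PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.fakeplugin  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
"""

# Constructed excerpt in the shape of `adb shell dumpsys package` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (1a2b3c):
    userId=10087
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.FOREGROUND_SERVICE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.fakeplugin] (4d5e6f):
    userId=10231
    requested permissions:
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.FOREGROUND_SERVICE
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.READ_SMS: granted=true
  Package [com.example.flashlight] (7a8b9c):
    userId=10240
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
"""


@dataclass
class Finding:
    package: str
    installer: Optional[str]      # None means no recorded installer (sideloaded)
    persistence: Set[str]
    data_access: Set[str]


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package from `pm list packages -i` lines."""
    installers: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_permissions(dumpsys_output: str) -> Dict[str, Set[str]]:
    """Collect each package's 'requested permissions:' block from dumpsys output."""
    perms: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    in_block = False
    for raw in dumpsys_output.splitlines():
        line = raw.strip()
        header = re.match(r"Package \[(\S+)\]", line)
        if header:
            current = header.group(1)
            perms[current] = set()
            in_block = False
            continue
        if line == "requested permissions:":
            in_block = True
            continue
        if in_block and current is not None:
            # Permission lines are a bare name, optionally followed by ": flags".
            perm = re.fullmatch(r"([\w.]+)(?::.*)?", line)
            if perm:
                perms[current].add(perm.group(1))
            else:
                in_block = False  # any other line ends the block
    return perms


def audit(pm_output: str, dumpsys_output: str) -> List[Finding]:
    """Return sideloaded packages requesting both persistence and data-access permissions."""
    installers = parse_installers(pm_output)
    perms = parse_permissions(dumpsys_output)
    findings: List[Finding] = []
    for pkg, installer in installers.items():
        if installer in TRUSTED_INSTALLERS:
            continue  # came from an allowed store; out of scope for this check
        requested = perms.get(pkg, set())
        persist = requested & PERSISTENCE_PERMS
        data = requested & DATA_PERMS
        if persist and data:
            findings.append(Finding(pkg, installer, persist, data))
    return sorted(findings, key=lambda f: f.package)


if __name__ == "__main__":
    for f in audit(SAMPLE_PM_LIST, SAMPLE_DUMPSYS):
        print(f"REVIEW {f.package} installer={f.installer} "
              f"persistence={sorted(f.persistence)} data={sorted(f.data_access)}")
```

On a real device, feed the two captures in instead of the samples. The check is deliberately a triage filter, not a verdict: a legitimately sideloaded messaging app has the same permission profile, so each hit should be confirmed against the MDM inventory before removal.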
Affected Countries
United Arab Emirates, United Kingdom, Germany, France, Italy, Netherlands
Technical Details
- Article Source: https://thehackernews.com/2025/10/warning-beware-of-android-spyware.html (fetched 2025-10-07T01:05:09.247Z; 1492 words)
Threat ID: 68e467476a45552f36e85b7c
Added to database: 10/7/2025, 1:05:11 AM
Last enriched: 10/7/2025, 1:09:54 AM
Last updated: 11/22/2025, 3:20:03 PM