ESET researchers have uncovered two Android spyware and adware campaigns concentrating on people desirous about safe communication apps, specifically Sign and ToTok. These campaigns distribute malware by way of misleading web sites and social engineering and seem to focus on residents of the United Arab Emirates (UAE).
Our investigation led to the invention of two beforehand undocumented spyware and adware households – Android/Spy.ProSpy, impersonating upgrades or plugins for the Sign and ToTok messaging apps; and Android/Spy.ToSpy, impersonating the ToTok app.
Neither app containing the spyware and adware was accessible in official app shops; each required guide set up from third-party web sites posing as professional companies. Notably, one of many web sites distributing the ToSpy malware household mimicked the Samsung Galaxy Retailer, luring customers into manually downloading and putting in a malicious model of the ToTok app.
As soon as put in, each spyware and adware households keep persistence and regularly exfiltrate delicate knowledge and information from compromised Android units. Curiously, we noticed that ToSpy, amongst different file varieties, targets the .ttkmbackup file extension used to retailer ToTok knowledge backups. This means an curiosity within the extraction of chat historical past or app knowledge. The ToSpy campaigns are ongoing, as steered by C&C servers that stay energetic on the time of publication.
As an App Protection Alliance associate, we shared our findings with Google. Android customers are mechanically protected in opposition to recognized variations of this spyware and adware by Google Play Shield, which is on by default on Android units with Google Play Providers.
Key factors of this blogpost:
- We’ve uncovered two beforehand undocumented Android spyware and adware households: Android/Spy.ProSpy and Android/Spy.ToSpy.
- ProSpy impersonates each Sign and ToTok, whereas ToSpy targets ToTok customers solely.
- Each malware households purpose to exfiltrate person knowledge, together with paperwork, media, information, contacts, and chat backups.
- Confirmed detections within the UAE and using phishing and faux app shops recommend regionally targeted operations with strategic supply mechanisms.
ProSpy marketing campaign
We found the ProSpy marketing campaign in June 2025, however we imagine it has been ongoing since 2024.
We’ve seen ProSpy being distributed by way of three misleading web sites designed to impersonate communication platforms Sign and ToTok. These websites supply malicious APKs posing as enhancements, disguised as Sign Encryption Plugin and ToTok Professional.
Preliminary distribution vectors
Sign Encryption Plugin
In June 2025, we recognized two Android spyware and adware samples claiming to be the (nonexistent, legit) Sign Encryption Plugin app. The plugin was distributed by way of phishing utilizing two devoted web sites (https://sign.ct[.]ws and https://encryption-plug-in-signal.com-ae[.]internet/), see Determine 1, and it was accessible solely within the type of an Android app that required customers to allow guide set up from unknown sources.
Although the samples had been distributed utilizing separate domains, they shared equivalent malicious code. Using a website identify ending within the substring ae.internet might recommend that the marketing campaign targets people residing within the United Arab Emirates, as AE is the two-letter nation code for the UAE.
ToTok Professional
Increasing our analysis, we found 5 extra malicious APKs utilizing the identical spyware and adware codebase, posing as an enhanced model of the ToTok messaging app underneath the identify ToTok Professional. One of many samples that we found early on was distributed by way of a faux web site, from the URL https://totok-pro[.]io/totok_pro_release_v2_8_8_10330.apk. The distribution vectors for the remaining 4 samples stay unknown.
ToTok, a free messaging and calling app developed within the United Arab Emirates, was faraway from Google Play and Apple’s App Retailer in December 2019 because of surveillance issues. On condition that its person base is primarily positioned within the UAE, we speculate that ToTok Professional could also be concentrating on customers on this area, who could also be extra liable to obtain the app from unofficial sources.
Execution move
Upon execution, each malicious apps request permissions to entry contacts, SMS messages, and information saved on the gadget. If these permissions are granted, ProSpy begins exfiltrating knowledge within the background. The steps we describe subsequent are taken to ensure that the apps to look professional and stop the sufferer from uninstalling them.
ToTok Professional spyware and adware
Within the case of the ToTok Professional distribution vector, as soon as permissions are granted, the app shows a Welcome to ToTok Professional display that carefully mimics the professional ToTok app’s onboarding course of; see Determine 4.
This display shows a CONTINUE button, which, when tapped, opens the official ToTok obtain web page within the browser, suggesting that the person obtain and set up the official ToTok app. This redirection is designed to bolster the phantasm of legitimacy. Any future launches of the malicious ToTok Professional app will as a substitute open the true ToTok app, successfully masking the spyware and adware’s presence. Nevertheless, the person will nonetheless see two apps put in on the gadget (ToTok and ToTok Professional, as proven in Determine 5), which might be suspicious.
Sign Encryption Plugin spyware and adware
When the Sign Encryption Plugin app is launched, the app shows an ENABLE button to proceed. Tapping the button launches the professional Sign app. If the app isn’t put in, it sends a request to open a professional sign.org hyperlink within the browser; see Determine 6. From there, customers can obtain and set up the Sign app.
Opposite to ToTok Professional, as soon as Sign Encryption Plugin is executed and all requested permissions are enabled, its app icon and identify on the gadget dwelling display change to Play Providers; see Determine 7. That is achieved by utilizing activity-alias outlined in AndroidManifest.xml that acts in its place entry level for an current exercise. As a substitute of making a brand new exercise, a developer can create an alias with its personal icon and label (the label proven on the house display). The important thing to altering the app’s look is that an app can have a number of aliases outlined in its manifest, however just one might be the energetic launcher at a time. By programmatically enabling a brand new alias and disabling the previous one, the app can change its icon and identify on the house display with out reinstalling or updating.
As soon as the person faucets the Play Providers icon, it opens the App information display of a professional Google Play Providers app; see Determine 8.
Earlier than the person clicks CONTINUE (ToTok Professional) or ENABLE (Sign Encryption Plugin), the malware silently exfiltrates the next knowledge:
- Gadget Info: Extracts {hardware}, OS particulars, and public IP deal with retrieved by way of a request to ip-api.com/json.
- Saved SMS messages: Collects all accessible SMS messages, see Determine 9.
- Contact record: Harvests names, telephone numbers, and different contact metadata.
- File harvesting: Searches for and exfiltrate information and categorizes them based mostly on MIME varieties, together with:
○ Audio: audio/*, utility/ogg.
○ Paperwork: utility/pdf, utility/msword, utility/vnd.ms-excel, utility/vnd.ms-powerpoint, utility/vnd.openxmlformats-officedocument.*, utility/javascript, textual content/*.
○ Archives: utility/zip, utility/x-rar-compressed, utility/x-7z-compressed, utility/java-archive, utility/vnd.android.package-archive, and others.
○ Photographs: picture/*.
○ Others: Any file not matching the classes above.
- Put in apps: Listing of all put in functions.
A number of the collected knowledge is first saved domestically within the app’s inside storage in contacts_list.json, device_info.json, and sms_list.json textual content information, after which exfiltrated to the C&C server, as you possibly can see in Determine 10.
ToSpy marketing campaign
Later in June 2025, our telemetry programs flagged one other beforehand undocumented Android spyware and adware household actively distributed within the wild, originating from a tool positioned within the UAE. We labeled the malware Android/Spy.ToSpy. Our investigation revealed 4 misleading distribution web sites impersonating the ToTok app. Primarily based on ToSpy’s icon, it seems that it might have been introduced to customers as a Professional model of the ToTok app; see Determine 11.
We discovered six samples sharing the identical distinctive malicious codebase, impersonating the ToTok app, and utilizing the identical developer certificates (DE90F6899EEC315F4ED05C2AA052D4FE8B71125A), which implies that they had been developed by one menace actor.
A number of timestamp indicators helped us hint the origins of this marketing campaign:
- The developer certificates was created on Could 24th, 2022.
- One of many earliest distribution and C&C domains was registered on Could 18th, 2022.
- Some samples had been uploaded to VirusTotal as early as June 30th, 2022.
These findings recommend that the ToSpy marketing campaign possible started in mid-2022. On the time of the evaluation, two of the distribution web sites had been operational. A number of C&C servers are nonetheless energetic, indicating that the marketing campaign is ongoing.
We additionally recognized 5 associated samples uploaded to VirusTotal. Whereas these samples don’t affirm an energetic compromise, they do recommend curiosity or testing exercise – doubtlessly coming from customers, safety distributors, or the menace actors.
Desk 1. Samples discovered on VirusTotal
| Uploaded | Filename | Submission |
| June 30th, 2022 | v1_8_6_405_totok.apk | United Arab Emirates |
| August 2nd, 2022 | v1_8_7_408_totok.apk | United Arab Emirates |
| November 28th, 2022 | totok_v1.8.7.408.apk | Netherlands |
| January 30th, 2024 | N/A | N/A |
| March 11th, 2025 | totok_Version_1_9_5_433.apk | United Arab Emirates |
| Could 8th, 2025 | totok_V1.9.8.443.apk | United States |
Given the app’s regional reputation and the impersonation techniques utilized by the menace actors, it’s affordable to take a position that the first targets of this spyware and adware marketing campaign are customers within the UAE or surrounding areas.
Preliminary distribution vector
Because the preliminary distribution vector, the marketing campaign makes use of phishing web sites designed to impersonate professional app distribution platforms. We recognized distribution web sites for 5 out of the six samples, two of which had been nonetheless energetic throughout our investigation. Considered one of these energetic web sites mimicked the Galaxy Retailer (https://retailer.appupdate[.]ai), as proven in Determine 12, presenting the ToTok app as a professional obtain – thus growing the probability of person deception. On the time of publication, there was no accessible data relating to the strategy or channel by way of which this hyperlink was distributed to potential victims.
The second energetic area initialized the obtain of the ToSpy app after the person clicked on OK, as proven in Determine 13.
Execution move
Upon execution, the malicious ToTok app asks for permissions to entry contacts and gadget storage, falsely presenting the permissions as a requirement for the app to operate correctly. These permissions are, nonetheless, crucial for the operation of ToSpy, enabling it to entry delicate knowledge.
As soon as permissions are granted, the malware sends the compromised gadget data to the C&C server and waits for additional directions. When the C&C server sends the command to proceed, ToSpy initiates knowledge exfiltration.
The app additionally checks for the supply of what we suspect is an up to date model of the spyware and adware by sending a request to https://spiralkey[.]co/totok_update/totokversion.php.
If a more moderen model is out there, the app makes an attempt to obtain it from the hardcoded hyperlink https://spiralkey[.]co/totok_update/totok_pro.apk.
The person is then prompted to manually set up the downloaded APK; see Determine 16.
Throughout our evaluation, we had been unable to retrieve the file from this hyperlink, so we couldn’t confirm whether or not it’s merely an up to date model of the spyware and adware or a special malicious payload.
Equally to ProSpy, ToSpy additionally contains steps designed to additional deceive the sufferer into believing that the malware they simply put in is a professional app. After the person launches the malicious ToTok app, there are two attainable eventualities: both the official ToTok app is put in on the gadget or it’s not.
If the official ToTok app isn’t put in on the gadget, ToSpy makes an attempt to redirect the person to the Huawei AppGallery (see Determine 17), both by way of an already put in Huawei app or by way of the default browser, suggesting the person obtain the official ToTok app. Nevertheless, based mostly on the hardcoded Huawei hyperlink, the app now not seems to be accessible within the app retailer, which can lead to a lifeless finish or confusion for the person.
Nevertheless, if the official ToTok app is already put in on the gadget, each time the malicious app is launched, it first shows a Checking for replace display, then seamlessly launches the official ToTok app, making it seem as if the person is solely utilizing the professional app.
Within the background, the spyware and adware can accumulate and exfiltrate the next knowledge:
- person contacts;
- information with particular extensions similar to .pdf, .ttkmbackup, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .opus, .vcf, .csv, .jpg, .jpeg, .png, .wav, and .mp3; and
- fundamental gadget Info.
The .ttkmbackup file extension is especially noteworthy, as it’s used to retailer ToTok knowledge backups, suggesting a focused curiosity within the extraction of chat historical past or app knowledge.
All exfiltrated knowledge is encrypted utilizing AES encryption in CBC (Cipher Block Chaining) mode with a hardcoded key (p2j8w9savbny75xg). The information is then despatched to a C&C server utilizing an HTTPS POST request. Determine 18 exhibits the decompiled code of the malicious technique accountable for sufferer knowledge exfiltration.
The hardcoded key can be used to decrypt hardcoded strings throughout the app, such because the record of file extensions and C&C server addresses. The identical secret’s used for encryption and decryption for all six samples.
Persistence
As soon as put in, the spyware and adware in each campaigns maintains persistence and ensures steady operation on compromised units by way of:
- Foreground Service: The spyware and adware runs a foreground service that shows persistent notification and is handled by Android as a precedence course of.
- Alarm Supervisor for Service Restart: It makes use of Android’s AlarmManager to repeatedly restart the foreground service, guaranteeing that even when the service is killed, it shortly resumes operation (which permits it to carry out duties similar to checking for updates, sustaining communication with the C&C servers, and exfiltrating knowledge).
- Boot Persistence with BroadcastReceiver for BOOT_COMPLETED: The element tracks system boot occasions. Upon the gadget reboot, the spyware and adware mechanically relaunches its background companies, guaranteeing it stays energetic with out person interplay.
These methods aren’t extremely subtle however are efficient relating to conserving the spyware and adware working repeatedly, maximizing knowledge exfiltration alternatives, and minimizing person consciousness.
Conclusion
We recognized two distinct Android spyware and adware campaigns – Android/Spy.ProSpy and Android/Spy.ToSpy – concentrating on customers within the UAE and sharing widespread traits similar to impersonation of professional apps, use of social engineering, guide set up, persistent background companies, and broad knowledge exfiltration capabilities. Regardless of these similarities, we monitor them individually because of variations in supply strategies and infrastructure.
ProSpy is distributed by way of faux add-ons and plugins for Sign and ToTok, whereas ToSpy mimics solely the ToTok messaging app. ToSpy marketing campaign are ongoing, with energetic distribution domains and C&C servers. Nevertheless, attribution stays inconclusive.
Customers ought to stay vigilant when downloading apps from unofficial sources and keep away from enabling set up from unknown origins, in addition to when putting in apps or add-ons outdoors of official app shops, particularly these claiming to reinforce trusted companies.
For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com.ESET Analysis affords personal APT intelligence stories and knowledge feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.
IoCs
A complete record of indicators of compromise (IoCs) and samples might be present in our GitHub repository.
Information
| SHA-1 | Filename | Detection | Description |
| 03FE2FCF66F86A75242F |
e18683bc061e888f15 |
Android/Spy.ToSpy.A | Android ToSpy spyware and adware impersonating ToTok app. |
| B22D58561BB64748F0D2 |
totok_v1.8.8. |
Android/Spy.ToSpy.A | Android ToSpy spyware and adware impersonating ToTok app. |
| BDC16A05BF6B771E6EDB |
totok_V2.8.3 |
Android/Spy.ToSpy.A | Android ToSpy spyware and adware impersonating ToTok app. |
| DB9FE6CC777C68215BB0 |
totok_Version_1_9_ |
Android/Spy.ToSpy.A | Android ToSpy spyware and adware impersonating ToTok app. |
| DE148DDFBF879AB2C125 |
v1_8_6_405_totok |
Android/Spy.ToSpy.A | Android ToSpy spyware and adware impersonating ToTok app. |
| CE378AE427E4BD70EAAE |
v1_8_7_408_totok |
Android/Spy.ToSpy.A | Android ToSpy spyware and adware impersonating ToTok app. |
| 7EFEFF53AAEBF4B31BFC |
ae.totok.chat |
Android/Spy.ProSpy.A | Android ProSpy spyware and adware impersonating ToTok Professional. |
| 154D67F871FFA19DCE1A |
signal-encrypti |
Android/Spy.ProSpy.A | Android ProSpy spyware and adware impersonating Sign Encryption Plugin. |
| 154D67F871FFA19DCE1A |
signal_encyption_ |
Android/Spy.ProSpy.A | Android ProSpy spyware and adware impersonating Sign Encryption Plugin. |
| 43F4DC193503947CB944 |
toktok.apk | Android/Spy.ProSpy.A | Android ProSpy spyware and adware impersonating ToTok Professional. |
| 579F9E5DB2BEFCCB61C8 |
totok.apk | Android/Spy.ProSpy.A | Android ProSpy spyware and adware impersonating ToTok Professional. |
| 80CA4C48FA831CD52041 |
totok_encrypted |
Android/Spy.ProSpy.A | Android ProSpy spyware and adware impersonating ToTok Professional. |
| FFAAC2FDD9B6F5340D42 |
signal-encrypti |
Android/Spy.ProSpy.A | Android ProSpy spyware and adware impersonating ToTok Professional. |
Community
| IP | Area | Internet hosting supplier | First seen | Particulars |
| 86.105.18[.]13 | noblico[.]internet | WorldStream | 2023‑08‑19 | Android ToSpy C&C server. |
| 185.7.219[.]77 | ai-messenger[.]co | RIPE-NCC-HM-MNT, ORG-NCC1-RIPE | 2023‑01‑18 | Android ToSpy distribution area. |
| 152.89.29[.]73 | spiralkey[.]co | Belcloud LTD | 2022‑11‑28 | Android ToSpy C&C server. |
| 5.42.221[.]106 | retailer.latestver |
BlueVPS OU | 2025‑06‑27 | Android ToSpy distribution area. |
| 152.89.29[.]78 | retailer.appupdate |
Belcloud LTD | 2025‑03‑11 | Android ToSpy distribution area. |
| 185.140.210[.]66 | totokupdate[.]ai | Melbikomas UAB | 2022‑08‑02 | Android ToSpy distribution area and C&C server. |
| 176.123.7[.]83 | app-totok[.]io | ALEXHOST SRL | 2024‑03‑07 | Android ProSpy C&C server. |
| 185.27.134[.]222 | sign.ct[.]ws | RIPE-NCC-HM-MNT, ORG-NCC1-RIPE | 2025‑04‑21 | Android ProSpy distribution area. |
| 185.225.114[.]70 | sgnlapp[.]information | IPFIB-RIPE | 2025‑04‑24 | Android ProSpy C&C server. |
| 94.156.128[.]159 | encryption-plug |
Belcloud Administration | 2025‑05‑06 | Android ProSpy distribution area. |
| 94.156.175[.]105 | totokapp[.]information | Valkyrie Internet hosting LLC | 2024‑10‑22 | Android ProSpy C&C server. |
| 103.214.4[.]135 | totok-pro[.]io | HostSlim B.V. | 2024‑12‑29 | Android ProSpy distribution web site and C&C server. |
MITRE ATT&CK strategies
These tables had been constructed utilizing model 17 of the MITRE ATT&CK framework.
| Tactic | ID | Title | Description |
| Preliminary Entry | T1660 | Phishing | Android ToSpy and ProSpy have been distributed utilizing devoted web sites impersonating professional companies. |
| Execution | T1603 | Scheduled Process/Job | Android ToSpy and ProSpy use AlarmManager to restart the foreground service. |
| Persistence | T1398 | Boot or Logon Initialization Scripts | Android ToSpy and ProSpy obtain the BOOT_COMPLETED broadcast intent to activate at gadget startup. |
| T1541 | Foreground Persistence | Android ToSpy and ProSpy use foreground persistence to maintain a service working. | |
| Discovery | T1420 | File and Listing Discovery | Android ToSpy and ProSpy can record information and directories on exterior storage. |
| T1418 | Software program Discovery | Android ProSpy obtains a listing of put in apps. | |
| T1426 | System Info Discovery | Android ProSpy can extract details about the gadget, together with gadget mannequin, gadget ID, and customary system data. | |
| Assortment | T1533 | Information from Native System | Android ToSpy and ProSpy can exfiltrate information from a tool. |
| T1636.003 | Protected Consumer Information: Contact Listing | Android ToSpy and ProSpy can extract the gadget’s contact record. | |
| T1636.004 | Protected Consumer Information: SMS Messages | Android ProSpy can extract SMS messages. | |
| Command and Management | T1521.001 | Normal Cryptographic Protocol: Symmetric Cryptography | Android ToSpy encrypts exfiltrated knowledge utilizing AES encryption. |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | Android ToSpy and ProSpy exfiltrate knowledge utilizing HTTPS. |
