The cybersecurity company ESET recently discovered two new spyware families, dubbed ProSpy and ToSpy, that target Android users. The attackers disguised these malicious programs as fake updates or plugins for the popular messaging apps Signal and ToTok. To make the spyware seem legitimate, the cybercriminals created fraudulent websites that looked like the official pages for both platforms. The malicious files were distributed on these sites, tricking users into downloading what they believed were legitimate apps. Researchers believe these campaigns have been active since at least 2024 and are specifically targeting users in the United Arab Emirates.
The ProSpy and ToSpy campaigns distributed malicious APK files through various fraudulent websites. Some of these sites impersonated the official Signal website and the Samsung Galaxy Store, using deceptive URLs like signal.ct[.]ws and store.latestversion[.]ai. The operators of the spyware created these fake sites to distribute a fake Signal Encryption Plugin and a “Pro” version of the ToTok app. Once downloaded and executed, the ProSpy malware would request access to a user’s contact list, SMS, and files. These requests are typical for messaging apps, which helps the malware avoid raising suspicion.
After gaining access, the ProSpy malware exfiltrates a wide range of sensitive data from the infected device. This includes device information like hardware, operating system, and IP address, as well as all stored SMS texts and the contact list. The spyware also steals files such as audio, documents, images, and videos. To make matters worse, it can even access and steal ToTok backup files and a list of all installed applications. This comprehensive data theft allows the attackers to gain extensive access to a user’s personal information.
The attackers designed the ProSpy malware to be particularly stealthy and persistent. The fake Signal Encryption Plugin, for example, uses the “Play Services” icon and label on the user’s home screen to blend in with legitimate apps. When a user taps this icon, it cleverly opens the information screen of the real Google Play Services app, making it even harder to detect. The malware also avoids suspicion by redirecting users to the legitimate download page for an app if it’s not already on their device. This tactic helps the spyware avoid alerting the user that something is wrong.
Although the ToTok app was previously removed from app stores due to privacy concerns, it is still available for download from its official website and third-party app stores. Signal, on the other hand, is a popular end-to-end encrypted messenger with over 100 million downloads. The malicious campaigns that impersonate these two apps highlight a significant threat to mobile device security, showing how easily cybercriminals can exploit a user’s trust to steal valuable and personal information.
Reference: