
ESET researchers have identified two active Android spyware campaigns, ProSpy and ToSpy, primarily targeting users in the United Arab Emirates by impersonating secure communication applications like Signal and ToTok. These campaigns leverage deceptive websites and social engineering to trick users into manually installing malware, which then exfiltrates sensitive data including contacts, SMS messages, and chat backups. The ongoing nature of these sophisticated attacks underscores persistent cybersecurity risks, particularly for individuals and potentially corporate data within specific geopolitical regions, emphasizing the critical need for vigilance against unofficial software sources.
ESET researchers have identified two distinct Android spyware campaigns, ProSpy and ToSpy, primarily targeting individuals in the United Arab Emirates by impersonating secure communication applications like Signal and ToTok. These campaigns leverage deceptive websites and social engineering to trick users into manually installing malware, bypassing official app store protections. The spyware families are designed for extensive data exfiltration, collecting sensitive information including contacts, SMS messages, device details, and specifically targeting .ttkmbackup files for ToTok chat history. Both ProSpy and ToSpy employ robust persistence mechanisms, such as foreground services and boot persistence, to ensure continuous operation and data collection on compromised devices. The ongoing nature of the ToSpy campaign, evidenced by active C&C servers, underscores persistent cybersecurity risks, particularly for users within specific geopolitical regions. While Google (GOOGL/GOOG) provides automatic protection against *known* versions via Google Play Protect, the campaigns' reliance on manual installation highlights vulnerabilities outside standard distribution channels. This incident emphasizes the broader challenge of securing mobile ecosystems against sophisticated phishing and social engineering tactics, especially given ToTok's prior removal from app stores due to surveillance concerns. It necessitates heightened vigilance regarding unofficial software sources and robust user education on mobile security best practices.