Analysis

Cybersecurity firm ESET has uncovered two sophisticated mobile spyware campaigns, ProSpy and ToSpy, actively targeting users in the United Arab Emirates (UAE) by impersonating Signal and ToTok messaging applications. Operational since at least mid-2022 with command-and-control servers detected as recently as 2025, these campaigns exfiltrate sensitive personal data including contacts, messages, and chat backups. The malware leverages social engineering, requiring users to manually install malicious APK files from unofficial sources, mimicking legitimate app interfaces. ProSpy masquerades as a Signal "encryption plugin" or ToTok Pro add-on, while ToSpy directly impersonates ToTok, an app with a controversial history regarding user surveillance. Upon installation, the spyware requests common app permissions to collect device details, SMS, contact lists, and files, specifically targeting ToTok backup files for chat history. The fake Signal app even employs evasion tactics by changing its icon and name to "Google Play Services" post-setup, complicating detection. ESET's findings were shared with Google, leading to an update in Google Play Protect that now blocks known variants of these spyware families on Android devices, indicating a proactive industry response. While Google's action is a positive step (GOOGL/GOOG sentiment +0.2), the overall situation carries a strongly negative sentiment (-0.7) due to the persistent and evolving nature of mobile cyber threats. This incident underscores the critical need for robust digital security measures, particularly for companies handling sensitive user data.