Overview

• Two previously undocumented spyware families were distributed via deceptive websites and sideloaded APKs, including pages spoofing Signal and the Samsung Galaxy Store.
• ProSpy, first detected in June 2025 with signs of activity since 2024, poses as a fake Signal Encryption Plugin and a bogus ToTok Pro to lure victims.
• ToSpy exclusively impersonates ToTok, with indicators pointing to operations beginning in mid-2022 and command-and-control infrastructure still online.
• ESET reported confirmed detections in the UAE, where the ToTok lure remains effective after the app’s removal from major app stores in 2019.
• Once installed, the malware exfiltrates contacts, SMS, device data, media, documents, chat backups and app lists, persisting via AlarmManager, a foreground service and BOOT_COMPLETED; attribution is unknown, and ESET published IoCs and urges use of official app sources and Play Protect.