Particle.news

ESET Uncovers ProSpy and ToSpy Android Spyware Masquerading as Signal and ToTok

Researchers say active ToSpy servers signal an ongoing campaign focused on UAE users.

Overview

  • Two previously undocumented spyware families were distributed via deceptive websites and sideloaded APKs, including pages spoofing Signal and the Samsung Galaxy Store.
  • ProSpy, first detected in June 2025 with signs of activity since 2024, poses as a fake Signal Encryption Plugin and a bogus ToTok Pro to lure victims.
  • ToSpy exclusively impersonates ToTok, with indicators pointing to operations beginning in mid-2022 and command-and-control infrastructure still online.
  • ESET reported confirmed detections in the UAE, where the ToTok lure remains effective after the app’s removal from major app stores in 2019.
  • Once installed, the malware exfiltrates contacts, SMS, device data, media, documents, chat backups and app lists, and persists via AlarmManager, a foreground service and BOOT_COMPLETED.
  • Attribution is unknown. ESET published IoCs and urges use of official app sources and Play Protect.
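
For defenders triaging a sideloaded APK, the persistence and data-access pattern described in the Overview can be checked in a decoded AndroidManifest.xml. The following is an added example, not code from ESET or from the article; the function name, the review threshold and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
# Permissions matching data categories the article lists (contacts, SMS, media/documents).
DATA_PERMS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_EXTERNAL_STORAGE": "media/documents",
}

def triage_manifest(manifest_xml):
    """Flag boot persistence + foreground service + broad data access in one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    # Receivers whose intent filter subscribes to the BOOT_COMPLETED broadcast.
    boot_receivers = [
        r.get(NAME) for r in root.iter("receiver")
        if any(a.get(NAME) == "android.intent.action.BOOT_COMPLETED" for a in r.iter("action"))
    ]
    result = {
        "boot_receivers": boot_receivers,
        "boot_persistence": bool(boot_receivers)
            and "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
        "foreground_service": "android.permission.FOREGROUND_SERVICE" in perms
            and root.find(".//service") is not None,
        "data_access": sorted(DATA_PERMS[p] for p in perms if p in DATA_PERMS),
    }
    # AlarmManager rescheduling is set up in code, not declared in the manifest,
    # so it is out of scope here and needs code or behavioural analysis.
    result["needs_review"] = (result["boot_persistence"] and result["foreground_service"]
                              and len(result["data_access"]) >= 2)  # assumed threshold
    return result

# Constructed sample manifests (not taken from ProSpy or ToSpy samples).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed.plugin">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application><service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver></application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed.chat">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application><service android:name=".PushService"/></application></manifest>"""
print(triage_manifest(SUSPECT)["needs_review"], triage_manifest(BENIGN)["needs_review"])
```

A hit is a prompt for manual review rather than a verdict, since legitimate apps can declare the same combination.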