Researchers have discovered two active Android spyware campaigns, ProSpy and ToSpy, that pose as encrypted messaging apps such as Signal and ToTok in order to target users in the United Arab Emirates. These programs, which are distributed through fraudulent websites that imitate legitimate app stores, must be installed manually and rely on social engineering to win users over. After installation, they use covert methods to persist and evade detection while quietly stealing private information, including contacts, messages, media, and app backups. These campaigns draw attention to the growing danger of regionally targeted malware that abuses well-known app brands to compromise user privacy.
The APK-based spyware families ProSpy (Android/Spy.ProSpy) and ToSpy (Android/Spy.ToSpy) are spread through phishing websites and fraudulent app-store pages that deceive users into sideloading malicious APKs, bypassing the Play Store entirely. They request broad runtime permissions (contacts, SMS, storage) and then harvest a variety of files (most notably .ttkmbackup chat backups) and device metadata. They store the harvested JSON blobs locally before exfiltrating them to active C2 servers over HTTPS. Both implants employ persistence strategies to keep running: a BOOT_COMPLETED BroadcastReceiver, AlarmManager to restart services, and a foreground service with a persistent notification. ProSpy also abuses activity-alias to alter its launcher icon or label (for example, to “Play Services”) to conceal itself on the home screen, while ToSpy checks for and attempts staged updates from hardcoded URLs. The collected data is encrypted client-side using AES-CBC with a hardcoded key before being sent to the attacker C2. The samples share a codebase, a single developer certificate (for ToSpy), and timeline indicators showing activity dating back to 2022, suggesting a long-running, regionally focused campaign. The details and technicalities of the attack campaign are discussed below.
Delivery and Infection Chain:
Malicious APKs are distributed through phishing websites and fraudulent app-store pages that pose as the Samsung Galaxy Store, Signal, or ToTok, or that offer “pro” or “plugin” upgrades. The distribution requires sideloading (manual installation from unknown sources); the following URLs were found: store.appupdate[.]ai (Galaxy Store mimic), encryption-plug-in-signal.com-ae[.]net, totok-pro[.]io, and signal.ct[.]ws. Fake onboarding flows and redirecting users to authentic app pages are examples of the social engineering techniques used to conceal the implant and build trust. The infection chain was identified as follows:
Technical Capabilities:
ProSpy and ToSpy are full-featured Android espionage implants built for robust persistence and extensive data collection. At runtime they request permissions for contacts, SMS, and storage, enumerate installed apps, and harvest files across a variety of MIME types and extensions (images, audio, video, office documents, archives, and most notably .ttkmbackup ToTok backups). Collected artifacts are first staged locally in internal files (such as contacts_list.json, sms_list.json, and device_info.json), then encrypted client-side using AES-CBC with a hardcoded key (p2j8w9savbny75xg), and finally exfiltrated to attacker C2 servers via HTTPS POST. To persist and survive termination, the malware registers a BOOT_COMPLETED BroadcastReceiver to relaunch after reboots, runs a foreground service with a persistent notification, and uses AlarmManager to restart its services if they are killed.
Evasion and deception tactics include ProSpy's abuse of the Android activity-alias mechanism to change its launcher icon or label (for example, to “Play Services”), and both families' practice of launching genuine apps or redirecting victims to official pages to disguise their presence. To support payload upgrades or modular capability additions, ToSpy also incorporates an update-check and staged-update mechanism (requests to hardcoded spiralkey[.]co endpoints) that can download additional APKs and prompt the user for manual installation. Additionally, multiple samples share identical code and hardcoded configuration artifacts, indicating reuse and ease of replication.
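The persistence and deception indicators described in the two paragraphs above are mostly visible in an APK's manifest once it has been decoded to text (for example with apktool). The following triage script is an added example for this write-up, not code from the researchers or from the malware; it flags the permission set, the BOOT_COMPLETED receiver, the foreground service and a launcher activity-alias whose label differs from the application's own (the “Play Services” label is from the write-up; the other alias labels, the package name and the whole sample manifest are constructed for this example). AlarmManager use lives in code rather than the manifest, so it is out of scope here.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the write-up ties to the implants' collection and persistence behaviour.
PERMISSIONS_OF_INTEREST = {
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.READ_SMS": "SMS harvesting",
    "android.permission.READ_EXTERNAL_STORAGE": "file harvesting (media, documents, backups)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "relaunch after reboot",
    "android.permission.FOREGROUND_SERVICE": "long-lived service with persistent notification",
    "android.permission.REQUEST_INSTALL_PACKAGES": "staged APK updates via manual install prompt",
}

# Labels a launcher alias might adopt to blend in. "Play Services" is from the write-up;
# the others are constructed additions for this example.
SUSPICIOUS_ALIAS_LABELS = {"play services", "google play services", "settings", "system"}

# Constructed manifest modelled on the behaviours described above, not a real sample.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chatplugin">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Signal Plugin">
    <activity android:name=".MainActivity" android:enabled="false"/>
    <activity-alias android:name=".PlayAlias" android:targetActivity=".MainActivity"
        android:label="Play Services" android:enabled="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".CollectorService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> Dict[str, List[str]]:
    """Return findings grouped by category for a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings: Dict[str, List[str]] = {"permissions": [], "persistence": [], "deception": []}

    # Collection and persistence permissions requested up front.
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSIONS_OF_INTEREST:
            findings["permissions"].append(f"{name}: {PERMISSIONS_OF_INTEREST[name]}")

    # Receivers wired to BOOT_COMPLETED relaunch the implant after a reboot.
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings["persistence"].append(
                f"receiver {receiver.get(ANDROID_NS + 'name')} listens for BOOT_COMPLETED")

    # A declared foreground service type points at a long-lived service with a notification.
    for service in root.iter("service"):
        if service.get(ANDROID_NS + "foregroundServiceType"):
            findings["persistence"].append(
                f"foreground service {service.get(ANDROID_NS + 'name')}")

    # A launcher alias whose label differs from the app label hides the real identity on the home screen.
    application = root.find("application")
    app_label = (application.get(ANDROID_NS + "label") if application is not None else "") or ""
    for alias in root.iter("activity-alias"):
        label = (alias.get(ANDROID_NS + "label") or "").strip()
        is_launcher = any(c.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
                          for c in alias.iter("category"))
        if is_launcher and label and label.lower() != app_label.strip().lower():
            note = (f"launcher alias {alias.get(ANDROID_NS + 'name')} presents label "
                    f"'{label}' (app label '{app_label}')")
            if label.lower() in SUSPICIOUS_ALIAS_LABELS:
                note += " and impersonates a system component"
            findings["deception"].append(note)
    return findings


if __name__ == "__main__":
    for category, items in triage_manifest(SAMPLE_MANIFEST).items():
        print(category)
        for item in items:
            print("  -", item)
```

Run it on the `AndroidManifest.xml` that apktool writes out; a benign messaging client may legitimately hold several of these permissions, so the combination that matters is the launcher alias with a mismatched label together with the boot receiver and foreground service.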
Attribution and Evolution:
Although shared codebases, infrastructure, and reused developer certificates point to a single or closely coordinated operator, attribution remains open. ProSpy first appeared in 2024, while ToSpy samples date back to mid-2022. The campaigns gradually progressed from simple app impersonation to more deceptive strategies such as launcher obfuscation, store mimics, and redirect flows. Both demonstrate sustained intent and operational maturity by keeping their infrastructure online and refining their delivery methods.
Active Campaign and Geographic Spread:
These campaigns are ongoing, with live C2 and distribution domains still operational. The primary targeting is concentrated on the United Arab Emirates, using domains with UAE-related identifiers (e.g., ae.net) and apps widely used there, such as ToTok. Malware samples were also seen from the U.S. and the Netherlands, indicating testing, unintentional installs, or broader probing activity. The campaigns appear deliberately regional, using trusted app impersonation and tailored deception to target UAE users.
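Because the distribution and update domains are still live, the most immediate defensive check is to look for contact with them in proxy and DNS logs. The script below is an added example, not part of the original write-up; it refangs the defanged indicators listed in the Delivery section and the ToSpy update endpoint, matches hosts exactly or as subdomains, and runs over a few constructed log lines (a Squid-style access log and dnsmasq-style query log; the hostnames, IPs and paths in the sample lines are made up for this example, including the `update.` subdomain, which the write-up does not name).

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Defanged indicators as published in the write-up; the [.] form is the page's own.
DEFANGED_IOCS = [
    "store.appupdate[.]ai",
    "encryption-plug-in-signal.com-ae[.]net",
    "totok-pro[.]io",
    "signal.ct[.]ws",
    "spiralkey[.]co",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable lowercase hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}


def host_matches(host: str) -> Optional[str]:
    """Return the matching IoC if host equals it or is a subdomain of it, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed sample lines: Squid-style proxy entries and dnsmasq-style query entries.
SAMPLE_LOG = """\
1727000001.123    245 10.0.0.7 TCP_MISS/200 5123 GET https://store.appupdate.ai/galaxy/store.apk - HIER_DIRECT/203.0.113.10 application/vnd.android.package-archive
1727000002.456     12 10.0.0.7 TCP_MISS/200 812 GET https://www.example.org/ - HIER_DIRECT/203.0.113.20 text/html
Oct  2 10:15:01 dnsmasq[911]: query[A] update.spiralkey.co from 10.0.0.9
Oct  2 10:15:02 dnsmasq[911]: query[A] play.google.com from 10.0.0.9
1727000003.789    310 10.0.0.11 TCP_MISS/200 7777 POST https://signal.ct.ws/api/upload - HIER_DIRECT/203.0.113.30 application/json
"""

HOST_PATTERNS = [
    re.compile(r"\b(?:GET|POST|CONNECT)\s+(https?://\S+)"),  # proxy access log: URL after the method
    re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from"),           # dnsmasq: queried name
]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_host(line: str) -> Optional[str]:
    """Pull the contacted hostname out of a supported log line, or None."""
    for pattern in HOST_PATTERNS:
        m = pattern.search(line)
        if m:
            token = m.group(1)
            return urlsplit(token).hostname if "://" in token else token
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one hit per log line whose host matches a known indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        host = extract_host(line)
        if not host:
            continue
        ioc = host_matches(host)
        if ioc:
            src = IPV4.search(line)  # first dotted quad is the client in both formats
            hits.append({"line": lineno, "host": host, "ioc": ioc,
                         "src": src.group(1) if src else None})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['src']} contacted {hit['host']} (matches {hit['ioc']})")
```

Subdomain matching matters because the write-up names spiralkey[.]co as the update host without listing the specific endpoints; exact-match-only rules would miss an update check on any subdomain of it.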
Conclusion:
These campaigns are examples of tailored, regionally focused Android espionage operations that deceive privacy-conscious users into sideloading fully functional spyware by exploiting their trust in secure messaging brands. By combining simple but effective persistence and deception techniques (alias/icon swapping, launch redirection), encrypted exfiltration to active C2 infrastructure, and extensive data collection (including chat backups), the malware poses a high-impact privacy threat that is difficult to detect without specialized detection controls.
The spyware compromises communications, messaging backups, and personal information, posing a serious privacy risk. Because of the malware's persistence and covert behaviour, victims, who may include activists, officials, or journalists, face ongoing surveillance. Infected BYOD devices can expose an organization's confidential contacts or documents. Recovery requires complete device audits and cleanup, and some data may be exposed irreparably. The campaigns are especially dangerous in both personal and professional settings because of their low detection profile and trust-based social engineering.