Fake Signal and ToTok Apps Used to Spy on Android Users In UAE

ESET researchers have uncovered two spyware campaigns that disguise themselves as secure messaging apps to target Android users in the United Arab Emirates (UAE).

In a rush? Here are the quick facts:

  • Fake Signal and ToTok apps spread spyware on Android devices in the UAE.
  • Malware distributed through phishing sites, not Google Play Store.
  • Stolen data includes SMS, contacts, photos, videos, and app backups.

ESET reports that the malicious apps impersonate Signal and ToTok, two platforms often chosen by people seeking private communications.

The investigation identified two previously unknown spyware families: Android/Spy.ProSpy, which pretends to be upgrades or plugins for Signal and ToTok, and Android/Spy.ToSpy, which exclusively impersonates ToTok.

Neither was available in official app stores. Instead, victims were tricked into downloading them from third-party websites posing as legitimate services.

One of the fake sites even mimicked the Samsung Galaxy Store to spread the ToSpy malware. Once installed, both spyware strains maintain persistence on the device and begin stealing sensitive data in the background. This includes contacts, SMS messages, documents, photos, videos, and even app backups.

ESET noted that ToSpy specifically looks for .ttkmbackup files, which are used to store ToTok chat histories and app data, suggesting a targeted effort to extract conversations.

“Our investigation led to the discovery of two previously undocumented spyware families – Android/Spy.ProSpy, impersonating upgrades or plugins for the Signal and ToTok messaging apps; and Android/Spy.ToSpy, impersonating the ToTok app,” the researchers explained.

ProSpy has been active since at least 2024, spread through phishing websites offering fake apps like “Signal Encryption Plugin” and “ToTok Pro.” When launched, these apps often redirect users to the real Signal or ToTok platforms to appear legitimate, while continuing to steal information in the background.

According to ESET, the ToSpy campaign is still ongoing, with active servers receiving stolen data. As an App Defense Alliance partner, ESET shared its findings with Google. Users are protected against known variants by Google Play Protect, which is enabled by default on Android devices.
