Android Spyware targets UAE messaging users


Endpoint Security

Fake messaging apps deliver previously undocumented malware

Prajeet Nair (@prajeetspeaks) •
October 3, 2025

The Remah desert in the United Arab Emirates (Image: Robert Harding Video / Shutterstock)

Two Android spyware campaigns using previously undocumented spyware masquerade as upgrades or plugins for the secure messaging apps Signal and ToTok, researchers warn. Both campaigns appear to target residents of the United Arab Emirates.


ESET researchers identified the two spyware families, which they nicknamed "ProSpy" and "ToSpy". Once installed, they continuously exfiltrate sensitive data. ESET said it discovered the ProSpy campaign in June, but the data showed it has been underway since 2024.

Both campaigns lure users into sideloading the malware by posing as a Signal or ToTok upgrade, or by impersonating the ToTok app itself. One way they maintain the appearance of legitimacy is by having users download or interact with the genuine secure messaging apps. The fake ToTok app instructs users to install the real app and then persists on the phone as an app called "ToTok Pro". The fake Signal upgrade instructs users to "activate" it, launching the real app in the process.

Once a user grants the malicious apps their requested permissions, both spyware strains demand access to contacts, SMS messages and files stored on the device. ToSpy specifically searches for .ttkmbackup files, the extension used to store ToTok backups, suggesting a targeted interest in extracting chat histories.

Lukáš Štefanko, senior malware researcher at ESET, who analyzed the campaigns, said there was no evidence that either campaign was linked to previously reported surveillance activity. "We have not found any link with previously known UAE surveillance or other state-backed activity," he told Information Security Media Group.

While spyware is often used against political or journalistic communities, Štefanko said telemetry does not suggest targeted exploitation in this case. "We have not seen any specific signs of targeting," he said.

The actual scale of infections remains unclear. The attackers' decision to impersonate Signal alongside ToTok may reflect strategic targeting of different audiences. Štefanko said the two campaigns share the same objectives but probably have different intended victims.

ToSpy has not undergone major technical updates despite operating for several years. The spyware campaigns appear to serve surveillance objectives rather than financial ones. "This is a threat more linked to surveillance – we cannot say whether it is of state interest – than to profit-driven cybercrime," he said.

Distribution methods include phishing domains designed to imitate legitimate app markets, including a fake Samsung Galaxy Store. Victims are prompted to download and manually install APK files, often bypassing Google Play safeguards. After installation, ProSpy and ToSpy use Android persistence mechanisms, such as AlarmManager and a boot receiver, to keep running even after the device restarts.
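The article's description of the spyware gives a defender three manifest-level signals to look for in a sideloaded APK: the contacts/SMS/storage permission cluster, a BOOT_COMPLETED receiver used for persistence, and an app label that borrows the name of a genuine messaging app while using a different package name. The following Python triage helper, an added example that is not ESET's tooling or code from the article, checks a decoded AndroidManifest.xml for those signals. The sample manifest is constructed for illustration; the Signal package name is the public one, while the ToTok package name used here is an assumption to be verified before use.

```python
"""Manifest triage for sideloaded Android packages: flag the combination of
data-theft permissions, boot persistence and messaging-app impersonation
described in the article. Example code, not the researchers' tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_LABEL = f"{{{ANDROID_NS}}}label"

# Permission cluster the article attributes to both spyware families.
DATA_THEFT_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Brand names a lookalike app may show the user, mapped to the genuine
# package name. Signal's is public; the ToTok entry is an assumption.
GENUINE_PACKAGES = {
    "signal": "org.thoughtcrime.securesms",
    "totok": "ai.totok.chat",  # assumption, verify before relying on it
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, label, human-readable findings and a
    'suspicious' verdict (two or more findings) for one manifest."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    label = (app.get(A_LABEL, "") if app is not None else "").lower()
    perms = {p.get(A_NAME) for p in root.findall("uses-permission")}
    findings = []

    # 1. Contacts + SMS + storage requested together.
    if DATA_THEFT_PERMS <= perms:
        findings.append("requests contacts, SMS and storage access together")

    # 2. A receiver registered for BOOT_COMPLETED, plus the matching permission.
    boot_receiver = app is not None and any(
        action.get(A_NAME) == BOOT_ACTION
        for recv in app.findall("receiver")
        for action in recv.iter("action")
    )
    if boot_receiver and BOOT_PERM in perms:
        findings.append("restarts itself at boot via a BOOT_COMPLETED receiver")

    # 3. Label borrows a messaging-app brand but the package is not the genuine one.
    for brand, genuine in GENUINE_PACKAGES.items():
        if brand in label and pkg != genuine:
            findings.append(f"label mimics {brand} but package is {pkg}")

    return {"package": pkg, "label": label, "findings": findings,
            "suspicious": len(findings) >= 2}


# Constructed sample resembling the "ToTok Pro" lookalike described above.
SAMPLE_LOOKALIKE = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.totok">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="ToTok Pro">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign sample: one storage permission, no boot receiver.
SAMPLE_BENIGN = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_BENIGN):
        print(triage_manifest(sample))
```

In practice the manifest is obtained by decoding the APK first (for example with apktool or aapt2), and the verdict is a triage hint for an analyst, not a conviction: a legitimate backup or messaging app can request the same permission set, which is why the helper only raises "suspicious" when two or more signals coincide.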

The research team has informed Google of its findings, but takedowns of the domains or servers have not yet been initiated. For now, ProSpy and ToSpy remain active, posing a persistent surveillance risk to privacy-conscious users who rely on Signal and ToTok in the UAE and potentially beyond.


