Android spyware disguised as legitimate messaging apps targets UAE victims, researchers reveal | CyberScoop<\/title> <meta name=\"description\" content=\"Researchers have found two Android spyware families masquerading as messaging apps Signal and ToTok, apparently targeting residents of the United Arab Emirates.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Android spyware disguised as legitimate messaging apps targets UAE victims, researchers reveal\"> <meta property=\"og:description\" content=\"Researchers have found two Android spyware families masquerading as messaging apps Signal and ToTok, apparently targeting residents of the United Arab Emirates.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-10-02T15:36:25+00:00\"> <meta property=\"article:modified_time\" content=\"2025-10-02T15:36:28+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Tim Starks\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@timstarks\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1759256725g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1758741382g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86214\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86214\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fandroid-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fandroid-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86214 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.673394495413\">\n<div class=\"single-article__header-content\" readability=\"34.354838709677\">\n<p> The campaign involves apps posing as Signal and the defunct ToTok, according to ESET. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86214\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> The Signal encrypted messaging application is seen on a mobile device in this illustration photo taken in Warsaw, Poland on March 25, 2025. (Photo by Jaap Arriens\/NurPhoto) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"29.73608710681\"><body readability=\"61.353919239905\"><\/p>\n<p>Researchers have found two Android spyware families masquerading as messaging apps Signal and ToTok, apparently targeting residents of the United Arab Emirates.<\/p>\n<p>ESET revealed the spyware campaigns Thursday in <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/new-spyware-campaigns-target-privacy-conscious-android-users-uae\/\">a blog post<\/a>, saying that researchers discovered it in June but believe it dates back to last year. They dubbed the campaigns ProSpy and ToSpy, with the first impersonating both Signal and ToTok, and the second just ToTok.<\/p>\n<p>ToTok has been effectively discontinued since 2020, after The New York Times reported that the app itself was <a href=\"https:\/\/www.nytimes.com\/2019\/12\/22\/us\/politics\/totok-app-uae.html\">a spying tool<\/a> for the government of the UAE. The spyware was posing as an enhanced version of the app, ToTok Pro, ESET said.<\/p>\n<p>Upon download, the spyware requests permission to access contacts, text messages and stored files, and once granted, it can start exfiltrating data, according to the researchers. That includes the data for which it sought permission, but also device information, audio, video, images and chat backups.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cNeither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services,\u201d said ESET researcher Luk\u00e1\u0161 \u0160tefanko, who made the discovery. \u201cNotably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app.<\/p>\n<p>\u201cConfirmed detections in the UAE and the use of phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms,\u201d he said.<\/p>\n<p>It\u2019s not the first time hackers have disguised malware in phony messaging apps. ESET <a href=\"https:\/\/www.welivesecurity.com\/en\/mobile-security\/attack-copycats-fake-messaging-apps-app-mods\/\">shined a spotlight<\/a> on the phenomenon last year, pointing to fake WhatsApp updates with mysterious intentions, copycat Telegram and WhatsApp websites for stealing cryptocurrency and a Chinese government-linked group seeking to distribute Android <a href=\"https:\/\/cyberscoop.com\/badbazzar-and-moonshine-malware-targets-taiwanese-tibetan-and-uyghur-groups-u-k-warns\/\">BadBazaar espionage code<\/a> through authentic-looking Signal and Telegram apps.<\/p>\n<p>ESET concluded that the latest spyware campaigns are likely targeting privacy-conscious UAE residents partly because the ToTok app was primarily used there and also because of a domain name ending in the substring \u201cae.net,\u201d with \u201cAE\u201d being the two-letter country code for UAE.<\/p>\n<p>\u201cGiven the app\u2019s regional popularity and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spyware campaign are users in the UAE or surrounding regions,\u201d ESET wrote in its blog post.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"author-card\" readability=\"7.7216117216117\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal-1.jpg?w=640&ssl=1\" alt=\"Tim Starks\"> <\/figure>\n<\/p><\/div>\n<div class=\"author-card__details\" readability=\"10.901098901099\">\n<h4 class=\"author-card__name\">Written by Tim Starks<\/h4>\n<p> Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: <a href=\"mailto:tim.starks@cyberscoop.com\">tim.starks@cyberscoop.com<\/a>. <\/div>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Android spyware disguised as legitimate messaging apps targets UAE victims,<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2491,5143,271,1009,268,3365,482,288,2293],"tags":[2493,5144,277,1012,274,3369,484,294,2302],"class_list":["post-8046","post","type-post","status-publish","format-standard","hentry","category-android","category-badbazaar","category-china","category-eset","category-privacy","category-signal","category-spyware","category-threats","category-united-arab-emirates-uae","tag-android","tag-badbazaar","tag-china","tag-eset","tag-privacy","tag-signal","tag-spyware","tag-threats","tag-united-arab-emirates-uae"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/android\/\" rel=\"category tag\">Android<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/badbazaar\/\" rel=\"category tag\">BadBazaar<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/eset\/\" rel=\"category tag\">ESET<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/privacy\/\" rel=\"category tag\">Privacy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/signal\/\" rel=\"category tag\">signal<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/spyware\/\" rel=\"category tag\">spyware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/united-arab-emirates-uae\/\" rel=\"category tag\">United Arab Emirates (UAE)<\/a>","tag_info":"United Arab Emirates (UAE)","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8046"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8046\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8046,"date":"2025-10-02T10:36:25","date_gmt":"2025-10-02T15:36:25","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86214"},"modified":"2025-10-02T10:36:25","modified_gmt":"2025-10-02T15:36:25","slug":"android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/10\/02\/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal\/","title":{"rendered":"Android spyware disguised as legitimate messaging apps targets UAE victims, researchers reveal"},"content":{"rendered":"