New Android Spyware Targeting Users by Imitating Signal and ToTok Apps

ESET researchers have uncovered two sophisticated Android spyware campaigns that target users seeking secure communication platforms by impersonating popular messaging apps Signal and ToTok.

These malicious operations appear to focus primarily on residents of the United Arab Emirates (UAE), utilizing deceptive websites and social engineering tactics to distribute previously undocumented malware families.

The investigation revealed two distinct Android spyware families operating through carefully orchestrated deception campaigns. Android/Spy.ProSpy masquerades as upgrades or plugins for both Signal and ToTok messaging applications, while Android/Spy.ToSpy exclusively targets ToTok users by impersonating the app itself.

Neither malicious application was available through official app stores, requiring victims to manually install the software from third-party websites designed to appear legitimate.

The plugin was distributed via phishing using two dedicated websites (https://signal.ct[.]ws and https://encryption-plug-in-signal.com-ae[.]net/), and it was available only in the form of an Android ...