
Silent Intrusion Behind Familiar Apps
ESET cybersecurity researchers have uncovered two highly sophisticated Android spyware campaigns named ProSpy and ToSpy, designed to infiltrate smartphones by disguising themselves as trusted communication apps like Signal and ToTok. These campaigns, operating mainly in the United Arab Emirates (UAE), are built around social engineering deception, tricking users into manually installing malware through fake websites.
Both spyware strains are previously undocumented, which makes their discovery a significant find in modern cyber espionage. While ProSpy masquerades as both Signal and ToTok, ToSpy solely imitates ToTok. Neither malicious app appears in official stores such as Google Play or Apple’s App Store; instead, they circulate through phony websites that mimic legitimate services, including a counterfeit Samsung Galaxy Store. Once installed, these fake apps persistently harvest sensitive data such as messages, contacts, device info, and stored files—all without the victim’s knowledge.
ESET reports that ProSpy, active since 2024, primarily spreads via fake websites posing as “Signal Encryption Plugin” or “ToTok Pro.” Discovered in June 2025, this spyware requests extensive permissions—contacts, SMS, storage access—then silently uploads exfiltrated data to its command-and-control servers. The campaign’s infrastructure, using “.ae.net” domains, further ties it to UAE-based targets.
ToSpy, on the other hand, dates back to mid-2022 but was only detected this year. It features identical code and developer certificates across multiple samples, pointing to a long-term espionage operation. Distribution mainly occurs via phishing domains imitating app stores, some of which remain active even after ESET’s findings were published—indicating the operation continues.
Once deployed, the spyware achieves persistence by launching a foreground service that cannot be easily closed, using Android’s AlarmManager to restart itself and BOOT_COMPLETED receivers to relaunch after reboot. This ensures the spyware constantly runs, quietly siphoning data in real time.
Both campaigns are particularly dangerous because they blend social manipulation with technical persistence. By mimicking security tools like Signal and popular chat platforms like ToTok—already controversial for alleged surveillance links—attackers exploit trust and curiosity. ESET concludes that users must remain cautious, avoid enabling installations from unknown sources, and be wary of any “plugin” or “enhanced” versions of known apps.
What Undercode Says:
The ProSpy and ToSpy revelations paint a stark picture of how cyber operations are evolving in both complexity and subtlety. This isn’t simply another case of random malware circulating online—it’s a calculated surveillance effort, laser-focused on a regional demographic with ties to geopolitical tension.
In cybersecurity, trust is the first vector of attack. These spyware campaigns show how attackers now weaponize legitimacy. The use of Signal, a globally recognized privacy-first messaging app, as camouflage for spyware isn’t random—it’s a psychological strike. Users who choose Signal do so for privacy. When that privacy becomes the very bait for intrusion, the irony is chilling.
The manual installation requirement—once considered a protective barrier—is being systematically undermined. Users are being guided step by step through convincing imitation websites, complete with “ENABLE” buttons and official-looking design elements. This form of socially engineered compliance is more effective than traditional malware downloads because the victim willingly participates in their own compromise.
ProSpy’s impersonation of a “Signal Encryption Plugin” is a particularly clever twist. No such plugin exists, but its name exploits the technical curiosity of advanced users who think they’re enhancing their privacy features. It’s a targeted strike on awareness itself, camouflaging exploitation under the promise of extra security.
Then there’s ToSpy, the evolution of a surveillance theme long associated with ToTok. Since ToTok’s 2019 ban from major app stores over alleged state surveillance, its reputation remains tainted. ToSpy exploits that controversy, resurrecting a familiar brand that some users still trust unofficially. The attackers have capitalized on nostalgia and misplaced confidence—a reminder that digital memory never fades, but user vigilance does.
The infrastructure choices, like using .ae domains, hint at regional targeting rather than global scale attacks. This suggests either state-level interest or a contracted intelligence operation, with data harvesting being a long-term goal, not a short-term profit scheme.
From a technical standpoint, the persistence mechanisms—foreground services, alarm triggers, and boot receivers—are textbook techniques in advanced Android malware. Yet their combination here shows an intention to avoid detection without needing root access, keeping operations stable and subtle. This method avoids triggering alarms in mobile antivirus tools while ensuring continuous control.
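As an added example (not code from the original report, from ESET, or from the spyware), the persistence and harvesting profile described in the two paragraphs above, expressed as a small triage script over a decoded AndroidManifest.xml: it looks for the harvesting permissions (contacts, SMS, storage), the persistence declarations (foreground service, BOOT_COMPLETED receiver), and a package name that borrows the Signal or ToTok brand without being the brand's real package id. Signal's official package id is taken from general knowledge; the ToTok id and the sample manifest are constructed placeholders, not values from the article.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace
# Manifest declarations matching the behaviour described above: harvesting
# (contacts, SMS, storage) and persistence (boot receiver, foreground service).
HARVEST = {"android.permission.READ_CONTACTS": "contacts",
           "android.permission.READ_SMS": "SMS",
           "android.permission.READ_EXTERNAL_STORAGE": "stored files"}
PERSIST = {"android.permission.RECEIVE_BOOT_COMPLETED": "reboot relaunch",
           "android.permission.FOREGROUND_SERVICE": "foreground service"}
# Signal's real package id is org.thoughtcrime.securesms; the ToTok entry is
# an ASSUMED placeholder, not a value taken from the article.
OFFICIAL = {"signal": "org.thoughtcrime.securesms", "totok": "PLACEHOLDER.totok.id"}

def triage_manifest(xml_text):
    """Findings for one decoded AndroidManifest.xml (e.g. from apktool output)."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    boot_receiver = any(
        a.get(A + "name") == "android.intent.action.BOOT_COMPLETED"
        for r in root.iter("receiver") for a in r.iter("action"))
    # Package name borrows a trusted brand but is not that brand's real id.
    brand_mismatch = any(b in pkg.lower() and pkg != official
                         for b, official in OFFICIAL.items())
    f = {"package": pkg,
         "harvest": sorted(v for k, v in HARVEST.items() if k in perms),
         "persist": sorted(v for k, v in PERSIST.items() if k in perms),
         "boot_receiver": boot_receiver,
         "brand_mismatch": brand_mismatch}
    # Only the combination is the profile described above; each signal alone
    # is common in benign apps, so do not flag on a single hit.
    f["matches_profile"] = (bool(f["harvest"]) and bool(f["persist"])
                            and boot_receiver and brand_mismatch)
    return f

# Constructed sample manifest modelled on a fake "Signal" plugin; not a real sample.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.signal.plugin">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE)` on a manifest pulled from a decoded APK; AlarmManager re-arming lives in code rather than the manifest, so it is out of scope for this static check.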
There’s also the psychological manipulation layer: redirecting users to legitimate stores after infection. This tactic helps the spyware maintain credibility, since users may believe they downloaded an official app. It’s an ingenious move, reinforcing the illusion of safety.
Forensics will likely reveal that both ProSpy and ToSpy share common codebases, but the split branding and delivery methods indicate diversified infrastructure—a strategy to mitigate risk and detection. Even if one campaign is discovered, the other continues functioning independently.
In broader context, this case exposes how digital borders are dissolving. UAE-based spyware doesn’t just threaten citizens—it demonstrates the blueprint for nation-state surveillance disguised as user error. Similar campaigns can easily replicate across any region where trust in official communication apps is high.
For individuals, the takeaway is clear: never install “enhanced” or “plugin” versions of mainstream apps unless verified directly through official developers. For cybersecurity researchers, ProSpy and ToSpy reaffirm that malware evolution now mirrors legitimate app development, complete with branding, UX design, and version control.
The implications go beyond privacy; this is about control of communication flow in authoritarian environments. If citizens fear their encrypted chats are compromised, they self-censor. That’s the hidden power of such spyware—not just stealing data, but manipulating behavior through fear of exposure.
In essence, ProSpy and ToSpy reveal that the battle for privacy isn’t just technical—it’s psychological. And right now, it’s the attackers who are mastering the art of digital disguise.
Fact Checker Results
✅ Confirmed: ESET officially identified ProSpy and ToSpy as active Android spyware families.
⚠️ Ongoing Threat: Multiple fake app domains remain online, suggesting campaigns are still active.
❌ Not Found in App Stores: Neither spyware variant ever appeared on Google Play or Apple App Store.
Prediction
Given current activity patterns, ProSpy and ToSpy will likely evolve into stealthier, modular frameworks, expanding beyond UAE to other Middle Eastern regions. Attackers may shift focus toward Telegram or WhatsApp clones next, using the same trust-exploitation techniques. As awareness grows, future variants could integrate AI-driven evasion tactics, making detection nearly impossible for casual users. The war for privacy on Android devices is only beginning—and the next wave will blur the line between legitimate updates and hidden surveillance even further.
References:
Reported By: securityaffairs.com