Newly Discovered Android Spyware Campaigns Impersonate Popular Messaging Apps: Eset

The spyware campaigns spread malware through malicious websites and social engineering.



Cybersecurity company Eset Thursday said that its researchers have discovered two previously undocumented Android spyware campaigns.

The spyware, Android/Spy.ProSpy and Android/Spy.ToSpy, mimics the popular messaging apps Signal and ToTok, the latter of which is widely used in the United Arab Emirates.

The spyware campaigns spread malware through malicious websites and social engineering, Eset said in a news release.

ProSpy, which has likely been in circulation since 2024, according to Eset, lures victims to malicious websites that impersonate the Signal and ToTok apps. The sites contain infected APKs.

ToSpy targets users in the UAE and can collect and exfiltrate user contacts, device files (including video and images) and more. Eset estimates that ProSpy has been in the wild since 2022.

Eset researchers found that neither the malware-infected Signal nor the malware-infected ToTok was available in official app stores. Instead, both apps require “manual installation from third-party websites posing as legitimate services,” said Lukáš Štefanko, senior malware researcher, Eset, in a statement.

“Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app. Once installed, both spyware families maintain persistence and continually exfiltrate sensitive data and files from compromised Android devices. Confirmed detections in the UAE and the use of phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms,” Štefanko added.

“Users should remain vigilant when downloading apps from unofficial sources and avoid enabling installation from unknown origins, as well as when installing apps or add-ons outside of official app stores, especially those claiming to enhance trusted services,” advised Štefanko.

Eset provides a detailed analysis of the spyware on its blog.