Skip to content

ESET Research discovers new spyware posing as messaging apps targeting users in the UAE

  • ESET Research has uncovered two previously undocumented Android spyware families, which ESET has named Android/Spy.ProSpy and Android/Spy.ToSpy.
  • ProSpy impersonates both Signal and ToTok, while ToSpy targets ToTok users exclusively.
  • Both malware families aim to exfiltrate user data, including documents, media, files, contacts, and chat backups.
  • Confirmed detections in the UAE and the use of both phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms.

MONTREAL, BRATISLAVAOctober 2, 2025 — ESET researchers have uncovered two Android spyware campaigns targeting individuals interested in secure communication apps, namely Signal and ToTok. These campaigns distribute malware through deceptive websites and social engineering and appear to target residents of the United Arab Emirates (UAE). ESET’s investigation led to the discovery of two previously undocumented spyware families: Android/Spy.ProSpy impersonates upgrades or plugins for the Signal app and the controversial and discontinued ToTok app, and Android/Spy.ToSpy impersonates the ToTok app. The ToSpy campaigns are ongoing, as suggested by C&C servers that remain active.

“Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services,” explains ESET researcher Lukáš Štefanko, who made the discovery. “Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app. Once installed, both spyware families maintain persistence and continually exfiltrate sensitive data and files from compromised Android devices. Confirmed detections in the UAE and the use of phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms.”

ESET Research discovered the ProSpy campaign in June 2025, and it has likely been ongoing since 2024. ProSpy is being distributed through three deceptive websites designed to impersonate communication platforms Signal and ToTok. These sites offer malicious APKs posing as improvements, disguised as a Signal Encryption Plugin and ToTok Pro. The use of a domain name ending in the substring ae.net may suggest that the campaign targets individuals residing in the United Arab Emirates, as AE is the two-letter country code for the UAE.

During the investigation, ESET discovered five more malicious APKs using the same spyware codebase, posing as an enhanced version of the ToTok messaging app under the name ToTok Pro. ToTok, a controversial free messaging and calling app developed in the United Arab Emirates, was removed from Google Play and Apple’s App Store in December 2019 due to surveillance concerns. Given that its user base is primarily located in the UAE, it is likely that ToTok Pro may be targeting users in this region, who may be more liable to download the app from unofficial sources in their own region.

Upon execution, both malicious apps request permissions to access contacts, SMS messages, and files stored on the device. If these permissions are granted, ProSpy starts exfiltrating data in the background. The Signal Encryption Plugin extracts device information, stored SMS messages, and the contact list, and it exfiltrates other files – such as chat backups, audio, video, and images.

In June 2025, ESET telemetry systems flagged another previously undocumented Android spyware family actively distributed in the wild, originating from a device located in the UAE. ESET labeled the malware Android/Spy.ToSpy. Later investigation revealed four deceptive distribution websites impersonating the ToTok app. Given the app’s regional popularity and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spyware campaign are users in the UAE or surrounding regions. In the background, the spyware can collect and exfiltrate the following data: user contacts, device information files such as chat backups, images, documents, audio, and video, among others. ESET findings suggest that the ToSpy campaign likely began in mid-2022.

“Users should remain vigilant when downloading apps from unofficial sources and avoid enabling installation from unknown origins, as well as when installing apps or add-ons outside of official app stores, especially those claiming to enhance trusted services,” advises Štefanko.

For a more detailed analysis and technical breakdown of Android/Spy.ProSpy and Android/Spy.ToSpy,
check out the latest ESET Research blog post, “New spyware campaigns target privacy-conscious Android users in the UAE” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

ProSpy execution flow

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Offline Mode, policy to block jailbroken and rooted devices, and other improvements: catch up with NordPass in Q3 of 2025

Media and awards

We’re super happy to share three acknowledgments we’ve received this quarter for our work creating advanced yet intuitive password management solutions. 

Listed as #1 by Password Manager

We are honored to be named the Best Password Manager of 2025 by Gunnar Kallstrom, a Cyber Team Lead at a DOD contracting company. Kallstrom highlighted NordPass as a well-balanced solution with strong security and a smooth user experience for both personal and business use. As this is ingrained in our brand’s DNA, it’s great to be recognized for it. 

Geekflare picks us as #2 best enterprise password manager 

Geekflare recognized us for our ability to combine simplicity with robust security, adding to our growing list of accolades. Their team helps businesses find the best software for their needs, so it was a great pleasure to be named by them as the second-best enterprise password manager for 2025. According to Geekflare, NordPass makes a standout choice for those who seek straightforward password management with strong encryption.

PCMag’s pick for the best password manager

We’re thrilled to share that PCMag has honored us with its Editor’s Choice award for the second year in a row, naming NordPass the Best Premium Password Manager for 2025. We’re especially proud of their praise, calling NordPass “just about everything you’d want from a password manager.” Rest assured, we’re committed to keeping it that way!

What’s new with NordPass

We stay true to that promise by improving our password manager every quarter—whether it’s refining existing features or introducing new ones. Let’s take a look at what we’ve been working on over the past few months.

Offline Mode 

First up, we’re excited to introduce Offline Mode for our Business users. It’s a new feature that ensures you can access your vault even without an internet connection. Whether you’re traveling, dealing with an internet outage, or working in a network-restricted area, you’ll still have secure, read-only access to all your credentials when you need them most. This feature is currently available only on mobile devices, but we’re excited to roll it out to the desktop app and browser extensions soon.

This eliminates the need for risky workarounds like exporting your vault to an unsecure file, keeping your sensitive data protected within the encrypted NordPass environment at all times.

1-inner-asset-Offline Mode

Block jailbroken and rooted devices

NordPass now has a new default policy option that blocks access to the NordPass app on rooted Android and jailbroken iOS devices. Such devices pose a higher risk of data leakage, app tampering, and other security breaches. So, with this feature, you’ll enforce security and maintain the integrity of the application. However, if there’s a need, your organization’s Owners and Admins can allow usage on those devices.

2-inner-asset-Block jailbroken

Business Account session management

With the next phase of Business Account session management, we’re giving you even more control over your organization’s security. This feature provides Admins with a complete overview of all active user sessions across the organization, including details about those sessions, like device, platform, IP address, and the last login. This enhanced visibility empowers you to take immediate action—if you spot any suspicious activity, you can instantly revoke members’ sessions, either all at once or in separate sessions, to protect your company’s data.

3-inner-asset-session management

Enhancing the autofill experience for Android users 

We upgraded the URL linking to the items on the Android NordPass app. Now, if the website is not linked to the item on the app, NordPass autofill will suggest that the user add the URL to the NordPass item.

Similarly, you can now use autofill to copy NordPass’ built-in TOTP code to the clipboard once it is generated to streamline the logging process without interruption.

Making the B2B onboarding process more intuitive 

We continuously strive to improve and make our product more intuitive. Onboarding is a crucial part of this equation—if you can’t get through the onboarding without hiccups, will the product actually be intuitive? With that in mind, we revised our B2B onboarding process, tweaking the necessary parts to make the flow as seamless as possible.

Other minor improvements

But that’s not all! We also did some other minor product touch-ups to make your experience better:

  • We’ve rolled out performance improvements to the Sharing Hub, ensuring a faster and more reliable experience.

  • Finding what you need is now easier with our smarter search. It now understands non-exact titles, so you can find an item like “Bayern München” even if you just type “Munchen.”

  • Lastly, we’ve introduced new in-app privacy settings, giving you clear and direct control over your data tracking preferences.

Bottom line

Well, that’s a wrap! This quarter was busy mainly with feature updates and experience enhancements—we hope you have already made the best use of them!

Just before you go, a quick note. Recently, our team has noticed an increased number of scams offering help through fake NordPass phone numbers. We want to remind you that we only provide customer support through chats and emails. That’s all—see you next quarter!

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Detecting Ransomware Across the Entire Attack Lifecycle

The threat of ransomware is constantly evolving, and traditional security tools are struggling to keep up. This is largely because ransomware has become a sophisticated business model, fueled by the availability of “Ransomware-as-a-Service.” This model allows individuals with very little technical skill to launch professional-grade attacks. Traditional defenses like firewalls and endpoint protection platforms (EPPs) are no longer sufficient because they leave significant blind spots, especially with unmanaged devices such as printers, scanners, and IoT devices that cannot run an endpoint agent.

The Importance of Network Visibility

The core principle for effective ransomware detection is comprehensive network visibility. Every stage of a ransomware attack, from the initial compromise to data exfiltration, leaves a detectable trace in network traffic. By mapping the stages of an attack to the MITRE ATT&CK framework, we can see how network monitoring can reveal malicious activity:

  • Initial Access: Unauthorized user logins or connections to external systems.
  • Execution: The start of a new process or suspicious PowerShell command.
  • Persistence: The creation of new user accounts or scheduled tasks.
  • Privilege Escalation: Network access to administrator accounts or servers.
  • Lateral Movement: Communication between endpoints that normally don’t interact.
  • Command and Control: Connections to suspicious IP addresses or domains.
  • Exfiltration: Large data transfers to external, unknown servers.

How Network-Based Detection Works

A solution like GREYCORTEX Mendel is designed to provide this essential network visibility. Mendel monitors the behavior of the entire network infrastructure, using machine learning and behavioral analysis to detect malicious activity. This is effective even on devices where endpoint protection cannot be deployed.

Beyond active detection, a network-based approach also aids in post-attack compromise assessment. By continuously monitoring for hidden backdoors and “keep alive” connections, it helps ensure the network is truly clean after remediation, preventing attackers from returning later.

Strengthening Your Cybersecurity Ecosystem

A solution like Mendel is a crucial component of a modern cybersecurity ecosystem. By providing deep network visibility, it not only helps stop active attacks but also strengthens long-term network resilience. This holistic approach ensures that your defenses are prepared for a ransomware attack at every stage of its lifecycle.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

×