
ESET Research discovers new spyware posing as messaging apps targeting users in the UAE

  • ESET Research has uncovered two previously undocumented Android spyware families, which ESET has named Android/Spy.ProSpy and Android/Spy.ToSpy.
  • ProSpy impersonates both Signal and ToTok, while ToSpy targets ToTok users exclusively.
  • Both malware families aim to exfiltrate user data, including documents, media, files, contacts, and chat backups.
  • Confirmed detections in the UAE and the use of both phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms.

MONTREAL, BRATISLAVA, October 2, 2025 — ESET researchers have uncovered two Android spyware campaigns targeting individuals interested in secure communication apps, namely Signal and ToTok. These campaigns distribute malware through deceptive websites and social engineering and appear to target residents of the United Arab Emirates (UAE). ESET's investigation led to the discovery of two previously undocumented spyware families: Android/Spy.ProSpy impersonates upgrades or plugins for the Signal app and for the controversial, discontinued ToTok app, and Android/Spy.ToSpy impersonates the ToTok app itself. The ToSpy campaigns are ongoing, as suggested by C&C servers that remain active.

“Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services,” explains ESET researcher Lukáš Štefanko, who made the discovery. “Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app. Once installed, both spyware families maintain persistence and continually exfiltrate sensitive data and files from compromised Android devices. Confirmed detections in the UAE and the use of phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms.”

ESET Research discovered the ProSpy campaign in June 2025, and it has likely been ongoing since 2024. ProSpy is being distributed through three deceptive websites designed to impersonate communication platforms Signal and ToTok. These sites offer malicious APKs posing as improvements, disguised as a Signal Encryption Plugin and ToTok Pro. The use of a domain name ending in the substring ae.net may suggest that the campaign targets individuals residing in the United Arab Emirates, as AE is the two-letter country code for the UAE.

During the investigation, ESET discovered five more malicious APKs using the same spyware codebase, posing as an enhanced version of the ToTok messaging app under the name ToTok Pro. ToTok, a controversial free messaging and calling app developed in the United Arab Emirates, was removed from Google Play and Apple's App Store in December 2019 due to surveillance concerns. Because its user base is primarily located in the UAE, ToTok Pro is likely aimed at users in that region, who may be more willing to download the app from unofficial sources since it is no longer available in official stores.

Upon execution, both malicious apps request permissions to access contacts, SMS messages, and files stored on the device. If these permissions are granted, ProSpy starts exfiltrating data in the background. The Signal Encryption Plugin extracts device information, stored SMS messages, and the contact list, and it exfiltrates other files – such as chat backups, audio, video, and images.

In June 2025, ESET telemetry systems flagged another previously undocumented Android spyware family actively distributed in the wild, originating from a device located in the UAE. ESET labeled the malware Android/Spy.ToSpy. Later investigation revealed four deceptive distribution websites impersonating the ToTok app. Given the app's regional popularity and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spyware campaign are users in the UAE or surrounding regions. In the background, the spyware can collect and exfiltrate user contacts, device information, and files such as chat backups, images, documents, audio, and video, among others. ESET findings suggest that the ToSpy campaign likely began in mid-2022.
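Both families share the same delivery and permission profile described above: the app is sideloaded from a website rather than a store, then asks for contacts, SMS and file access. That combination is something a fleet administrator or incident responder can check for from a device's own diagnostics. The script below is an added example, not ESET's code and not derived from the malware samples; it parses the text output of two standard Android commands (`adb shell pm list packages -3 -i` for third-party packages and their installer, `adb shell dumpsys package <pkg>` for granted runtime permissions) and flags packages that were not installed by a trusted store and hold at least two of the relevant permissions. The trusted-installer list, the permission set and the sample output at the bottom are constructed for the example; the package names are fictitious.

```python
"""Triage sideloaded Android apps that hold spyware-grade permissions.

Added example (not ESET's code). Parses the output of two stock commands:
    adb shell pm list packages -3 -i      # third-party packages + installer
    adb shell dumpsys package <pkg>       # per-package state, incl. permissions
and flags packages NOT installed by a trusted store that hold the permission
combination the press release describes for ProSpy/ToSpy (contacts, SMS,
files). The sample output at the bottom is constructed; names are fictitious.
"""
import re
from dataclasses import dataclass, field

# Installer package names treated as trusted (assumption; extend for your fleet).
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

# Permissions matching the data the page says both families collect.
SPY_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.READ_MEDIA_AUDIO",
}

_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
_PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


@dataclass
class Finding:
    package: str
    installer: str
    permissions: set = field(default_factory=set)


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer from `pm list packages -3 -i` output."""
    result = {}
    for line in pm_output.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_granted_permissions(dumpsys_output: str) -> set:
    """Collect permissions reported as granted=true in `dumpsys package` output."""
    granted = set()
    for line in dumpsys_output.splitlines():
        m = _PERM_RE.match(line)
        if m and m.group(2) == "true":
            granted.add(m.group(1))
    return granted


def triage(pm_output: str, dumpsys_by_package: dict, min_hits: int = 2) -> list:
    """Sideloaded packages holding at least min_hits of SPY_PERMISSIONS."""
    findings = []
    for pkg, installer in parse_installers(pm_output).items():
        if installer in TRUSTED_INSTALLERS:
            continue  # store-installed: not the delivery path described on the page
        hits = parse_granted_permissions(dumpsys_by_package.get(pkg, "")) & SPY_PERMISSIONS
        if len(hits) >= min_hits:
            findings.append(Finding(pkg, installer, hits))
    return findings


# Constructed sample output (not real telemetry).
SAMPLE_PM = """\
package:com.example.bank  installer=com.android.vending
package:com.example.signalplugin  installer=null
package:com.example.notes  installer=null
"""
SAMPLE_DUMPSYS = {
    "com.example.bank": (
        "      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]\n"
        "      android.permission.READ_SMS: granted=true, flags=[ USER_SET]\n"
    ),
    "com.example.signalplugin": (
        "      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]\n"
        "      android.permission.READ_SMS: granted=true, flags=[ USER_SET]\n"
        "      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]\n"
    ),
    "com.example.notes": (
        "      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]\n"
        "      android.permission.READ_SMS: granted=false, flags=[ USER_SET]\n"
    ),
}

if __name__ == "__main__":
    for f in triage(SAMPLE_PM, SAMPLE_DUMPSYS):
        print(f"{f.package} (installer={f.installer}): {sorted(f.permissions)}")
```

The store-installed banking app is skipped even though it holds contacts and SMS, and the sideloaded notes app is skipped because only one relevant permission is actually granted; only the sideloaded "plugin" holding contacts, SMS and storage together is reported. On a real device, feed the script the output of the two adb commands per package; an `installer=null` result is exactly what a manual APK install from a website looks like.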

“Users should remain vigilant when downloading apps from unofficial sources and avoid enabling installation from unknown origins, as well as when installing apps or add-ons outside of official app stores, especially those claiming to enhance trusted services,” advises Štefanko.

For a more detailed analysis and technical breakdown of Android/Spy.ProSpy and Android/Spy.ToSpy, check out the latest ESET Research blog post, "New spyware campaigns target privacy-conscious Android users in the UAE" on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

ProSpy execution flow

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

ESET Important Update: Password Manager is being discontinued, but stronger protection is on the way

At ESET, our mission is to deliver strong and relevant protection. To keep pace with constantly evolving digital threats, we regularly evaluate and update our features.

We are now formally announcing that Password Manager will be discontinued in October 2025.

Today, secure password management is built into many modern operating systems, browsers and applications, giving users a reliable way to manage their passwords. Retiring this feature lets us focus on developing more effective protection in the areas that matter most. We understand that this change may be inconvenient, so we have prepared a detailed data-export guide to help you back up your important data easily.

How to export your passwords and other data from ESET Password Manager

The following steps apply to exporting data from version 3.x:

1. Open the ESET Password Manager browser extension, click the menu icon, then click Settings.

Figure 1-1

2. Scroll down to the Data section and click Export data.

Figure 1-2

3. Read the notes below and choose an export format. If you choose a password-protected file, you must enter a file-protection password. Enter your master password, then click Export data.

Choose Password-protected file to create an encrypted backup of the password manager database in .json format.
Choose CSV to create an unencrypted .csv file. Because the CSV format is not encrypted, we do not recommend using it to store passwords or personal data. If you use CSV only to migrate to another password manager, import it there and then delete the file, including from any cloud-synced folder and the Recycle Bin.

Figure 1-3

4. The file is downloaded; you can find it in Windows File Explorer.

Figure 1-4

We sincerely thank you for your long-standing support of ESET products. If you encounter any problems during the data export or need further assistance, please contact our technical support team.

Technical support contact:
Hotline: (852) 2893 8186
Email: support@eset.hk

About ESET
Founded in 1992, ESET is a global provider of computer security software for businesses and consumers. Its award-winning product, the NOD32 antivirus system, provides real-time protection for computer systems against known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 has a minimal system footprint and the fastest detection speed, delivers highly effective protection, and has won more Virus Bulletin 100 awards than any other antivirus product. ESET has been named to Deloitte's Technology Fast 500 for five consecutive years and has an extensive partner network including internationally known companies such as Canon, Dell and Microsoft, with offices in Bratislava (Slovakia), Bristol (UK), Buenos Aires (Argentina), Prague (Czech Republic) and San Diego (USA), and distributors covering more than 100 countries worldwide.

About Version 2 Digital
Version 2 Digital is an Asia-based value-added distributor and IT developer. The company distributes and develops IT products across cyber security, cloud, data protection, endpoints, infrastructure, system monitoring, storage, network management, business productivity and communication products. Through its extensive network of channels, points of sale, distributors and partners, Version 2 delivers products and services that are widely acclaimed in the market. Version 2's sales network covers Asia-Pacific regions including Taiwan, Hong Kong, Macau, mainland China, Singapore and Malaysia; its customers come from every sector, including Global 1000 multinationals, listed companies, public utilities, healthcare, finance, education, government departments, countless successful SMEs and consumers in cities across Asia.


SAN DIEGO, Calif., Feb. 19, 2025 — ESET, a global leader in cybersecurity, today announced that CRN®, a brand of The Channel Company, has named Ryan Grant, Senior Vice President of Sales and Marketing, to its 2025 CRN® Channel Chiefs list. This list recognizes the executives who are driving strategy, setting the channel agenda for their companies and working tirelessly to ensure mutual success with their partners and customers. 2025 marks the third year in a row that Grant has been named a Channel Chief.

Since joining ESET North America in 2021, Grant has been instrumental to the transformation and success of the company's channel business. Grant oversees ESET's U.S. & Canada sales and marketing teams, including enterprise, distribution, managed service provider (MSP), national service provider (NSP), value added reseller (VAR), and retailer segments. He is also committed to providing more dynamic opportunities for ESET's channel partners through innovative campaigns and go-to-market programs by working closely with the company's events, marketing and public relations teams.

“I’m honored to be recognized by CRN alongside so many outstanding leaders from the channel community,” said Grant. “At ESET, we remain committed to empowering our partners with cutting-edge cybersecurity solutions, technical expertise, and tailored support to help them navigate an increasingly complex threat and regulatory landscape. As a channel-first company, we view partner success as our success, so it’s critical that we empower partners with threat intelligence, resources and support that ensures they can quickly capitalize on new market opportunities and deliver exceptional protection to customers.”

The 2025 CRN Channel Chiefs were selected by CRN's editorial staff based on their proven record of strategic innovation and dedication to the channel community. Under Grant's direction, ESET has continued to refine its partner program and develop innovative technologies, processes and merchandising strategies. In 2024, the company focused on streamlining order processing, expanding its presence in the cyber risk insurance market and developing a unified API gateway, ESET Connect, to give partners a catalogue of best-in-class integration partners. ESET also launched AI Advisor, which provides businesses with SOC-level advisory and enables enhanced security analyst workflows. Unlike other vendor offerings and typical generative AI assistants that focus on soft features such as administration or device management, ESET AI Advisor integrates into the day-to-day operations of security analysts. This is intended for companies with limited IT resources that want to use advanced XDR solutions and threat intelligence feeds.

Grant added, “As cyber threats grow more advanced and adversaries exploit generative AI, it’s crucial for our channel partners to adopt a robust security portfolio that reduces risk for their business customers. ESET stands out with a prevention-first strategy, leveraging AI and human expertise—backed by a world-class R&D team and industry-renowned researchers.”

“This year’s honorees exemplify dedication, innovation, and leadership that supports solution provider success and fosters growth across the channel,” said Jennifer Follett, VP, U.S. Content, and Executive Editor, CRN, at The Channel Company. “Each of these exceptional leaders has made a lasting channel impact by championing partnerships and designing creative strategies that get results. They’ve set a high bar in the channel, and we’re thrilled to recognize their standout achievements.”

CRN’s 2025 Channel Chiefs list is featured in the February 2025 print issue of CRN® Magazine and online at www.CRN.com/ChannelChiefs.


ESET Research discovers UEFI-compatible HybridPetya ransomware capable of Secure Boot bypass

  • ESET Research has discovered new ransomware samples, which it has named HybridPetya, resembling the infamous Petya/NotPetya malware. They were uploaded to VirusTotal in February 2025.
  • HybridPetya encrypts the Master File Table, which contains important metadata about all the files on NTFS-formatted partitions.
  • Unlike the original Petya/NotPetya, HybridPetya can compromise modern UEFI-based systems by installing a malicious EFI application onto the EFI System Partition.
  • One of the analyzed HybridPetya variants exploits CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems, leveraging a specially crafted cloak.dat file.
  • ESET telemetry shows no signs of HybridPetya being used in the wild yet.

BRATISLAVA, September 12, 2025 — ESET Research has discovered a HybridPetya bootkit and ransomware uploaded from Poland to the malware-scanning platform VirusTotal. The sample is a copycat of the infamous Petya/NotPetya malware; however, it adds the capability of compromising UEFI-based systems and weaponizing CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems.

“Late in July 2025, we encountered suspicious ransomware samples under various filenames, including notpetyanew.exe and other similar ones, suggesting a connection with the infamously destructive malware that struck Ukraine and many other countries back in 2017. The NotPetya attack is believed to be the most destructive cyberattack in history, with more than $10 billion in total damages. Due to the shared characteristics of the newly discovered samples with both Petya and NotPetya, we named this new malware HybridPetya,” says ESET researcher Martin Smolár, who made the discovery.

Unlike in the original NotPetya, the algorithm HybridPetya uses to generate the victim's personal installation key allows the malware operator to reconstruct the decryption key from that installation key. HybridPetya therefore remains viable as regular ransomware, more like Petya than NotPetya. Additionally, HybridPetya is capable of compromising modern UEFI-based systems by installing a malicious EFI application to the EFI System Partition. The deployed UEFI application is then responsible for encrypting the NTFS Master File Table (MFT), an important metadata file containing information about all the files on the NTFS-formatted partition.

“After a bit more digging, we discovered something even more interesting on VirusTotal: an archive containing the whole EFI System Partition contents, including a very similar HybridPetya UEFI application, but this time bundled in a specially formatted cloak.dat file, vulnerable to CVE-2024-7344 – the UEFI Secure Boot bypass vulnerability that our team disclosed in early 2025,” adds Smolár. ESET publications from January 2025 purposely refrained from detailing the exploitation; thus, the malware author probably reconstructed the correct cloak.dat file format based on reverse engineering the vulnerable application on their own.
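The two artifacts the release describes, an unexpected EFI application on the EFI System Partition and a specially formatted cloak.dat next to a vulnerable signed application, are both visible to anyone who can mount the ESP, which makes them a natural hunting target even though no in-the-wild activity has been observed. The script below is an added example and not ESET's code: it walks a mounted ESP, hashes every .efi file, reports any whose SHA-256 is not in an allowlist of known-good bootloaders, and reports any file named cloak.dat. The allowlist and the sample ESP tree it builds in a temporary directory are constructed for the example; the file name cloak.dat is taken from the release, while the assumption that it sits alongside the EFI application is the example's own.

```python
"""Hunt for unexpected EFI applications and cloak.dat on a mounted ESP.

Added example (not ESET's code). HybridPetya is described as dropping a
malicious EFI application onto the EFI System Partition, and one variant
bundles it in a specially formatted cloak.dat that a signed application
vulnerable to CVE-2024-7344 will load. This scan flags .efi files whose
SHA-256 is not in a known-good allowlist and any cloak.dat it finds. The
allowlist and sample ESP tree below are constructed; real allowlists come
from your golden images or vendor-published bootloader hashes.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_esp(root: Path, allowlist: set) -> list:
    """Return (relative_path, reason) tuples for suspicious files under root."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name == "cloak.dat":
            # Payload container reported for the CVE-2024-7344 variant.
            findings.append((rel, "cloak.dat present"))
        elif name.endswith(".efi") and sha256_file(path) not in allowlist:
            # Any EFI application we did not put there deserves a look.
            findings.append((rel, "EFI application not in allowlist"))
    return findings


def build_sample_esp() -> tuple:
    """Create a constructed ESP layout in a temp dir; returns (root, allowlist)."""
    root = Path(tempfile.mkdtemp(prefix="esp-"))
    known = b"constructed known-good bootmgfw"  # stands in for the real binary
    files = {
        "EFI/Microsoft/Boot/bootmgfw.efi": known,
        "EFI/Boot/bootx64.efi": b"constructed unknown EFI application",
        "EFI/Boot/cloak.dat": b"constructed payload container",
        "EFI/Boot/readme.txt": b"harmless",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root, {hashlib.sha256(known).hexdigest()}


if __name__ == "__main__":
    # Live use: on Windows, `mountvol S: /S` then scan_esp(Path("S:/"), allowlist);
    # on Linux the ESP is usually mounted at /boot/efi or /efi.
    root, allowlist = build_sample_esp()
    for rel, reason in scan_esp(root, allowlist):
        print(f"{rel}: {reason}")
```

The known-good bootmgfw.efi and the text file are silent; the unlisted bootx64.efi and the cloak.dat are reported. Pair a hit with a check that the host has received the Secure Boot revocation updates for CVE-2024-7344, since the release notes the bypass only works on outdated systems; a fully patched firmware dbx turns the cloak.dat finding from an active risk into forensic evidence of an attempt.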

ESET telemetry shows no active use of HybridPetya in the wild yet; thus, HybridPetya may just be a proof of concept developed by a security researcher or an unknown threat actor. Furthermore, this malware does not exhibit the aggressive network propagation seen in the original NotPetya.

For a more detailed analysis and technical breakdown of HybridPetya, check out the latest ESET Research blogpost: “Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass,” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

Overview of HybridPetya’s execution logic


ESET named a Strong Performer in independent evaluation of MDR services in Europe

BRATISLAVA, September 4, 2025 — ESET, a global leader in cybersecurity, has been named a Strong Performer in The Forrester Wave™: Managed Detection And Response Services In Europe, Q3 2025. ESET believes this recognition underscores the strength of its ESET PROTECT Platform, which powers its Managed Detection and Response (MDR) services by combining regional threat intelligence with extended detection and response (XDR) capabilities.

According to the report,[1] "ESET leverages its Central and Eastern European presence to source highly localized threat intelligence to deliver MDR services. ESET has maintained trust by focusing on endpoint maturity and regional compliance, including dedicated EU tenancy and sovereign operations. Reference customers highlighted ESET's transparency and hands-on support, noting local language capabilities and threat advisories as positive traits. Organizations with a significant endpoint landscape looking for strong regional threat intelligence should consider ESET."

In line with Forrester’s focus on sovereignty, speed, and response maturity, ESET’s strategy highlights its strength in localized threat intelligence and commitment to EU regulatory compliance. Built on a robust foundation in endpoint security, ESET is further distinguished by its transparency, hands-on support, and deep regional presence.

"We are proud to be recognized as a Strong Performer in Forrester's evaluation of MDR services in Europe," said Michal Jankech, Vice President, Enterprise & SMB/MSP, at ESET. "For us, this acknowledgment reflects our commitment to delivering high-quality, regionally attuned cybersecurity services that meet the evolving needs of European organizations. Our ESET PROTECT Platform continues to evolve, combining deep endpoint expertise with extended detection and response to help customers stay resilient in the face of complex threats. We remain dedicated to continuous innovation and progress, with a clear focus on further enhancing our MDR capabilities to meet future challenges."

European CISOs increasingly rely on MDR providers not only for faster threat detection but also to maintain operational resilience amid regulatory, economic, and cybersecurity challenges. With mandates such as NIS2 and DORA, and a growing shortage of skilled professionals, MDR services must offer localized support, mature response capabilities, and compliance-driven data sovereignty.

ESET believes this recognition validates its strategic focus on regional threat visibility, trusted support, and compliance-first MDR delivery — all essential for organizations navigating today’s regulatory and threat landscape.

[1] The Forrester Wave™: Managed Detection And Response Services In Europe, Q3 2025. Tope Olufon with Jinan Budge, Angela Lozada, Bill Nagel. September 3, 2025.

Discover more about ESET MDR services and our XDR-enabling solution.

Find out how ESET helps businesses comply with cyber insurance and regulations.

Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here.

