- ESET Research has discovered two previously undocumented Android spyware families, which ESET has named Android/Spy.ProSpy and Android/Spy.ToSpy.
- ProSpy impersonates both Signal and ToTok, while ToSpy focuses only on ToTok users.
- Both malware families aim to exfiltrate data, including documents, media, files, contacts and chat backups.
- Confirmed detections in the UAE and the use of both phishing and fake app stores suggest regionally targeted operations with strategic delivery mechanisms.
Montreal and Bratislava, Slovakia, October 2, 2025 (Globe Newswire) - ESET researchers have discovered two Android spyware campaigns aimed at people interested in secure communication apps, namely Signal and ToTok. These campaigns spread malware through deceptive websites and social engineering and appear to focus on residents of the United Arab Emirates (UAE). ESET's research led to the discovery of two previously undocumented spyware families: Android/Spy.ProSpy, which impersonates upgrades or plugins for the Signal app and the controversial and discontinued ToTok app, and Android/Spy.ToSpy, which impersonates the ToTok app. The ToSpy campaigns are ongoing, as suggested by C&C servers that remain active.
“Neither of the two apps with the spyware was available in official app stores; both required manual installation from third-party websites that posed as legitimate services,” explains ESET researcher Lukáš Štefanko, who made the discovery. “In particular, one of the websites that distributed the ToSpy malware family simulated the Samsung Galaxy Store, where users can manually download and install a malicious version of the ToTok app. Once installed, both spyware families retain persistence and continuously established operations for strategic episode.”
ESET Research discovered the ProSpy campaign in June 2025, and it has probably been going on since 2024. ProSpy is distributed through three deceptive websites designed to impersonate the communication platforms Signal and ToTok. These sites offer malicious APKs that pose as improvements, disguised as a Signal Encryption Plugin and ToTok Pro. The use of a domain name that ends in the substring ae.net may suggest that the campaign focuses on people who live in the United Arab Emirates, because AE is the two-letter country code for the UAE.
During the research, ESET discovered five malicious APKs with the same spyware codebase, which posed as an improved version of the ToTok messaging app under the name ToTok Pro. ToTok, a controversial free messaging and calling app developed in the United Arab Emirates, was removed from Google Play and Apple's App Store in December 2019 due to surveillance concerns. Since the user base is mainly in the UAE, it is likely that ToTok Pro targets users in this region, who may be more likely to download the app from unofficial sources in their own region.
After execution, both malicious apps ask for permissions to access contacts, SMS messages and files stored on the device. If these permissions are granted, ProSpy starts to exfiltrate data in the background. The Signal Encryption Plugin extracts information, stored SMS messages and the contact list, and it exfiltrates other files, such as chat backups, audio, video and images.
In June 2025, ESET telemetry systems flagged another previously undocumented Android spyware family that was actively distributed in the wild, originating from a device in the UAE. ESET labeled the malware Android/Spy.ToSpy. Later research revealed four deceptive distribution websites that pose as the ToTok app. Given the regional popularity of the app and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spyware campaign are users in the UAE or surrounding regions. In the background, the spyware can collect and exfiltrate the following data: user contacts, device information, and files such as chat backups, images, documents, audio and video, among other things. ESET findings suggest that the ToSpy campaign probably started in mid-2022.
“Users must remain vigilant when downloading apps from unofficial sources and avoid installation from unknown origins, as well as when installing apps or add-ons outside of official app stores, in particular those claiming to improve trusted services,” advises Štefanko.
For a more detailed analysis and technical breakdown of Android/Spy.ProSpy and Android/Spy.ToSpy, see the latest blog post from ESET Research, “New spyware campaigns are aimed at privacy-conscious Android users in the UAE”, on WeLiveSecurity.com. Make sure you follow ESET Research on Twitter (today known as X) and Mastodon for the latest news from ESET Research.
About ESET
ESET® offers advanced cyber security to prevent attacks before they take place. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyber threats, both known and unknown, to secure companies, critical infrastructure and individuals. Whether it is endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain very effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and companies running without interruption. The ever-evolving digital landscape requires a progressive approach to security: ESET is dedicated to world-class research and powerful threat intelligence, supported by R&D centers and a strong worldwide network. For more information, visit http://www.eset.com or follow our social media, podcasts and blogs.