
ProSpy & ToSpy Targeting Android Users via App Masquerading
According to The Hacker News, cybersecurity researchers at ESET uncovered two new Android spyware campaigns—ProSpy and ToSpy—that impersonate secure messaging apps such as Signal and ToTok to infect users’ phones. These malicious apps were not distributed through Google Play but through fake websites that mimic official download pages or app stores, luring victims—mostly in the United Arab Emirates—into manually installing infected APKs.
Once granted permissions, the malware silently exfiltrates sensitive data including contacts, SMS messages, photos, and lists of installed apps. ProSpy disguises itself as “Play Services” after installation to blend into the system, while ToSpy specifically targets ToTok chat backups and transmits them to command-and-control servers.
Researchers observed that the apps even redirect users to legitimate versions of Signal or ToTok after installation to conceal malicious activity. The campaigns demonstrate how attackers exploit the trust users place in encrypted messaging apps, as well as the persistent dangers of sideloading APKs from unverified sources.
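A defensive triage of a device's app inventory for the traits described above (a sideloaded install, a borrowed "Play Services" or Signal label, and access to contacts, SMS, photos and the app list) can look like the following. This is an added example, not code from ESET or The Hacker News; the record layout, the `com.example.*` package names and the threshold of two reasons are assumptions, and the inventory is constructed sample data.

```python
# Added example; every inventory record below is constructed sample data.
PLAY_STORE = "com.android.vending"  # installer package name of Google Play

# Labels an impostor may display, mapped to the genuine package that owns them.
GENUINE = {
    "play services": "com.google.android.gms",
    "google play services": "com.google.android.gms",
    "signal": "org.thoughtcrime.securesms",
}

# Permissions covering the data the article lists: contacts, SMS, photos, app list.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.QUERY_ALL_PACKAGES",
}

def triage(app):
    """Return the reasons (possibly none) why one app record looks suspicious."""
    reasons = []
    expected = GENUINE.get(app["label"].strip().lower())
    if expected and app["package"] != expected:
        reasons.append(f"label '{app['label']}' does not belong to {app['package']}")
    # Preinstalled system apps have no installer, so they are not treated as sideloaded.
    if not app.get("system") and app.get("installer") != PLAY_STORE:
        reasons.append("sideloaded (installer is not Google Play)")
    held = SENSITIVE & set(app.get("permissions", []))
    if len(held) >= 3:
        names = sorted(p.rsplit(".", 1)[1] for p in held)
        reasons.append("broad data access: " + ", ".join(names))
    return reasons

def flag(inventory, min_reasons=2):
    """Map package name -> reasons for apps that hit at least min_reasons checks."""
    results = {app["package"]: triage(app) for app in inventory}
    return {pkg: why for pkg, why in results.items() if len(why) >= min_reasons}

P = "android.permission."
SAMPLE = [  # constructed records: package, label, installer, system flag, permissions
    {"package": "com.google.android.gms", "label": "Google Play Services", "installer": None,
     "system": True, "permissions": [P + "READ_CONTACTS", P + "READ_SMS", P + "READ_EXTERNAL_STORAGE"]},
    {"package": "com.example.updater", "label": "Play Services", "installer": None,
     "system": False, "permissions": [P + "READ_CONTACTS", P + "READ_SMS", P + "READ_EXTERNAL_STORAGE"]},
    {"package": "org.thoughtcrime.securesms", "label": "Signal", "installer": PLAY_STORE,
     "system": False, "permissions": [P + "READ_CONTACTS", P + "READ_MEDIA_IMAGES"]},
    {"package": "com.example.notes", "label": "Notes", "installer": None,
     "system": False, "permissions": [P + "READ_EXTERNAL_STORAGE"]},
]
```

Requiring two independent reasons keeps the genuine, preinstalled Play Services and a harmless sideloaded app out of the results while still surfacing the impostor record.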