Full Report
Two new spyware campaigns that researchers call ProSpy and ToSpy lured Android users with fake upgrades or plugins for the Signal and ToTok messaging apps to steal sensitive data. [...]
Analysis Summary
# Tool/Technique: ProSpy and ToSpy Spyware Campaigns
## Overview
Two distinct, previously undocumented Android spyware campaigns, dubbed **ProSpy** and **ToSpy**, were discovered targeting users, primarily believed to be in the United Arab Emirates. These campaigns utilize social engineering, impersonating popular messaging applications (Signal and ToTok) via fake updates or plugins, to lure victims into installing malicious APK files and stealing sensitive data from their devices.
## Technical Details
- Type: Malware family (Two distinct families: ProSpy and ToSpy)
- Platform: Android
- Capabilities: Data exfiltration (contacts, SMS, files, application lists), persistence mechanisms, impersonation.
- First Seen: ProSpy activity may date back to at least 2024. ToSpy activity may date back as far as 2022 (developer certificate created May 2022).
## MITRE ATT&CK Mapping
The identified functionalities align primarily with the **Collection** and **Persistence** tactics.
- **TA0009 - Collection**
  - T1005 - Data from Local System
    - T1005.001 - Data from User Folders (Contacts, SMS, Documents/Media)
- **TA0003 - Persistence**
  - T1644 - Data from Local System
    - T1644.003 - Persistent through System Boot (use of `BOOT_COMPLETED` and AlarmManager)
## Functionality
### Core Capabilities
**ProSpy (Impersonating Signal):**
* Requests contacts, SMS, and file access permissions.
* Exfiltrates: Device information (hardware, OS, IP address), stored SMS texts, contact lists, files (audio, documents, images, videos), ToTok backup files, and installed application lists.
* **Stealth:** Uses the 'Play Services' icon and label on the home screen. Tapping the icon opens the info screen of a legitimate Google Play Service app.
* **Deceptive Execution:** Redirects users to the official download site if the legitimate application is missing.
**ToSpy (Impersonating ToTok):**
* Requests contact and storage access permissions.
* Exfiltrates: Documents, images, video, and ToTok chat backups (.ttkmbackup files).
* **Encryption:** Encrypts all collected data with AES in CBC mode before exfiltration.
* **Deceptive Execution:** Launches the *real* ToTok app if installed, or attempts to open the Huawei AppGallery/default browser to guide the user toward installing the legitimate ToTok app, maintaining an illusion of legitimacy.
### Advanced Features
**Shared Persistence Mechanisms (Both Families):**
1. **AlarmManager Abuse:** Uses the Android AlarmManager API to schedule its own restart if the process is killed by the system or the user.
2. **Foreground Service:** Runs as a foreground service backed by a persistent notification, so the system treats it as a high-priority process and is reluctant to kill it.
3. **`BOOT_COMPLETED` Broadcast:** Registers a receiver for this broadcast, allowing the spyware to restart automatically after a device reboot without any user interaction.
## Indicators of Compromise
*Note: Specific IoCs were not extracted individually but ESET provided a comprehensive list shared on GitHub.*
- File Hashes: [Not detailed in article]
- File Names: Malicious APKs disguised as "Signal Encryption Plugin" or a "Pro variant of the ToTok app."
- Registry Keys: [Not applicable to standard Android analysis]
- Network Indicators: C2 domains for the ToSpy campaign were registered in May 2022. The specific domains and servers were not extracted here; the article refers to ESET's GitHub IoC list. *Defanged examples:* `signal[.]ct[.]ws`, `encryption-plug-in-signal[.]com-ae[.]net`, `store[.]latestversion[.]ai`, `store[.]appupdate[.]ai`.
- Behavioral Indicators: Requesting SMS/Contact/Storage permissions under the guise of a messenger update; persistent restarts via AlarmManager; execution of foreground services with constant notifications.
## Associated Threat Actors
Attribution remains inconclusive, but the campaigns show significant operational longevity (dating back to 2022 for ToSpy). The targeting focus suggests potential interest in users within the United Arab Emirates (UAE), as ToTok is associated with the UAE government.
## Detection Methods
- Signature-based detection: Matching known signatures and file hashes for the ProSpy/ToSpy families, once they are published.
- Behavioral detection: Monitoring for unauthorized requests for SMS/Contact/File permissions, unusual use of AlarmManager for process restarts, or the execution of foreground services without standard application behavior.
- YARA rules: [Not detailed in article, but implied possible via file analysis]
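To make the behavioral traits above (sensitive-data permissions, a `BOOT_COMPLETED` receiver, a foreground service, an exact-alarm permission, and a "Play Services" label on a non-Google package) concrete for triage, here is an added Python example, not code from the ESET research or the article, that scores a decoded `AndroidManifest.xml` such as apktool produces. The sample manifest and the package name `com.example.signalplugin` are constructed for the demonstration, and the heuristic is illustrative rather than a detection rule with known accuracy.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes
# Permissions and intent action tied to the behaviours described above.
SENSITIVE_PERMS = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
                   "android.permission.READ_EXTERNAL_STORAGE"}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
FG_PERM = "android.permission.FOREGROUND_SERVICE"
ALARM_PERM = "android.permission.SCHEDULE_EXACT_ALARM"  # inexact alarms need no permission

def triage_manifest(xml_text: str) -> dict:
    """Score a decoded manifest; returns package name, score and readable findings."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {e.get(A + "name", "") for e in root.iter("uses-permission")}
    boot_receiver = any(a.get(A + "name") == BOOT_ACTION
                        for r in root.iter("receiver") for a in r.iter("action"))
    app = root.find("application")
    label = (app.get(A + "label", "") if app is not None else "").lower()
    findings = []
    if perms & SENSITIVE_PERMS:
        findings.append("sensitive-data permissions: " + ", ".join(sorted(perms & SENSITIVE_PERMS)))
    if boot_receiver or BOOT_PERM in perms:
        findings.append("BOOT_COMPLETED receiver: restarts on reboot with no user interaction")
    if FG_PERM in perms:
        findings.append("foreground service: persistent notification keeps the process alive")
    if ALARM_PERM in perms:
        findings.append("exact-alarm permission: consistent with AlarmManager self-restart")
    if "play services" in label and not pkg.startswith("com.google."):
        findings.append(f"system-app label {label!r} on non-Google package {pkg}")
    return {"package": pkg, "score": len(findings), "findings": findings}

# Constructed sample manifest (not a real ProSpy/ToSpy artifact) combining the traits above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.signalplugin">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Play Services">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A legitimate messenger may also hold some of these traits individually; the combination, together with a mismatch between the label and the package namespace, is what warrants a closer look.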
## Mitigation Strategies
- Download applications only from official repositories (Google Play Store) or directly from the verified publisher's website.
- Keep the Google Play Protect service active on the device to automatically disable known threats.
- Exercise extreme caution when prompted to install plugins or upgrades for existing applications outside of official app stores.
## Related Tools/Techniques
* Impersonation/Masquerading (General technique used to deliver the malware).
* Other Android spyware leveraging AlarmManager or `BOOT_COMPLETED` for persistence.
* Spyware previously linked to ToTok (which was removed from app stores in 2019 due to spying allegations).