Full Report
The campaign involves apps posing as Signal and the defunct ToTok, according to ESET. Source: "Android spyware disguised as legitimate messaging apps targets UAE victims, researchers reveal" (CyberScoop).
Analysis Summary
# Tool/Technique: ProSpy & ToSpy Spyware
## Overview
ProSpy and ToSpy are two distinct families of Android spyware discovered by ESET in campaigns targeting residents of the United Arab Emirates (UAE). These malware variants masquerade as legitimate or enhanced messaging applications, specifically impersonating Signal and the defunct ToTok messaging app, to trick users into installing them manually. Their primary objective is data exfiltration from infected devices.
## Technical Details
- Type: Malware family (Spyware)
- Platform: Android
- Capabilities: Data exfiltration (contacts, SMS, files, device info, audio, video, images, chat backups); installation via manual sideloading.
- First Seen: ESET reports discovering the samples in June (of the reporting year) but believes the campaigns date back to the previous year.
## MITRE ATT&CK Mapping
Since the primary mechanism described is social engineering combined with mobile application deployment for data theft, the following tactics and techniques apply:
- **TA0001 - Initial Access**
  - T1401 - **Mobile: Compromise Software Supply Chain** (via fake apps distributed outside official stores)
- **TA0010 - Exfiltration**
  - T1041 - **Data Staged** (collecting various data types before sending)
- **TA0009 - Collection**
  - T1428 - **Data from Local System** (accessing contacts, SMS, stored files, audio, video, images)
## Functionality
### Core Capabilities
- **Impersonation:** Posing as Signal or ToTok (specifically "ToTok Pro").
- **Sideloading Requirement:** Malware is not available in official app stores; requires manual installation from third-party websites.
- **Permission Acquisition:** Requests broad permissions upon installation, including access to contacts, text messages, and stored files.
- **Data Exfiltration:** Steals collected data plus device information, audio recordings, video recordings, images, and chat backups.
### Advanced Features
- **Targeted Delivery:** Evidence suggests a regional focus on the UAE, utilizing phishing and fake app stores (one site mimicked the Samsung Galaxy Store).
- **Evasion:** Utilizes social engineering centered around widely used or regionally popular communication tools.
## Indicators of Compromise
- File Hashes: [Not specified in the article]
- File Names: [The article mentions the malicious apps posed as Signal and ToTok Pro]
- Registry Keys: [Not applicable to Android; not mentioned in the article]
- Network Indicators: [Distribution sites used domains ending in "ae.net" to match the UAE targeting; specific C2 IPs or domains are not provided]
- Behavioral Indicators: Requesting excessive permissions related to SMS, contacts, and media access upon installation of a messaging app; installation occurring via sideloading from non-official sources.
## Associated Threat Actors
- [Not explicitly named; the focus on UAE residents and ToTok's history as a reported UAE state surveillance tool suggest state-sponsored or state-affiliated actors.]
## Detection Methods
- Signature-based detection: [Requires signatures based on known hashes or package names of the malware variants, which are not provided.]
- Behavioral detection: Monitoring for applications installed outside of official sources that immediately request high-privilege access to communications and media; unusual data transfers from the device.
- YARA rules: [Not specified in the article]
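As an added example (not from the article or from ESET's tooling), the Python heuristic below applies the behavioural indicators above to an installed-package inventory: a Signal or ToTok lookalike that is not the genuine package, was sideloaded, and requests SMS, contact and media permissions. The inventory rows, the `example.*` package names and the set of official installer packages are constructed assumptions; Signal's genuine package name is the public one.

```python
"""Triage an Android package inventory for the ProSpy/ToSpy behavioural indicators.
Rows are constructed sample data shaped like a parsed `pm list packages -i` listing
plus each package's requested permissions (the adb parsing itself is not shown)."""

# Requested permissions matching the data the spyware is reported to collect.
SENSITIVE = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
             "android.permission.READ_EXTERNAL_STORAGE", "android.permission.RECORD_AUDIO",
             "android.permission.READ_MEDIA_IMAGES", "android.permission.READ_MEDIA_VIDEO"}
# Installer package names treated as official stores (assumption: Play and Galaxy Store).
OFFICIAL_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}
# Genuine package per impersonated brand; ToTok's is not given on this page, so a
# ToTok lookalike is judged on the sideloading and permission flags only.
GENUINE = {"signal": "org.thoughtcrime.securesms"}
BRANDS = ("signal", "totok")

def risk_flags(app):
    """Return the indicator names that fire for one inventory row."""
    label = app["label"].lower()
    brand = next((b for b in BRANDS if b in label), None)
    if brand is None:
        return []  # not a messaging-app lookalike; out of scope for this heuristic
    flags = []
    if brand in GENUINE and app["package"] != GENUINE[brand]:
        flags.append("brand-impersonation")
    if app.get("installer") not in OFFICIAL_INSTALLERS:
        flags.append("sideloaded")  # installer None means no store recorded the install
    if len(SENSITIVE & set(app["permissions"])) >= 3:
        flags.append("broad-permissions")
    return flags

def triage(inventory):
    """Map package -> flags for rows that pair broad permissions with impersonation or sideloading."""
    hits = {}
    for app in inventory:
        flags = risk_flags(app)
        if "broad-permissions" in flags and len(flags) > 1:
            hits[app["package"]] = flags
    return hits

SAMPLE_INVENTORY = [  # constructed rows; example.* package names are placeholders
    {"label": "Signal", "package": "org.thoughtcrime.securesms", "installer": "com.android.vending",
     "permissions": ["android.permission.READ_CONTACTS", "android.permission.READ_SMS",
                     "android.permission.RECORD_AUDIO"]},
    {"label": "Signal", "package": "example.fake.signal", "installer": None,
     "permissions": ["android.permission.READ_SMS", "android.permission.READ_CONTACTS",
                     "android.permission.READ_EXTERNAL_STORAGE", "android.permission.RECORD_AUDIO"]},
    {"label": "ToTok Pro", "package": "example.fake.totokpro", "installer": None,
     "permissions": ["android.permission.READ_CONTACTS", "android.permission.READ_MEDIA_IMAGES",
                     "android.permission.READ_MEDIA_VIDEO"]},
]
```

The genuine Play Store Signal install trips only the permission flag and is not reported, while the two sideloaded lookalikes are.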
## Mitigation Strategies
- Prevention: Only install applications from official, verified sources (Google Play Store).
- Hardening recommendations: Scrutinize app permissions requested upon installation, especially for simple communication utilities; educate users about the dangers of sideloading apps from third-party websites or phishing links.
## Related Tools/Techniques
- ToTok (The legitimate app itself has a history of being reported as a spying tool for the UAE government).
- Previous ESET findings on fake messaging apps (WhatsApp/Telegram copycats distributing malware).
- BadBazaar espionage code (mentioned in context of other fake Signal/Telegram malware).