Fake Signal and ToTok Apps Used to Distribute Android Spyware

Two distinct spyware campaigns, dubbed ProSpy and ToSpy, are deceiving Android users by posing as legitimate messaging applications. The malicious actors distribute fake "Signal Encryption Plugins" and a "Pro" version of ToTok through fraudulent websites designed to look like official sources. Once installed, these applications request extensive permissions to access contacts, messages, and files on the device.

The ProSpy malware steals a wide range of sensitive data, including SMS texts, contact lists, and various file types, while disguising itself with the "Play Services" icon to avoid detection. The ToSpy variant specifically targets ToTok chat backup files and other media, encrypting the stolen information before exfiltration. Both families employ sophisticated persistence methods, such as using alarm managers and foreground services to automatically restart if stopped.

Researchers from ESET believe the ProSpy campaign began in 2024, while ToSpy may have originated as early as 2022. These operations primarily target users in the United Arab Emirates. To protect themselves, Android users are strongly advised to download applications only from official app stores and to keep the Play Protect security feature enabled on their devices.
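The traits described above (installation from outside the official store, a "Play Services" disguise, broad data permissions, and foreground-service or alarm-based persistence) can be combined into a triage heuristic for a device's app inventory. The following is an added example, not code from ESET or from the original article; the inventory field names, the use of the app label as a stand-in for the launcher icon, and the sample package names are assumptions constructed for illustration.

```python
# Triage heuristic over an app inventory. The inventory format is hypothetical
# (e.g. exported from an MDM); the sample entries are constructed.
PLAY_STORE = "com.android.vending"             # installer package of Google Play
REAL_PLAY_SERVICES = "com.google.android.gms"  # genuine Google Play Services
DATA_PERMS = {"READ_SMS", "READ_CONTACTS", "READ_EXTERNAL_STORAGE"}
PERSIST_PERMS = {"FOREGROUND_SERVICE", "SCHEDULE_EXACT_ALARM"}

def triage(app):
    """Return the reasons an app deserves manual review (empty list = no flag)."""
    reasons = []
    # Strip the "android.permission." prefix so only the short name is compared.
    perms = {p.rsplit(".", 1)[-1] for p in app.get("permissions", [])}
    label = app.get("label", "").lower()
    if "play services" in label and app["package"] != REAL_PLAY_SERVICES:
        reasons.append("label imitates Play Services")
    sideloaded = app.get("installer") != PLAY_STORE
    data = sorted(perms & DATA_PERMS)
    persist = sorted(perms & PERSIST_PERMS)
    # Require several signals together; any one alone is common in benign apps.
    if sideloaded and len(data) >= 2 and persist:
        reasons.append("sideloaded, data access: %s, persistence: %s"
                       % (", ".join(data), ", ".join(persist)))
    return reasons

def review_queue(inventory):
    """Map package name -> reasons, for flagged apps only."""
    queue = {}
    for app in inventory:
        reasons = triage(app)
        if reasons:
            queue[app["package"]] = reasons
    return queue

P = "android.permission."
SAMPLE_INVENTORY = [  # constructed sample data
    {"package": "com.google.android.gms", "label": "Google Play Services",
     "installer": PLAY_STORE,
     "permissions": [P + "READ_SMS", P + "READ_CONTACTS", P + "FOREGROUND_SERVICE"]},
    {"package": "org.example.messenger", "label": "Messenger",
     "installer": PLAY_STORE,
     "permissions": [P + "READ_CONTACTS", P + "FOREGROUND_SERVICE"]},
    {"package": "com.example.plugin", "label": "Play Services", "installer": None,
     "permissions": [P + "READ_SMS", P + "READ_CONTACTS",
                     P + "READ_EXTERNAL_STORAGE", P + "FOREGROUND_SERVICE"]},
    {"package": "com.example.files", "label": "Files", "installer": None,
     "permissions": [P + "READ_EXTERNAL_STORAGE"]},
]

if __name__ == "__main__":
    for pkg, why in review_queue(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```

Preinstalled system apps often have no installer recorded, so filter them out before treating a missing installer as sideloading; a flag here is a prompt for manual review, not a verdict.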
