The IT Nerd

ESET researchers have uncovered two Android spyware campaigns targeting individuals interested in secure communication apps, namely Signal and ToTok. These campaigns distribute malware through deceptive websites and social engineering and appear to target residents of the United Arab Emirates (UAE). ESET’s investigation led to the discovery of two previously undocumented spyware families: Android/Spy.ProSpy impersonates upgrades or plugins for the Signal app and the controversial and discontinued ToTok app, and Android/Spy.ToSpy impersonates the ToTok app. The ToSpy campaigns are ongoing, as suggested by C&C servers that remain active.

ESET Research discovered the ProSpy campaign in June 2025, and it has likely been ongoing since 2024. ProSpy is being distributed through three deceptive websites designed to impersonate communication platforms Signal and ToTok. These sites offer malicious APKs posing as improvements, disguised as a Signal Encryption Plugin and ToTok Pro. The use of a domain name ending in the substring ae.net may suggest that the campaign targets individuals residing in the United Arab Emirates, as AE is the two-letter country code for the UAE.

During the investigation, ESET discovered five more malicious APKs using the same spyware codebase, posing as an enhanced version of the ToTok messaging app under the name ToTok Pro. ToTok, a controversial free messaging and calling app developed in the United Arab Emirates, was removed from Google Play and Apple’s App Store in December 2019 due to surveillance concerns. Given that its user base is primarily located in the UAE, it is likely that ToTok Pro may be targeting users in this region, who may be more liable to download the app from unofficial sources in their own region.

Upon execution, both malicious apps request permissions to access contacts, SMS messages, and files stored on the device. If these permissions are granted, ProSpy starts exfiltrating data in the background. The Signal Encryption Plugin extracts device information, stored SMS messages, and the contact list, and it exfiltrates other files – such as chat backups, audio, video, and images.

In June 2025, ESET telemetry systems flagged another previously undocumented Android spyware family actively distributed in the wild, originating from a device located in the UAE. ESET labeled the malware Android/Spy.ToSpy. Later investigation revealed four deceptive distribution websites impersonating the ToTok app. Given the app’s regional popularity and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spyware campaign are users in the UAE or surrounding regions. In the background, the spyware can collect and exfiltrate the following data: user contacts, device information files such as chat backups, images, documents, audio, and video, among others. ESET findings suggest that the ToSpy campaign likely began in mid-2022.

For a more detailed analysis and technical breakdown of Android/Spy.ProSpy and Android/Spy.ToSpy, check out the latest ESET Research blog post, “New spyware campaigns target privacy-conscious Android users in the UAE” on WeLiveSecurity.com.

ESET today released a new and improved version of its free ESET Basic Cybersecurity Awareness Training. The revamped Basic course introduces an immersive storyline, interactive modules, and refreshed content designed to empower employees to be the first line of defence and help organizations of all sizes reduce employee-related cyber risks. 

For companies that need to track course completions or require training that meets HIPAA, PCI, SOX, GDPR, CCPA, and cyber insurance compliance requirements, ESET offers a comprehensive 90-minute Premium Cybersecurity Awareness Training. Re-released last fall, the premium course, “Digital Shadows: Cryptic Chronicles,” offers dozens of modules, unlimited phishing simulation tests, dashboards for administrators to track learners’ status, a customizable training portal, reporting and course completion certificates, engaging gamification, and more.

The updated Basic course places employees in the role of a cyber investigator at NetDetect, a fictional cybersecurity team tasked with helping organizations recover from breaches and fortify defenses. Learners are immediately drawn into a mission supporting EVX, an electric vehicle company whose groundbreaking battery technology has made it a target for cybercriminals. Guided by a storyline, employees analyze a breach, uncover risky behaviors, and put protective practices into action. Modules cover key topics, including creating and managing strong passwords, safeguarding email and spotting phishing attempts, protecting against malware, identifying personalized attacks, and staying secure while working online.

This October, the launch coincides with the start of Cybersecurity Awareness Month. Over the last two decades, Cybersecurity Awareness Month has grown into a collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions to reduce online risk, and generate discussion on cyber threats on a national and global scale. 

ESET has also launched a Cybersecurity Awareness Kit today, which includes access to the free ESET Cybersecurity Awareness Training, ESET’s 2025 H1 Threat Report, and a free 30-day business trial of ESET’s full-featured security solution. On Oct. 23, consumers can also learn about the real-world applications and vulnerabilities of facial recognition technology from ESET’s Webinar, The Rise and Risk of Facial Recognition. To explore these resources, visit https://www.eset.com/us/business/cybersecurity-awareness-month-kit/.

To learn more about ESET Cybersecurity Awareness Training – Basic and Premium offerings, visit https://www.eset.com/us/business/cybertraining/.