ProSpy and ToSpy Android spyware activity targeting U.A.E. users
Malware Activity
Summary
ESET identified ProSpy and ToSpy, two Android spyware campaigns that impersonated Signal and ToTok to steal sensitive data from users in the United Arab Emirates. The malicious apps were delivered through fake websites and spoofed store pages, including lures for a Signal Encryption Plugin and a ToTok Pro app, then requested contacts, SMS, files, device information, installed apps, and ToTok backup files. The spyware also used persistence methods such as AlarmManager, a foreground service, and BOOT_COMPLETED to stay on infected devices. ESET said ProSpy may have been active since at least 2024, while ToSpy may date back to 2022 and is still continuing.
Related Happenings
BTMOB Android RAT no-code builder malware activity
Malware Activity
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
The **BTMOB** Android RAT is spreading through **phishing campaigns** across **Brazil and beyond**, raising the risk of **custom payload delivery** and **remote device takeover**....
Trapdoor Android malvertising and ad-fraud campaign
Campaign
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
TrickMo Android banking trojan variant with TON C2 and network pivots
Malware Activity
First: 12.05.2026 15:50
Last: 12.05.2026 15:50
Sources 1
About this happening:
A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...
BirdCall Android spyware variant
Malware Activity
First: 05.05.2026 12:04
Last: 05.05.2026 12:04
Sources 1
About this happening:
The **BirdCall** Android spyware variant expanded a known **Windows** backdoor into a mobile surveillance tool with **file exfiltration** and device reconnaissance capabilities. I...
Mirax Android banking trojan with residential proxy nodes
Malware Activity
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Timeline
-
02.10.2025 12:24 1 articles · 7mo ago
ToSpy campaign likely begins via fake ToTok sites
Campaign Scope Update: A ToTok-impersonating Android spyware campaign likely began on June 30, 2022, using fake websites to distribute malicious APKs that establish persistent access on compromised devices and steal sensitive data from users in the U.A.E.
Sources:
- Warning: Beware of Android Spyware Disguised as Signal Encryption Plugin and ToTok Pro — thehackernews.com — 02.10.2025 12:24
-
02.10.2025 12:24 3 articles · 7mo ago
ProSpy and ToSpy Android spyware campaigns disclosed
Initial Disclosure: Two Android spyware campaigns, ProSpy and ToSpy, target users in the U.A.E. by impersonating Signal and ToTok through fake websites and social engineering. The malicious apps are sideloaded as APKs from third-party sites outside official app stores, request access to contacts, SMS messages, files, and device information, and maintain persistence while exfiltrating data.
Sources:
- Warning: Beware of Android Spyware Disguised as Signal Encryption Plugin and ToTok Pro — thehackernews.com — 02.10.2025 12:24
- Warning: Beware of Android Spyware Disguised as Signal Encryption Plugin and ToTok Pro — thehackernews.com — 02.10.2025 12:24
- Android spyware campaigns impersonate Signal and ToTok messengers — www.bleepingcomputer.com — 02.10.2025 13:53