ProSpy and ToSpy Android spyware activity targeting U.A.E. users
Malware Activity
Summary
ESET identified ProSpy and ToSpy, two Android spyware campaigns that impersonated Signal and ToTok to steal sensitive data from users in the United Arab Emirates. The malicious apps were delivered through fake websites and spoofed store pages, including lures for a Signal Encryption Plugin and a ToTok Pro app, then requested contacts, SMS, files, device information, installed apps, and ToTok backup files. The spyware also used persistence methods such as AlarmManager, a foreground service, and BOOT_COMPLETED to stay on infected devices. ESET said ProSpy may have been active since at least 2024, while ToSpy may date back to 2022 and is still continuing.
Related Happenings
Openew[.]app cloaked malware download portal
Malware Activity
H score: 26
First: 29.05.2026 21:21
Last: 29.05.2026 21:21
Sources: 1
About this happening:
The **openew[.]app** malware-delivery activity now also uses **legitimate ChatGPT shared pages** as the first lure, with **Google ads** and **SEO poisoning** sending victims to a...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score: 41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources: 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
H score: 25
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources: 1
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
BTMOB Android RAT no-code builder malware activity
Malware Activity
H score: 28
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources: 1
About this happening:
**BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
Latest development: 29.05.2026 00:10
BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.
Trapdoor Android malvertising and ad-fraud campaign
Campaign
H score: 39
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources: 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Timeline
- 02.10.2025 12:24 · 1 article · 8mo ago
ToSpy campaign likely begins via fake ToTok sites
Campaign Scope Update: A ToTok-impersonating Android spyware campaign likely began on June 30, 2022, using fake websites to distribute malicious APKs that establish persistent access on compromised devices and steal sensitive data from users in the U.A.E.
Sources:
- Warning: Beware of Android Spyware Disguised as Signal Encryption Plugin and ToTok Pro — thehackernews.com — 02.10.2025 12:24
- 02.10.2025 12:24 · 3 articles · 8mo ago
ProSpy and ToSpy Android spyware campaigns disclosed
Initial Disclosure: Two Android spyware campaigns, ProSpy and ToSpy, target users in the U.A.E. by impersonating Signal and ToTok through fake websites and social engineering. The malicious apps are sideloaded as APKs from third-party sites outside official app stores, request access to contacts, SMS messages, files, and device information, and maintain persistence while exfiltrating data.
Sources:
- Warning: Beware of Android Spyware Disguised as Signal Encryption Plugin and ToTok Pro — thehackernews.com — 02.10.2025 12:24
- Warning: Beware of Android Spyware Disguised as Signal Encryption Plugin and ToTok Pro — thehackernews.com — 02.10.2025 12:24
- Android spyware campaigns impersonate Signal and ToTok messengers — www.bleepingcomputer.com — 02.10.2025 13:53