CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

ToSpy and ProSpy spyware targeting UAE users

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

Two spyware families, ToSpy and ProSpy, are targeting Android users in the UAE by masquerading as the ToTok app and Signal encryption plugins. These campaigns have been active since 2022 and 2024, respectively, and exploit the popularity and local trust of ToTok to infiltrate devices and exfiltrate sensitive data. ToTok, a messaging app developed by G42 and supported by the UAE government, was exposed as spyware in 2019 and removed from major app stores. Despite this, it continues to circulate outside official channels, providing cover for malicious actors. The spyware families request invasive permissions to steal device information, contacts, SMS messages, and various file types. Google Play Protect is designed to mitigate these threats, but users are still at risk if they download apps from untrusted sources. The spyware campaigns are distributed via fake websites and social engineering, establishing persistent access to compromised devices. The ProSpy campaign was discovered in June 2025 and has been ongoing since 2024, while the ToSpy campaign began on June 30, 2022, and is currently ongoing. The spyware families use deceptive websites masquerading as legitimate services to distribute malware. The spyware families exfiltrate device information, SMS messages, contact lists, files, and a list of installed applications. The spyware families use Android's AlarmManager to repeatedly restart the foreground service if it gets terminated. The spyware families automatically launch the necessary background services upon a device reboot.

Timeline

  1. 02.10.2025 12:00 3 articles · 6h ago

    ToSpy and ProSpy spyware targeting UAE users since 2022

    The spyware campaigns impersonate Signal and ToTok messaging apps to distribute malware. The spyware families use websites mimicking official Signal and ToTok sites to distribute malicious APKs. The spyware families exfiltrate data using AES encryption in CBC mode. ToSpy launches the real ToTok app if available on the device, otherwise redirects to the Huawei AppGallery. Both spyware families use three persistence mechanisms: AlarmManager, foreground services, and BOOT_COMPLETED broadcasts.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Oyster Malware Distributed via Fake Microsoft Teams Installers

A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida.

Open in new tab

Discovery of MalTerminal Malware Leveraging GPT-4 for Ransomware and Reverse Shell

Researchers have identified MalTerminal, a malware that incorporates GPT-4 for generating ransomware code and reverse shells. This marks the earliest known instance of LLM-embedded malware. The malware was presented at the LABScon 2025 security conference. MalTerminal was likely a proof-of-concept or red team tool, never deployed in the wild. It includes Python scripts and a defensive tool called FalconShield. The use of LLMs in malware represents a new challenge for cybersecurity defenses. Additionally, threat actors are using LLMs to bypass email security layers by embedding hidden prompts in phishing emails. This technique deceives AI-powered security scanners, allowing malicious emails to reach users' inboxes. The emails exploit the Follina vulnerability (CVE-2022-30190) to deliver additional malware and disable Microsoft Defender Antivirus. AI-powered site builders are also being exploited to host fake CAPTCHA pages leading to phishing websites, stealing user credentials and sensitive information.

Open in new tab

GPUGate Malware Campaign Targets IT Firms in Western Europe

A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS). The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake GitHub repositories. These repositories impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.

Open in new tab

Brokewell Android malware campaign targets cryptocurrency users via fake TradingView ads

A malware campaign is using fake TradingView ads on Meta’s advertising platforms to distribute the Brokewell Android malware. The campaign, active since at least July 22, targets cryptocurrency users and seeks to steal sensitive data, gain remote control of devices, and bypass two-factor authentication. The malware is delivered via a malicious APK file hosted on a fake TradingView site. The Brokewell malware features a broad set of capabilities, including data theft, remote monitoring, and control of compromised devices. It can steal cryptocurrency wallets, bank account details, and Google Authenticator codes. The malware also records screens and keystrokes, activates the camera and microphone, and tracks device locations. It can intercept SMS messages, including banking and 2FA codes, and execute remote commands via Tor or Websockets. The campaign is part of a larger operation that previously targeted Windows users with Facebook ads impersonating well-known brands.

Open in new tab

Shamos Infostealer Targeting Mac Devices via ClickFix Attacks

A new infostealer malware named Shamos is targeting Mac devices through ClickFix attacks. The malware, developed by the COOKIE SPIDER group, steals data and credentials from web browsers, Keychain, Apple Notes, and cryptocurrency wallets. The attacks use malvertising and fake GitHub repositories to lure victims into executing shell commands that download and install the malware. Since June 2025, Shamos has attempted infections in over three hundred environments monitored by CrowdStrike. The malware uses anti-VM commands, AppleScript for reconnaissance, and creates persistence through a Plist file. Users are advised to avoid executing unknown commands and to seek help from trusted sources.

Open in new tab