ToSpy and ProSpy UAE spyware distribution campaign

Campaign
First reported
Last updated
Happening score
H score 40
2 unique sources, 2 articles

Summary

ESET identified two Android spyware campaigns, ProSpy and ToSpy, that impersonated Signal and ToTok with fake upgrades and plugins to steal sensitive data from users in the United Arab Emirates. The malware used spoofed websites and app-download paths, requested messenger-like permissions, exfiltrated contacts, SMS, files, app lists, and ToTok backup files, and used persistence tricks such as AlarmManager, foreground services, and BOOT_COMPLETED. ESET said ProSpy may have been active since at least 2024, while ToSpy may date to 2022.

Related Happenings

TrickMo Android banking trojan variant with TON C2 and network pivots

Malware Activity
First: 12.05.2026 15:50 Last: 12.05.2026 15:50 Sources 1

About this happening: A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...

TrickMo Android banking malware adds TON-based covert command-and-control

Malware Activity
First: 11.05.2026 12:03 Last: 11.05.2026 12:03 Sources 1

About this happening: The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...

BirdCall Android spyware variant

Malware Activity
First: 05.05.2026 12:04 Last: 05.05.2026 12:04 Sources 1

About this happening: The **BirdCall** Android spyware variant expanded a known **Windows** backdoor into a mobile surveillance tool with **file exfiltration** and device reconnaissance capabilities. I...

MiningDropper (BeatBanker) modular Android payload framework with encrypted staging

Technical Analysis
First: 24.04.2026 14:48 Last: 24.04.2026 14:48 Sources 1

About this happening: **MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...

Nexcorium Mirai botnet activity on TBK DVR devices

Malware Activity
First: 18.04.2026 09:01 Last: 18.04.2026 09:01 Sources 1

About this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...

Timeline

  1. 02.10.2025 12:00 3 articles · 7mo ago

    ToSpy and ProSpy UAE campaign disclosed

    Initial Disclosure

    Android spyware campaigns in the UAE use phishing sites and fake app-download paths to masquerade ToSpy and ProSpy as the ToTok app, with ProSpy also imitating Signal. The campaigns have been active since 2022 for ToSpy and since 2024 for ProSpy, request invasive permissions, and exfiltrate device information, contacts, SMS histories, and files to attacker-controlled servers; Google says Android users are protected by Google Play Protect.
