ProSpy
ProSpy is an Android spyware family, detected by ESET as Android/Spy.ProSpy, that has been active since at least 2024 and was discovered in June 2025. It was distributed outside official app stores via fake websites and phishing pages, primarily targeting users in the United Arab Emirates. ProSpy impersonated a nonexistent Signal Encryption Plugin and a fake ToTok Pro application; reporting also states it masqueraded as other communications apps including WhatsApp, Zoom, and Botim in related campaigns. Known distribution domains mentioned in the reporting include signal.ct[.]ws, encryption-plug-in-signal.com-ae[.]net, and totok-pro[.]io.
Once installed, ProSpy requests access to contacts, SMS messages, and files stored on the device, then exfiltrates sensitive data including device information, public IP address, SMS messages, contact lists, installed applications, and files such as documents, archives, images, audio, and video. Reported local staging filenames include contacts_list.json, device_info.json, and sms_list.json. In broader reporting on associated espionage activity, ProSpy was described as capable of stealing chats, files, media, SMS messages, contacts, and app backups, and in some accounts as providing full device control.
The malware uses persistence mechanisms including foreground services, AlarmManager restarts, and BOOT_COMPLETED receivers. The Signal-themed variant could change its icon and label to Play Services using Android activity-alias functionality, launch the legitimate Signal app, or redirect users to signal.org if Signal was not installed. The fake ToTok Pro variant redirected users to the official ToTok download page and later launched the real ToTok app to reduce suspicion.
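As an added, constructed example (not ESET's code and not from the page), the following Python script triages a decoded AndroidManifest.xml for the combination of traits described above: SMS and contact permissions, a BOOT_COMPLETED receiver, a foreground service, and an activity-alias labelled Play Services. The sample manifest, the package name, and the three-trait threshold are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(name):
    """Fully qualified android: attribute name for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{name}"


# Constructed sample of a decoded manifest (as produced by apktool) showing the
# traits the reporting describes; it is NOT a real ProSpy manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.signalplugin">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Signal Encryption Plugin">
    <activity android:name=".MainActivity" android:enabled="true"/>
    <activity-alias android:name=".Disguise" android:targetActivity=".MainActivity"
        android:label="Play Services" android:enabled="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".CollectorService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the list of ProSpy-style traits found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(a("name")) for e in root.iter("uses-permission")}
    findings = []
    if {"android.permission.READ_SMS", "android.permission.READ_CONTACTS"} <= perms:
        findings.append("requests SMS and contact read access")
    for rcv in root.iter("receiver"):  # boot-time restart hook
        actions = {act.get(a("name")) for act in rcv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.append(f"BOOT_COMPLETED receiver: {rcv.get(a('name'))}")
    if ("android.permission.FOREGROUND_SERVICE" in perms
            or any(s.get(a("foregroundServiceType")) for s in root.iter("service"))):
        findings.append("declares a foreground service")
    for alias in root.iter("activity-alias"):  # icon/label swap via alias
        label = alias.get(a("label"), "")
        if "play services" in label.lower() or alias.get(a("enabled")) == "false":
            findings.append(f"disguise-capable activity-alias: {alias.get(a('name'))}")
    return findings


def looks_like_prospy(xml_text):
    """Heuristic verdict: three or more of the traits above together (assumed threshold)."""
    return len(triage_manifest(xml_text)) >= 3
```

Run it against a manifest extracted with apktool from a sideloaded APK; a hit is a triage signal for analyst review, not a conviction.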
Multiple reports link ProSpy to espionage targeting journalists, activists, opposition figures, and some government-linked individuals across the Middle East and North Africa; targeting in the UAE is confirmed or assessed as likely, and reporting also names Egypt, Lebanon, and Bahrain. Lookout attributed malware used in this broader campaign to the South Asian threat group BITTER, also known as T-APT-17 and APT-Q-37, citing code similarities between ProSpy and the earlier Dracarys malware, though ESET stated that attribution for the ProSpy campaign itself remained unknown. Researchers assessed the activity as surveillance-oriented and possibly hack-for-hire. CISA later highlighted ProSpy among spyware campaigns abusing trust in messaging applications to target high-value individuals.
Groups observed using it
2 distinct threat actors attributed by public researchers.
This joint research, and an October 2025 report from ESET, reveals that Android users are tricked into downloading any of these malware: ProSpy or ToSpy. Both are spyware... Researchers explain that ProSpy is a feature-rich spyware developed in Kotlin, and out of the 11 ProSpy samples obtained, the earliest was from August 2024.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
The spyware is installed through fake websites and app stores... The apps containing the spyware can only be installed manually via third-party websites, according to ESET researcher Lukáš Štefanko.
Distribution methods include phishing domains designed to mimic legitimate app marketplaces, including a fake Samsung Galaxy Store.
The operator of the spyware campaign distributed the malicious APK files through web pages that impersonated the official Signal website ... and the Samsung Galaxy Store.
Researchers found that some targets were sent messages on LinkedIn or through iMessage, and some pretended to be from Apple Support.
Execution
3 techniques
After installation, ProSpy and ToSpy use Android persistence mechanisms, such as AlarmManager and boot receivers, to ensure continued operation even after device reboots.
Neither app appears in official app stores; victims have to manually install APK files from cloned websites or third-party pages designed to look like legitimate services.
Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services.
Persistence
3 techniques
After installation, ProSpy and ToSpy use Android persistence mechanisms, such as AlarmManager and boot receivers, to ensure continued operation even after device reboots.
To achieve persistence, both the spyware families run a foreground service that displays a persistent notification, use Android's AlarmManager to repeatedly restart the foreground service if it gets terminated, and automatically launch the necessary background services upon a device reboot.
Privilege Escalation
3 techniques
After installation, ProSpy and ToSpy use Android persistence mechanisms, such as AlarmManager and boot receivers, to ensure continued operation even after device reboots.
To achieve persistence, both the spyware families run a foreground service that displays a persistent notification, use Android's AlarmManager to repeatedly restart the foreground service if it gets terminated, and automatically launch the necessary background services upon a device reboot.
Stealth
1 technique
Cybersecurity researchers have discovered two Android spyware campaigns dubbed ProSpy and ToSpy that impersonate apps like Signal and ToTok to target users in the United Arab Emirates (U.A.E.).
Discovery
3 techniques
If granted, the spyware collects device details, SMS messages, contact lists, installed app lists, and files, including chat backups.
It's also capable of exfiltrating device information.
Collection
1 technique
The spyware is installed through fake websites and app stores, and it allows sensitive data files, contacts, chat backups and media to be stolen.
Command and Control
1 technique
All collected data is encrypted with a hardcoded AES key, then sent to command and control servers.
Exfiltration
1 technique
Once installed, they continually exfiltrate sensitive data.
Other
1 technique
The operation features a combination of targeted spearphishing delivered through fake social media accounts and messaging applications leveraging persistent social engineering efforts... One of the victims... said he contacted Access Now after receiving a suspicious link from someone he’d been talking to about a job position.
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family as well as other indicator types observed in public reporting.
Recent activity
22 sources tracked across advisories, community write-ups, and news.
Android spyware used in a spearphishing campaign. It is described as feature-rich, professionally developed in Kotlin, and capable of collecting and exfiltrating photos, audio, videos, SMS messages, contact lists, private documents, and backup files from other apps.
Android spyware capable of full device control, deployed in the campaign while disguised as legitimate messaging apps such as Signal and WhatsApp.
Android spyware used via deceptive websites impersonating trusted services. It can exfiltrate sensitive data such as contacts, SMS messages, device metadata, and local files.
Android spyware used in a likely hack-for-hire espionage campaign targeting journalists, activists, civil society members, and potentially government officials in the Middle East and North Africa.