
ToSpy

ToSpy is an Android spyware family, detected by ESET as Android/Spy.ToSpy, that impersonates the ToTok messaging application and has been used in a long-running campaign primarily targeting users in the United Arab Emirates. The malware is distributed via deceptive third-party websites rather than official app stores, including fake ToTok download pages and at least one site mimicking the Samsung Galaxy Store. Available reporting indicates the campaign was first detected in June 2025, but samples, certificate metadata, domain registrations, and VirusTotal uploads trace activity back to mid-2022, and parts of the infrastructure remained active at the time of reporting.

Once installed, ToSpy requests access to contacts and device storage, establishes persistence using a foreground service, AlarmManager restarts, and a BOOT_COMPLETED receiver, and then waits for command-and-control instructions before exfiltrating data. Reported collection includes contacts, basic device information, and files such as documents, spreadsheets, presentations, text files, audio, images, videos, CSV/VCF data, and ToTok backup files with the .ttkmbackup extension, indicating interest in ToTok chat history or app data. Broader campaign reporting also states that it can steal chats, files, media, SMS messages, contacts, and app backups. ToSpy checks for updates via spiralkey[.]co/totok_update/totokversion.php and may download an APK from spiralkey[.]co/totok_update/totok_pro.apk. Exfiltrated data is reported as encrypted with AES-CBC using the hardcoded key p2j8w9savbny75xg and sent via HTTPS POST requests.

The malware uses social engineering to appear legitimate: if the real ToTok app is present, it may show fake update screens and launch the legitimate app; if not present, it may redirect the user to Huawei AppGallery, a browser page, or the official ToTok download source. ESET reported six samples sharing the same malicious codebase and developer certificate DE90F6899EEC315F4ED05C2AA052D4FE8B71125A. Active or referenced infrastructure includes store.appupdate[.]ai and spiralkey[.]co. ToSpy is frequently discussed alongside the related Android spyware family ProSpy, but ESET tracks them separately due to different infrastructure and delivery methods. Attribution to a specific threat actor is not established in the source content, although some broader reporting links the surrounding espionage campaign involving ProSpy and ToSpy to BITTER; this linkage is not conclusively established for ToSpy alone.
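As an added, defender-side example (not code from ESET or from this page), the following Python triage helper scans an APK's zip entries for the ToSpy indicators quoted in the two paragraphs above (the update-check and APK URLs, the hardcoded AES key, the .ttkmbackup extension, the BOOT_COMPLETED action) and compares an extracted signing certificate against the reported fingerprint. The sample APK it builds is constructed and benign, and its plain-text manifest is a simplification of the binary XML a real APK carries.

```python
import hashlib
import io
import re
import zipfile

# Indicators quoted from the ToSpy write-up; domains are written unbracketed
# so they match the way they would appear inside an APK.
TOSPY_CERT_SHA1 = "DE90F6899EEC315F4ED05C2AA052D4FE8B71125A"
STRING_INDICATORS = {
    "c2_update_check": rb"spiralkey\.co/totok_update/totokversion\.php",
    "c2_apk_download": rb"spiralkey\.co/totok_update/totok_pro\.apk",
    "hardcoded_aes_key": rb"p2j8w9savbny75xg",
    "totok_backup_ext": rb"\.ttkmbackup",
    "boot_receiver": rb"android\.intent\.action\.BOOT_COMPLETED",
}

def cert_fingerprint_matches(cert_der: bytes) -> bool:
    """True if a DER-encoded signing certificate has ESET's reported SHA-1.
    Extracting the X.509 cert from META-INF/*.RSA is left to apksigner/keytool."""
    return hashlib.sha1(cert_der).hexdigest().upper() == TOSPY_CERT_SHA1

def scan_apk(apk_bytes: bytes) -> dict:
    """Map each indicator name to the list of zip entries that contain it.
    Entries are scanned as raw bytes, so only unobfuscated strings are caught."""
    hits = {name: [] for name in STRING_INDICATORS}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for entry in zf.namelist():
            data = zf.read(entry)
            for name, pattern in STRING_INDICATORS.items():
                if re.search(pattern, data):
                    hits[name].append(entry)
    return hits

def build_sample_apk() -> bytes:
    """Constructed, harmless zip mimicking where ToSpy strings would sit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Assumption: plain-text manifest stands in for Android binary XML.
        zf.writestr("AndroidManifest.xml",
                    '<action android:name="android.intent.action.BOOT_COMPLETED"/>')
        zf.writestr("classes.dex", b"https://spiralkey.co/totok_update/totokversion.php"
                    b"\x00p2j8w9savbny75xg\x00.ttkmbackup")
        zf.writestr("META-INF/CERT.RSA", b"placeholder, not the real signature block")
    return buf.getvalue()
```

A hit on the hardcoded key or the spiralkey.co paths in a sideloaded "ToTok" package is a strong triage signal; the certificate check needs the DER certificate pulled out of the signature block first.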


MITRE ATT&CK

Techniques & procedures

18 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

4 techniques
T1189 Drive-by Compromise (Evidence: 2)

The spyware is installed through fake websites and app stores... The apps containing the spyware can only be installed manually via third-party websites, according to ESET researcher Lukáš Štefanko.

T1566 Phishing (Evidence: 3)

Neither app appears in official app stores; victims have to manually install APK files from cloned websites or third-party pages designed to look like legitimate services.

T1566.002 Spearphishing Link (Evidence: 3)

The operator of the spyware campaign distributed the malicious APK files through web pages that impersonated the official Signal website ... and the Samsung Galaxy Store.

T1566.003 Spearphishing via Service (Evidence: 1)

Researchers found that some targets were sent messages on LinkedIn or through iMessage, and some pretended to be from Apple Support.

Execution

3 techniques
T1053 Scheduled Task/Job (Evidence: 3)

Both spyware families use three persistence mechanisms on infected devices: Abuse of the ‘AlarmManager’ Android system API to restart automatically if killed.

T1204 User Execution (Evidence: 2)

Victims are prompted to manually download and install APK files, often bypassing Google Play safeguards.

T1204.002 Malicious File (Evidence: 2)

The fake websites distributing ProSpy use malicious Android Application Packages (APK) “posing as improvements,” ESET said.

Persistence

3 techniques
T1053 Scheduled Task/Job (Evidence: 3)

Both spyware families use three persistence mechanisms on infected devices: Abuse of the ‘AlarmManager’ Android system API to restart automatically if killed.

T1547 Boot or Logon Autostart Execution (Evidence: 2)

Registers to receive BOOT_COMPLETED broadcast events so it can restart the spyware upon device reboot without user interaction.

T1547.001 Registry Run Keys / Startup Folder (Evidence: 1)

To achieve persistence, both the spyware families run a foreground service that displays a persistent notification, use Android's AlarmManager to repeatedly restart the foreground service if it gets terminated, and automatically launch the necessary background services upon a device reboot.

Privilege Escalation

3 techniques
T1053 Scheduled Task/Job (Evidence: 3)

Both spyware families use three persistence mechanisms on infected devices: Abuse of the ‘AlarmManager’ Android system API to restart automatically if killed.

T1547 Boot or Logon Autostart Execution (Evidence: 2)

Registers to receive BOOT_COMPLETED broadcast events so it can restart the spyware upon device reboot without user interaction.

T1547.001 Registry Run Keys / Startup Folder (Evidence: 1)

To achieve persistence, both the spyware families run a foreground service that displays a persistent notification, use Android's AlarmManager to repeatedly restart the foreground service if it gets terminated, and automatically launch the necessary background services upon a device reboot.

Stealth

1 technique
T1036 Masquerading (Evidence: 6)

Both campaigns trick users into side loading malicious apps by appearing to be a Signal or ToTok upgrade or by outright impersonating the ToTok app.

Discovery

3 techniques
T1033 System Owner/User Discovery (Evidence: 1)

If granted, the spyware collects device details, SMS messages, contact lists, installed app lists, and files, including chat backups.

T1082 System Information Discovery (Evidence: 1)

It's also capable of exfiltrating device information.

T1518 Software Discovery (Evidence: 1)

If granted, the spyware collects device details, SMS messages, contact lists, installed app lists, and files, including chat backups.

Collection

2 techniques
T1005 Data from Local System (Evidence: 5)

The rogue ProSpy apps are designed to request permissions to access contacts, SMS messages, and files stored on the device.

T1213 Data from Information Repositories (Evidence: 1)

ToSpy specifically looks for .ttkmbackup files, the extension used to store ToTok backups, suggesting a targeted interest in extracting chat histories.

Command and Control

1 technique
T1071 Application Layer Protocol (Evidence: 1)

All collected data is encrypted with a hardcoded AES key, then sent to command and control servers.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (Evidence: 3)

Once installed, they continually exfiltrate sensitive data.

Impact

1 technique
T1486 Data Encrypted for Impact (Evidence: 1)

ESET's report notes that all exfiltrated data is first encrypted using the AES symmetric encryption algorithm in CBC mode.

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
1 tracked

Other indicator types observed in public reporting.
