"zip, application/x-rar-compressed, application/x-7z-compressed, application/java-archive, application/vnd.android.package-archive, and others. Images: image/*. Others: any file not matching the categories above. - Installed apps: list of all installed a…"
T1566.002 Spearphishing Link
71%
"We discovered the ProSpy campaign in June 2025, but we believe it has been ongoing since 2024. We have seen ProSpy being distributed through three deceptive websites designed to impersonate the communication platforms Signal and ToTok. These sites offer malicious APKs posing as impro…"
T1566.002 Spearphishing Link
59%
"activity – potentially coming from users, security vendors, or the threat actors. Table 1. Samples found on VirusTotal. Given the app's regional popularity and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spy…"
T1048 Exfiltration Over Alternative Protocol
56%
"launches the official ToTok app, making it appear as though the user is simply using the legitimate app. In the background, the spyware can collect and exfiltrate the following data: - user contacts; - files with specific extensions such as .pdf, .ttkmbackup, .doc, .docx, .xls,…"
T1134.001 Token Impersonation/Theft
43%
"If these permissions are granted, ProSpy starts exfiltrating data in the background. The steps we describe next are taken in order for the apps to appear legitimate and prevent the victim from uninstalling them. ToTok Pro spyware. In the case of the ToTok Pro distribution vector, …"
T1567 Exfiltration Over Web Service
40%
"launches the official ToTok app, making it appear as though the user is simply using the legitimate app. In the background, the spyware can collect and exfiltrate the following data: - user contacts; - files with specific extensions such as .pdf, .ttkmbackup, .doc, .docx, .xls,…"
T1134 Access Token Manipulation
36%
"The malicious ToTok app asks for permissions to access contacts and device storage, falsely presenting the permissions as a requirement for the app to function properly. These permissions are, however, critical for the operation of ToSpy, enabling it to access sensitive data. Onc…"
T1053.005 Scheduled Task
31%
"POST request. Figure 18 shows the decompiled code of the malicious method responsible for victim data exfiltration. The hardcoded key is also used to decrypt hardcoded strings within the app, such as the list of file extensions and C&C server addresses. The same key is used for…"
Summary
ESET researchers have discovered campaigns distributing spyware disguised as Android Signal and ToTok apps, targeting users in the United Arab Emirates