Researchers have discovered new spyware embedded in fake messaging apps being used to target people in the United Arab Emirates.

The cybersecurity firm ESET said Thursday its experts found two Android spyware campaigns, dubbed ProSpy and ToSpy, which pose as Signal and ToTok — a free messaging and calling app that originated in the UAE.

The spyware is installed through fake websites and app stores, and it allows sensitive data files, contacts, chat backups and media to be stolen. It also reloads the authentic apps in order to make itself look legitimate, ESET said in a blog post.

The detections in the UAE and the use of phishing and fake app stores to carry out the attacks suggest “regionally focused operations with strategic delivery mechanisms,” ESET said in a press release.

Once installed, both types of spyware are persistent. Command-and-control servers discovered by the researchers suggest the ToSpy campaign is ongoing.

The apps containing the spyware can only be installed manually via third-party websites, according to ESET researcher Lukáš Štefanko. One of the websites pushing ToSpy malware posed as the Samsung Galaxy Store, he said.

ESET detected the ToSpy malware in June and believes it dates back to 2022. Researchers found four “deceptive distribution websites” posing as the app.

The ProSpy campaign was also detected by researchers in June and is believed to have begun in 2024. The fake websites distributing ProSpy use malicious Android Application Packages (APK) “posing as improvements,” ESET said.