
- ProSpy and ToSpy malware campaigns spoof Signal and ToTok to infect Android users
- Malware exfiltrates SMS, contacts, files, and disguises itself as Google Play Services
- Apps spread via third-party stores; users urged to stick to official app sources
Android users in the United Arab Emirates and the wider region are being targeted by two malicious campaigns which spoof known chat apps, Signal and ToTok, to distribute malware.
Security researchers at ESET said they started tracking the ProSpy and ToSpy campaigns in June 2025, but believe they could have started back in 2024.
The attackers created fake, non-existent Signal Encryption Plugins, and a Pro version of the ToTok app, to trick users into downloading and running the malware. Those who don’t spot the trick will end up losing sensitive information, since the campaign is built around data exfiltration.
How to stay safe
Once installed, the malware requests access to SMS messages, files, and contacts lists, which it then exfiltrates, together with device information, backup files, and a list of other installed apps.
The Signal Encryption Plugin also renames itself to ‘Play Services’ upon installation, and changes its icon, to avoid being detected and removed. Also, tapping the icon brings up the info screen of the legitimate Google Play Services app.
Since these apps are being distributed through third-party app stores and custom websites, the best way to stay safe is to only download apps from reputable sources such as the official Google Play Store and the Apple App Store.
Signal is a popular and legitimate privacy-first chat application with roughly 70 million users worldwide. ToTok, on the other hand, has a more controversial history. The app was developed by a UAE company called G42, back in 2019. It offered free voice and video calls, positioning itself as an alternative to services like WhatsApp and Skype, which were restricted in the UAE.
However, ToTok was later removed from the Google Play Store and Apple’s App Store after investigations suggested it was being used as a surveillance tool by the UAE government, but it remains popular in the region.
Via BleepingComputer

- Klopatra malware steals banking and crypto data, even when screen is off
- Distributed via fake IPTV+VPN app, requests Accessibility permissions for full device control
- Uses Virbox, anti-debugging, and encryption to evade detection and analysis
Cybersecurity researchers at Cleafy have discovered a new, powerful Android trojan capable of stealing money from bank apps, stealing crypto from hot wallets, and even using the device while the screen is off.
Klopatra, an Android malware apparently built by a Turkish threat actor, does not resemble anything that’s already out there, meaning the tool was likely built from scratch. It was first spotted in March 2025, and since then has gone through 40 iterations, meaning the group is actively working on and developing the malware.
Klopatra is being distributed through standalone, malicious pages, rather than Google’s Play Store. It uses a dropper called Modpro IP TV + VPN, which pretends to be an IPTV and VPN app. Once the dropper is installed, it deploys Klopatra which, as usual for malicious apps, requests Accessibility Services permissions.
Thousands of victims
These permissions allow hackers to simulate taps, read screen content, steal credentials, and control apps silently – among other things.
Besides stealing people’s money and data, and tampering with the phone, Klopatra also has a list of hardcoded Android antivirus names, which it cross-references with the apps on the device and attempts to disable.
The malware also goes the extra mile to avoid being detected and analyzed.
It uses Virbox, a legitimate software protection and licensing platform that defends apps against piracy, reverse engineering, and unauthorized use.
In this case, Virbox was used to prevent cybersecurity researchers from reverse-engineering and analyzing the malware. Furthermore, it uses native libraries to bring its Java and Kotlin use to a minimum, and recently started using NP Manager string encryption.
The researchers said the malware comes with multiple anti-debugging mechanisms, runtime integrity checks, and the ability to detect when it’s running in an emulator, thus preventing researchers from dissecting it.
So far, at least 3,000 devices across Europe are infected, Cleafy said.
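The traits reported for both campaigns (a "Play Services" label on a package that is not the genuine one, sideloaded apps holding SMS, contacts and file permissions, and sideloaded apps with an accessibility service enabled) can be checked against a device app inventory. The following is an added example, not code from ESET, Cleafy or the original articles; the record layout, the `org.example.*` package names and the sample rows are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

PLAY_STORE = "com.android.vending"         # Google Play Store installer package
PLAY_SERVICES = "com.google.android.gms"   # genuine Google Play services package
EXFIL_PERMS = {"android.permission.READ_SMS",
               "android.permission.READ_CONTACTS",
               "android.permission.READ_EXTERNAL_STORAGE"}

@dataclass
class App:                                  # hypothetical inventory record
    package: str
    label: str
    installer: Optional[str]                # None: no installer recorded
    system: bool = False                    # preinstalled on the system image
    permissions: set = field(default_factory=set)
    accessibility_enabled: bool = False

def findings(app: App) -> list:
    out = []
    sideloaded = not app.system and app.installer != PLAY_STORE
    # Label claims to be Play Services but the package is not the genuine one.
    if "play services" in app.label.lower() and app.package != PLAY_SERVICES:
        out.append("play-services-label-spoof")
    # Sideloaded app holding at least two of the SMS/contacts/files permissions.
    if sideloaded and len(EXFIL_PERMS & app.permissions) >= 2:
        out.append("sideloaded-exfil-permissions")
    # Sideloaded app with an enabled accessibility service.
    if sideloaded and app.accessibility_enabled:
        out.append("sideloaded-accessibility-service")
    return out

def triage(inventory):
    # Map package name -> findings, keeping only apps with at least one finding.
    return {a.package: f for a in inventory if (f := findings(a))}

# Constructed sample inventory; the org.example.* packages are placeholders.
SAMPLE = [
    App(PLAY_SERVICES, "Google Play services", PLAY_STORE, system=True,
        permissions={"android.permission.READ_SMS", "android.permission.READ_CONTACTS"}),
    App("org.thoughtcrime.securesms", "Signal", PLAY_STORE,
        permissions={"android.permission.READ_CONTACTS"}),
    App("org.example.encplugin", "Play Services", None, permissions=set(EXFIL_PERMS)),
    App("org.example.iptvvpn", "IPTV + VPN", None, accessibility_enabled=True),
]

if __name__ == "__main__":
    for pkg, hits in triage(SAMPLE).items():
        print(pkg, hits)
```

A finding is a prompt for manual review, not a verdict: legitimately sideloaded apps can trip the same rules.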


Joe Maring / Android Authority
TL;DR
- We’re seeing visual confirmation of Galaxy S26 Ultra’s upcoming Privacy Display feature.
- The leak corroborates that the feature activates automatically in crowded spaces.
- It also suggests users will have the option to choose which aspects to restrict and which ones to allow.
The Galaxy S26 Ultra’s design may lack any radical changes, but the display is set to feature a significant upgrade that would make privacy-focused screen protectors obsolete. For the Ultra next year, Samsung is developing a built-in solution to dim the display or hide its contents in specific scenarios, which could represent a significant step forward from the existing anti-glare solution.
Last month, we learned about an upcoming Samsung feature, currently referred to as Private Display, which could block peeks from unwanted onlookers, especially at specific angles. What’s truly marvelous is that Privacy Display is integrated electronically, which means it can be toggled on or off, or its intensity set to different levels. More excitingly, Privacy Display may be triggered automatically in certain events, and we’re now seeing potential UI for this implementation.
Based on a purported One UI 8.5 leak by @achultra on X, the Galaxy S26 Ultra will enable an option for Privacy Display to activate automatically in crowded spots or public places. According to the shared screenshot, Privacy Display can be set to turn on automatically in spaces such as elevators or public transportation.
Additionally, Galaxy S26 Ultra users might also be able to choose what content is visible when Privacy Display is toggled on. Currently, there are options to view the screen lock options, including PIN, pattern, or password. You would also have the option to hide specific images with privacy protection enabled. Likewise, the feature extends to notifications and picture-in-picture.
We might see changes to the interface leading up to the actual launch. With a substantial number of references in One UI 8.5’s code, we don’t suspect Samsung will drop it — unless there are any quality control issues. We also hope to learn more about its other capabilities as we approach the next Galaxy Unpacked event.