New Spyware Campaigns Target Privacy-Conscious Android Users in the UAE

    Date: 10/14/2025

    Severity: Medium

    Summary

Two Android spyware families, ProSpy and ToSpy, are being used against privacy-conscious users in the UAE by impersonating secure messaging apps, namely Signal and ToTok. Neither is distributed through official app stores: victims are lured by phishing to look-alike download sites and must sideload the APK themselves. Once installed, the apps exfiltrate sensitive data, including chat backups. The campaigns are ongoing, with active C&C servers and region-specific targeting.

    Indicators of Compromise (IOC) List

    URLs/Domains

    noblico.net

    ai-messenger.co

    spiralkey.co

    store.latestversion.ai

    store.appupdate.ai

    totokupdate.ai

    app-totok.io

    signal.ct.ws

    sgnlapp.info

    encryption-plug-in-signal.com-ae.net

    totokapp.info

    totok-pro.io

IP Addresses

    86.105.18.13

    185.7.219.77

    152.89.29.73

    5.42.221.106

    152.89.29.78

    185.140.210.66

    176.123.7.83

    185.27.134.222

    185.225.114.70

    94.156.128.159

    94.156.175.105

    103.214.4.135

Hashes

    MD5

    75ce04f397c4df2e6970b01d92b013ca

    c13a910fe908f0ad961da304a20f1033

    aecfbbbdbdf62aa91ac67a41fcf497f1

    6bf018d5bdd9775cbe72d05a046b0b9c

    fa81ea64592330092893fa785d310e86

    7ffb3ffc02824c481e2f4f5d18ae2e4e

    4a680eedd23fff5ae36ec8c774b6310a

    817ad9775cb923dad7b14fc41911703b

    2592cd3458c6a5c7139f9a3fa0068071

    a1684963eb36b976c6e14872e667d1cd

    5231c773b220d88569953847944f30df

    c6169f902fdc713930d7f38e443271b0

SHA-1

    03FE2FCF66F86A75242F6112155134E66BC586CB

    B22D58561BB64748F0D2E57B06282D6DAF33CC68

    BDC16A05BF6B771E6EDB79634483C59FE041D59B

    DB9FE6CC777C68215BB0361139119DAFEE3B3194

    DE148DDFBF879AB2C12537ECCCDD0541A38A8231

    CE378AE427E4BD70EAAED204C51811CD74F9A294

    7EFEFF53AAEBF4B31BFCC093F2332944C3A6C0F6

    154D67F871FFA19DCE1A7646D5AE4FF00C509EE4

    43F4DC193503947CB9449FE1CCA8D3FEB413A52D

    579F9E5DB2BEFCCB61C833B355733C24524457AB

    80CA4C48FA831CD52041BB1E353149C052C17481

    FFAAC2FDD9B6F5340D4202227B0B13E09F6ED031

SHA-256

    e18683bc061e888f158c9a3a7478615df2d7daae1952a072d7f549cd1c1e326a

    24e3d017c22fe89c63334a3c7f26b8dafaafaf16830d0ea2f8bc9d6eb42f77cd

    4ec51c329e8dab681bc6fb89d8c25021ed2ad9949bd16391a838bde8e56540fd

    dc55df39a7824a455690022b373875d3eb7680c1b961efe38d73c7fa2e57d6bc

    a6a6667d99d6d8dced329ce6e77c172a3b6c20cc67b18938b82fa0c1401c47d5

    80acf871a81bf657e632dd7699e7bdfa32aba9485a804fd7de39659cd5c21d89

    506e9bc94341137bdf835baa7ace980d4c9125583dd6b108d6225a07b09e78bf

    42f28501f3e6be38c0ce4ff2a5bfa2dfe3c56f99ed81804de54cba3bc26a5025

    70a44a185497df02ab80b94ec0731ea361ac54858b064c5f44a72272768a30b1

    021afbc4c9ae7c4bc7499dd38c9858ba7b717d99596a41dcd5d371c93a52c2b4

    72419339f73fc6e62774c70085b75b3440d3268db2baa9946153d0e06445506b

    545b228aeb9e2163fa028d6ff5604e50c82779f8e9ca914b2167dd4f62440322

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "sgnlapp.info" or siteurl like "sgnlapp.info" or url like "sgnlapp.info" or domainname like "totokapp.info" or siteurl like "totokapp.info" or url like "totokapp.info" or domainname like "totokupdate.ai" or siteurl like "totokupdate.ai" or url like "totokupdate.ai" or domainname like "spiralkey.co" or siteurl like "spiralkey.co" or url like "spiralkey.co" or domainname like "signal.ct.ws" or siteurl like "signal.ct.ws" or url like "signal.ct.ws" or domainname like "totok-pro.io" or siteurl like "totok-pro.io" or url like "totok-pro.io" or domainname like "app-totok.io" or siteurl like "app-totok.io" or url like "app-totok.io" or domainname like "noblico.net" or siteurl like "noblico.net" or url like "noblico.net" or domainname like "ai-messenger.co" or siteurl like "ai-messenger.co" or url like "ai-messenger.co" or domainname like "store.latestversion.ai" or siteurl like "store.latestversion.ai" or url like "store.latestversion.ai" or domainname like "store.appupdate.ai" or siteurl like "store.appupdate.ai" or url like "store.appupdate.ai" or domainname like "encryption-plug-in-signal.com-ae.net" or siteurl like "encryption-plug-in-signal.com-ae.net" or url like "encryption-plug-in-signal.com-ae.net"

    Detection Query 2 :

    dstipaddress IN ("86.105.18.13","185.7.219.77","152.89.29.73","5.42.221.106","152.89.29.78","185.140.210.66","176.123.7.83","185.27.134.222","185.225.114.70","94.156.128.159","94.156.175.105","103.214.4.135") or srcipaddress IN ("86.105.18.13","185.7.219.77","152.89.29.73","5.42.221.106","152.89.29.78","185.140.210.66","176.123.7.83","185.27.134.222","185.225.114.70","94.156.128.159","94.156.175.105","103.214.4.135")

    Detection Query 3 :

    md5hash IN ("c13a910fe908f0ad961da304a20f1033","fa81ea64592330092893fa785d310e86","75ce04f397c4df2e6970b01d92b013ca","6bf018d5bdd9775cbe72d05a046b0b9c","2592cd3458c6a5c7139f9a3fa0068071","a1684963eb36b976c6e14872e667d1cd","aecfbbbdbdf62aa91ac67a41fcf497f1","817ad9775cb923dad7b14fc41911703b","5231c773b220d88569953847944f30df","7ffb3ffc02824c481e2f4f5d18ae2e4e","4a680eedd23fff5ae36ec8c774b6310a","c6169f902fdc713930d7f38e443271b0")

    Detection Query 4 :

sha1hash IN ("DE148DDFBF879AB2C12537ECCCDD0541A38A8231","579F9E5DB2BEFCCB61C833B355733C24524457AB","43F4DC193503947CB9449FE1CCA8D3FEB413A52D","B22D58561BB64748F0D2E57B06282D6DAF33CC68","154D67F871FFA19DCE1A7646D5AE4FF00C509EE4","80CA4C48FA831CD52041BB1E353149C052C17481","DB9FE6CC777C68215BB0361139119DAFEE3B3194","BDC16A05BF6B771E6EDB79634483C59FE041D59B","03FE2FCF66F86A75242F6112155134E66BC586CB","CE378AE427E4BD70EAAED204C51811CD74F9A294","7EFEFF53AAEBF4B31BFCC093F2332944C3A6C0F6","FFAAC2FDD9B6F5340D4202227B0B13E09F6ED031")

    Note: the SHA-1 indicators are upper-case as published, while the MD5 and SHA-256 values are lower-case. If the sha1hash field in your data is stored lower-case and the comparison is case-sensitive, normalise the case on one side before running this query, otherwise it will not match.

    Detection Query 5 :

    sha256hash IN ("dc55df39a7824a455690022b373875d3eb7680c1b961efe38d73c7fa2e57d6bc","42f28501f3e6be38c0ce4ff2a5bfa2dfe3c56f99ed81804de54cba3bc26a5025","70a44a185497df02ab80b94ec0731ea361ac54858b064c5f44a72272768a30b1","e18683bc061e888f158c9a3a7478615df2d7daae1952a072d7f549cd1c1e326a","021afbc4c9ae7c4bc7499dd38c9858ba7b717d99596a41dcd5d371c93a52c2b4","4ec51c329e8dab681bc6fb89d8c25021ed2ad9949bd16391a838bde8e56540fd","24e3d017c22fe89c63334a3c7f26b8dafaafaf16830d0ea2f8bc9d6eb42f77cd","a6a6667d99d6d8dced329ce6e77c172a3b6c20cc67b18938b82fa0c1401c47d5","80acf871a81bf657e632dd7699e7bdfa32aba9485a804fd7de39659cd5c21d89","506e9bc94341137bdf835baa7ace980d4c9125583dd6b108d6225a07b09e78bf","72419339f73fc6e62774c70085b75b3440d3268db2baa9946153d0e06445506b","545b228aeb9e2163fa028d6ff5604e50c82779f8e9ca914b2167dd4f62440322")
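The five queries above are written in Gurucul TDIR syntax. The Python below is an added example, not Gurucul's or ESET's code, showing the same matching logic applied outside that platform: the indicators from this page are loaded into sets, hashes are compared case-insensitively, domains match on the exact name or a subdomain of it (so a look-alike such as notsgnlapp.info, or the shared hosting parent ct.ws under which signal.ct.ws sits, is not flagged), and IPs are canonicalised before lookup. The field names mirror the queries (domainname/siteurl/url, srcipaddress/dstipaddress, md5hash/sha1hash/sha256hash); the log records at the bottom are constructed for the demo, not real telemetry, and only one hash of each type is loaded to keep the listing short.

```python
"""Match the ProSpy / ToSpy indicators above against log records and files.

Added example, not Gurucul's or ESET's code. Field names mirror the
detection queries on this page; sample records are constructed, not real.
"""
import hashlib
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Indicators copied from the IOC list on this page.
IOC_DOMAINS = {
    "noblico.net", "ai-messenger.co", "spiralkey.co", "store.latestversion.ai",
    "store.appupdate.ai", "totokupdate.ai", "app-totok.io", "signal.ct.ws",
    "sgnlapp.info", "encryption-plug-in-signal.com-ae.net", "totokapp.info",
    "totok-pro.io",
}
IOC_IPS = {
    "86.105.18.13", "185.7.219.77", "152.89.29.73", "5.42.221.106",
    "152.89.29.78", "185.140.210.66", "176.123.7.83", "185.27.134.222",
    "185.225.114.70", "94.156.128.159", "94.156.175.105", "103.214.4.135",
}
# One hash of each type from the page, lower-cased once so lookups are
# case-insensitive (the published SHA-1s are upper-case, the rest lower-case).
# Extend with the full list when deploying.
IOC_HASHES = {h.lower() for h in (
    "75ce04f397c4df2e6970b01d92b013ca",
    "03FE2FCF66F86A75242F6112155134E66BC586CB",
    "e18683bc061e888f158c9a3a7478615df2d7daae1952a072d7f549cd1c1e326a",
)}

_HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def hostname_from_url(value: str) -> Optional[str]:
    """Lower-cased host part of a URL or bare hostname; None for IPs or junk."""
    v = value.strip().lower()
    if "://" in v:
        v = v.split("://", 1)[1]
    v = v.split("/", 1)[0].split("?", 1)[0]   # drop path and query string
    v = v.split("@")[-1].split(":", 1)[0]     # drop userinfo and port
    return v if _HOST_RE.match(v) else None


def domain_matches(host: str) -> Optional[str]:
    """IOC domain that `host` equals or is a subdomain of, else None.

    'cdn.sgnlapp.info' matches 'sgnlapp.info'; 'notsgnlapp.info' does not.
    Only listed names count: 'ct.ws' is not flagged even though the IOC
    'signal.ct.ws' lives under it (ct.ws is a shared hosting parent).
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


Hit = Tuple[str, str, str]  # (field, raw value, matched IOC)


def match_record(rec: Dict[str, str]) -> List[Hit]:
    """All IOC hits in one log record, across domain, IP and hash fields."""
    hits: List[Hit] = []
    for field in ("domainname", "siteurl", "url"):
        val = rec.get(field)
        host = hostname_from_url(val) if val else None
        ioc = domain_matches(host) if host else None
        if ioc:
            hits.append((field, val, ioc))
    for field in ("srcipaddress", "dstipaddress"):
        val = rec.get(field)
        if not val:
            continue
        try:
            ip = str(ipaddress.ip_address(val.strip()))  # rejects malformed values
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append((field, val, ip))
    for field in ("md5hash", "sha1hash", "sha256hash"):
        val = rec.get(field)
        if val and val.strip().lower() in IOC_HASHES:
            hits.append((field, val, val.strip().lower()))
    return hits


def scan(records: List[Dict[str, str]]) -> Dict[int, List[Hit]]:
    """Index of every record with at least one hit, mapped to its hits."""
    out: Dict[int, List[Hit]] = {}
    for i, rec in enumerate(records):
        hits = match_record(rec)
        if hits:
            out[i] = hits
    return out


def hash_apk_bytes(data: bytes) -> Dict[str, object]:
    """Digest a file (e.g. an APK pulled from a device) and check all three hash IOCs."""
    digests = {
        "md5hash": hashlib.md5(data).hexdigest(),
        "sha1hash": hashlib.sha1(data).hexdigest(),
        "sha256hash": hashlib.sha256(data).hexdigest(),
    }
    return {"digests": digests,
            "matches": [f for f, d in digests.items() if d in IOC_HASHES]}


# Constructed sample records (not real telemetry) exercising the edge cases.
SAMPLE_RECORDS = [
    {"url": "https://sgnlapp.info/dl/signal-plugin.apk", "dstipaddress": "185.7.219.77"},
    {"domainname": "cdn.totok-pro.io"},                          # subdomain: hit
    {"domainname": "notsgnlapp.info"},                           # look-alike: no hit
    {"domainname": "ct.ws"},                                     # parent only: no hit
    {"sha1hash": "03fe2fcf66f86a75242f6112155134e66bc586cb"},   # lower-cased SHA-1: hit
    {"srcipaddress": "10.0.0.5", "url": "https://signal.org/"},  # benign: no hit
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_RECORDS).items():
        print(idx, hits)
```

Run over the sample records, only indices 0, 1 and 4 are reported: the look-alike domain, the bare parent domain and the benign record produce no hits. The same sets can be fed to hash_apk_bytes for APKs collected from a suspect device, which is the check that complements the network-side queries above.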

Reference:

    https://www.welivesecurity.com/en/eset-research/new-spyware-campaigns-target-privacy-conscious-android-users-uae/#iocs


Tags

    Malware, Phishing, ProSpy, ToSpy, Exfiltration, UAE, Data Stealer, Android Malware, Spyware, Signal, ToTok
