Hackers Use Fake Messaging Apps to Deploy Pro Impersonate Secure

Jennifer Sherman
April 10, 2026

A targeted mobile espionage campaign, active across the Middle East since at least 2022, leverages counterfeit versions of widely trusted secure messaging apps to infect victims’ devices with ProSpy, a potent Android spyware.

Attackers behind this operation crafted their malicious apps to look identical to well-known platforms like Signal, ToTok, and Botim — applications that many journalists, activists, and civil society members rely on daily for sensitive communications.

The campaign first came into focus in August 2025, when researchers at Access Now’s Digital Security Helpline began investigating a wave of phishing attacks aimed at prominent journalists and opposition politicians in Egypt.

During that investigation, they uncovered Android malware connected to the phishing infrastructure and reached out for support in tracing its origins.

What followed revealed a broader espionage effort touching Egypt, Bahrain, the UAE, Saudi Arabia, Lebanon, and the United Kingdom, with possible reach into the United States as well.

Lookout Threat Intelligence analysts identified this campaign as a likely hack-for-hire operation with ties to BITTER APT (T-APT-17), a threat actor with suspected connections to the Indian government.

After acquiring 11 ProSpy samples — the earliest dating back to August 2024 — Lookout researchers traced the malware’s infrastructure across multiple command-and-control servers and fake staging websites.

The team assessed with moderate confidence that an organization with ties to BITTER APT, or BITTER itself, was likely contracted by unknown parties to conduct surveillance against civil society targets in the MENA region — marking the first documented instance of BITTER-linked activity targeting civil society in this area.

ProSpy was first publicly named in October 2025, when ESET published research covering two Android spyware families — ProSpy and ToSpy — both found targeting users in the UAE.

Lookout’s investigation groups both families under the ProSpy label for clarity. The malware is written in Kotlin and follows an object-oriented structure, with individual worker classes each responsible for a specific data collection task.

It harvests contacts, SMS messages, and device details, while also scanning local storage for images, audio, video, documents, and archive files, sending everything silently to attacker-controlled servers.

How ProSpy Reaches Its Victims

The delivery method follows a deliberate two-stage process. First, attackers build fake social media or messaging personas — sometimes posing as Apple Support on iMessage or operating through professional platforms like LinkedIn — to establish an initial connection with the target.

Once a level of trust is formed, the victim is sent a spearphishing link that, for Android users, leads directly to a fake website hosting a trojanized APK file designed to look like a legitimate messaging app.

ProSpy distribution site with ToTok application lure (Source – Lookout)

During the investigation, one observed example involved a fake invitation to join a secure video call. Clicking the link redirected the user to a landing page impersonating a ToTok app update, which then automatically started downloading a malicious APK.

The page was available in both English and Arabic, making clear that the attackers were intentionally crafting their lures for an Arabic-speaking audience. Similar staging sites were also built for Signal and Botim, each carefully set up to catch users off guard.

After installation, ProSpy connects to its command-and-control server using the Retrofit library and accepts up to ten numbered commands, directing it to collect anything from documents and contact lists to SMS messages, images, and video files.

List of C2 commands for the latest ProSpy variant (Source – Lookout)

Civil society members, journalists, and activists in the Middle East should avoid downloading applications from outside official app stores and remain cautious about unexpected links, even from seemingly familiar contacts.

Organizations supporting at-risk individuals should promote the use of mobile threat detection tools and regularly educate users about the dangers of installing apps from unverified sources.

Any unusual app permissions or unexpected device behavior after installing a messaging application should be treated as a red flag and reviewed without delay.
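One way a support team could operationalize the two checks above (sideloaded install, permissions that reach the data ProSpy harvests) is a small triage script over the output of `adb shell pm list packages -i` and the per-package permission list from `dumpsys package`. This is an added example, not Lookout's or the reporter's code; the package names, installer values and permission sets below are constructed to mimic that output, and the installer-to-store mapping is an assumption.

```python
import re

# Constructed sample in the shape of `adb shell pm list packages -i`.
# Package names and installers are made up; "null" is what pm prints
# when the installer is unknown, which is typical of a sideloaded APK.
SAMPLE_PACKAGES = """\
package:org.example.signalclone  installer=null
package:com.example.keyboard  installer=com.android.vending
package:org.example.totokupdate  installer=com.android.packageinstaller
"""

# Constructed subset of granted permissions per package (from dumpsys package).
SAMPLE_PERMISSIONS = {
    "org.example.signalclone": {
        "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
        "android.permission.READ_EXTERNAL_STORAGE", "android.permission.INTERNET",
    },
    "com.example.keyboard": {"android.permission.INTERNET"},
    "org.example.totokupdate": {
        "android.permission.READ_CONTACTS", "android.permission.INTERNET",
    },
}

# Assumed: only the Play Store counts as a store install for this triage.
STORE_INSTALLERS = {"com.android.vending"}

# Data categories the article says ProSpy collects, mapped to the Android
# permission an app needs to read each one.
HARVEST_PERMISSIONS = {
    "contacts": "android.permission.READ_CONTACTS",
    "sms": "android.permission.READ_SMS",
    "storage": "android.permission.READ_EXTERNAL_STORAGE",
}

def parse_installers(pm_output):
    """Return {package: installer} parsed from `pm list packages -i` text."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"package:(\S+)\s+installer=(\S+)", pm_output)}

def triage(pm_output, permissions):
    """Flag sideloaded packages that can reach ProSpy-style data categories."""
    flagged = {}
    for pkg, installer in parse_installers(pm_output).items():
        if installer in STORE_INSTALLERS:
            continue  # store-installed apps are out of scope for this check
        granted = permissions.get(pkg, set())
        reach = sorted(cat for cat, perm in HARVEST_PERMISSIONS.items() if perm in granted)
        if reach:
            flagged[pkg] = reach
    return flagged
```

A sideloaded app that reaches contacts, SMS and storage at once is the red flag the article describes and should be reviewed before the device is trusted again.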
