ProSpy Malware Impersonates Secure Apps in Middle East Espionage

Jennifer Sherman
April 10, 2026

Key Takeaways

  • A sophisticated mobile espionage campaign, active since at least 2022, targets individuals across the Middle East.
  • The campaign deploys ProSpy Android spyware via malicious lookalike versions of popular secure messaging apps like Signal, ToTok, and Botim.
  • Victims, primarily journalists, activists, and opposition figures, are lured through spearphishing links after attackers build trust via fake social media personas.
  • Attribution points to BITTER APT (T-APT-17), a group potentially linked to the Indian government, operating as a hack-for-hire entity.

A persistent mobile espionage operation has been observed targeting high-profile individuals across the Middle East since 2022, leveraging highly deceptive counterfeit versions of secure messaging applications to deploy potent Android spyware known as ProSpy.

The attackers meticulously engineered malicious applications to mimic the appearance and functionality of trusted platforms such as Signal, ToTok, and Botim. These apps are frequently utilized by journalists, human rights activists, and civil society members for confidential communications, making them ideal lures for a sophisticated surveillance campaign.

The full scope of this campaign began to emerge in August 2025, when the Digital Security Helpline at Access Now initiated an investigation into a series of phishing attacks aimed at prominent journalists and political opposition figures in Egypt.

During their initial inquiry, researchers uncovered Android malware associated with the phishing infrastructure and sought external assistance to determine its origins and broader connections.

Subsequent analysis revealed an extensive espionage effort impacting Egypt, Bahrain, the UAE, Saudi Arabia, Lebanon, and the United Kingdom, with potential reach into the United States.

Analysts at Lookout Threat Intelligence identified this campaign as a probable hack-for-hire operation, exhibiting links to BITTER APT (T-APT-17), a threat actor suspected of having ties to the Indian government.

Lookout researchers obtained 11 distinct samples of ProSpy, with the earliest variant dating back to August 2024. Their investigation successfully mapped the malware’s command-and-control infrastructure across multiple servers and identified numerous fake staging websites used in the campaign.

The Lookout team concluded with moderate confidence that an organization affiliated with BITTER APT, or BITTER itself, was likely contracted by undisclosed parties to conduct surveillance against civil society targets within the Middle East and North Africa (MENA) region. This represents the first documented instance of BITTER-linked activity specifically targeting civil society in this geographical area.

ProSpy was initially documented in October 2025, when ESET published research detailing two Android spyware families, ProSpy and ToSpy, both observed targeting users in the UAE. For consistency, Lookout’s investigation consolidates both families under the unified ProSpy designation.

The spyware is developed in Kotlin and employs an object-oriented architecture, where distinct worker classes are assigned specific data collection responsibilities. ProSpy is designed to exfiltrate contacts, SMS messages, and comprehensive device details. It also scans local storage for images, audio, video, documents, and archive files, transmitting all harvested data stealthily to attacker-controlled servers.

How ProSpy Reaches Its Victims

The delivery mechanism for ProSpy involves a carefully orchestrated two-stage process. Initially, attackers establish deceptive social media or messaging personas, sometimes impersonating Apple Support on iMessage or engaging targets via professional platforms like LinkedIn, to build rapport and trust.

Once a sufficient level of trust is established, the victim receives a spearphishing link. For Android users, this link directs them to a fraudulent website hosting a trojanized APK file, which is disguised to appear as a legitimate messaging application.

During the investigation, one notable instance involved a fake invitation to join a secure video call. Clicking the provided link redirected the user to a landing page that mimicked a ToTok app update, which then automatically initiated the download of a malicious APK. This deceptive page was available in both English and Arabic, indicating a deliberate effort by the attackers to target an Arabic-speaking audience. Similar staging sites were also created to impersonate Signal and Botim, each meticulously designed to exploit user trust.

Upon successful installation, ProSpy utilizes the Retrofit library to establish a connection with its command-and-control server. The spyware is capable of executing up to ten distinct numbered commands, enabling it to collect a wide array of data, including documents, contact lists, SMS messages, images, and video files.

What You Should Do

  • Avoid Unofficial App Stores: Never download applications from sources other than official app stores like Google Play. Third-party app stores or direct APK downloads are common vectors for malware.
  • Exercise Caution with Links: Be highly suspicious of unexpected links, even if they appear to come from known contacts or trusted organizations. Verify the legitimacy of the sender and the link through an alternative communication channel.
  • Verify App Permissions: Scrutinize the permissions requested by any new application. If an app requests permissions that seem excessive or unrelated to its stated function (e.g., a messaging app requesting access to your microphone and camera without a specific feature requiring it), consider it a red flag.
  • Monitor Device Behavior: Pay attention to unusual device behavior, such as rapid battery drain, excessive data usage, or unexpected app crashes, especially after installing new applications. These could be indicators of spyware activity.
  • Enable Mobile Threat Detection: For individuals and organizations at higher risk, implement mobile threat detection (MTD) solutions to proactively identify and block malicious applications and activities.
  • Educate Users: Organizations supporting at-risk individuals should regularly conduct cybersecurity awareness training focusing on phishing tactics, social engineering, and the dangers of installing unverified applications.
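The advice above (check the installer source, the app's identity and its permissions) can be turned into a repeatable inventory check. The following Python script is an added example written for this article; it is not code from Lookout, ESET or the HackersRadar page. It triages constructed app-inventory records of the kind an MTD agent or an `adb shell pm` dump would provide. The permission list is an inference from the data the article says ProSpy collects (contacts, SMS, on-device media), not from the samples themselves; the Signal package name is the real one, while the signing-certificate fingerprint is a labelled placeholder, and ToTok and Botim are left out because their values are not on the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Google Play's installer package name (a real Android value). Anything else
# (None, a browser, a file manager) means the APK was sideloaded, which is how
# the article says the trojanized lookalikes are delivered.
PLAY_STORE_INSTALLER = "com.android.vending"

# Runtime permissions an app must hold to read the data categories the article
# says ProSpy harvests. Real Android permission strings; mapping them to ProSpy
# is an inference from the reported behaviour, not from the samples.
DATA_THEFT_PERMS: Set[str] = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.READ_MEDIA_AUDIO",
}

# Display names the campaign imitates (from the article), lower-cased.
IMPERSONATED_LABELS = {"signal", "totok", "botim"}

# Known-good package -> signing-certificate SHA-256. Signal's package name is
# real; the fingerprint is a PLACEHOLDER a deployment would replace with the
# publisher's published certificate hash. ToTok/Botim omitted (not on the page).
TRUSTED_SIGNERS: Dict[str, str] = {
    "org.thoughtcrime.securesms": "SIGNAL_SIGNER_SHA256_PLACEHOLDER",
}

Finding = Tuple[str, str]  # (code, human-readable message)


@dataclass
class InstalledApp:
    """One constructed row of a device app inventory."""
    label: str
    package: str
    installer: Optional[str]
    signer_sha256: str
    permissions: Set[str] = field(default_factory=set)


def triage(app: InstalledApp) -> List[Finding]:
    """Return findings for one app; an empty list means nothing stood out."""
    findings: List[Finding] = []

    # Identity check: a messenger-looking label must belong to the known-good
    # package AND be signed by the publisher's certificate.
    if app.label.lower() in IMPERSONATED_LABELS:
        expected = TRUSTED_SIGNERS.get(app.package)
        if expected is None:
            findings.append(("impostor",
                             f"label '{app.label}' but package {app.package} "
                             "is not the known-good one"))
        elif app.signer_sha256.lower() != expected.lower():
            findings.append(("signer",
                             f"{app.package} is signed by an unknown certificate"))

    # Provenance check: was it installed by Google Play?
    if app.installer != PLAY_STORE_INSTALLER:
        findings.append(("sideload", f"sideloaded (installer={app.installer!r})"))

    # Permission check: three or more of the data-harvest permissions at once.
    harvest = sorted(app.permissions & DATA_THEFT_PERMS)
    if len(harvest) >= 3:
        findings.append(("permissions",
                         "holds contact/SMS/media read permissions: " + ", ".join(harvest)))
    return findings


def is_suspicious(app: InstalledApp) -> bool:
    """Escalate on an identity mismatch, or on sideloading combined with a
    spyware-shaped permission set; sideloading alone is too common to alert on."""
    codes = {code for code, _ in triage(app)}
    return bool(codes & {"impostor", "signer"}) or {"sideload", "permissions"} <= codes


def triage_inventory(apps: List[InstalledApp]) -> Dict[str, List[str]]:
    """Map package -> messages for every app that should be escalated."""
    return {a.package: [m for _, m in triage(a)] for a in apps if is_suspicious(a)}


if __name__ == "__main__":
    # Constructed sample inventory: a Play-installed Signal and a sideloaded lookalike.
    sample = [
        InstalledApp("Signal", "org.thoughtcrime.securesms", PLAY_STORE_INSTALLER,
                     "SIGNAL_SIGNER_SHA256_PLACEHOLDER",
                     {"android.permission.READ_CONTACTS"}),
        InstalledApp("Signal", "com.example.signal.update", None, "cafebabe",
                     {"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
                      "android.permission.READ_EXTERNAL_STORAGE"}),
    ]
    for pkg, msgs in triage_inventory(sample).items():
        print(pkg)
        for m in msgs:
            print("  -", m)
```

The identity check deliberately keys on the display label rather than the package name: a lookalike APK keeps the brand the victim expects while its package name and signer are whatever the attacker chose, so the mismatch between the two is the signal. Fingerprints are compared case-insensitively because tooling prints them in both cases.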
