ProSpy Malware Impersonates Secure Apps in Middle East Espionage
Key Takeaways
- A sophisticated mobile espionage campaign, active since at least 2022, targets individuals across the Middle East.
- The campaign deploys ProSpy Android spyware via malicious lookalike versions of popular secure messaging apps like Signal, ToTok, and Botim.
- Victims, primarily journalists, activists, and opposition figures, are lured through spearphishing links after attackers build trust via fake social media personas.
- Attribution points to BITTER APT (T-APT-17), a group potentially linked to the Indian government, operating as a hack-for-hire entity.
A persistent mobile espionage operation has been observed targeting high-profile individuals across the Middle East since 2022, leveraging highly deceptive counterfeit versions of secure messaging applications to deploy potent Android spyware known as ProSpy.
The attackers meticulously engineered malicious applications to mimic the appearance and functionality of trusted platforms such as Signal, ToTok, and Botim. These apps are frequently utilized by journalists, human rights activists, and civil society members for confidential communications, making them ideal lures for a sophisticated surveillance campaign.
The full scope of this campaign began to emerge in August 2025, when the Digital Security Helpline at Access Now initiated an investigation into a series of phishing attacks aimed at prominent journalists and political opposition figures in Egypt.
During their initial inquiry, researchers uncovered Android malware associated with the phishing infrastructure and sought external assistance to determine its origins and broader connections.
Subsequent analysis revealed an extensive espionage effort impacting Egypt, Bahrain, the UAE, Saudi Arabia, Lebanon, and the United Kingdom, with potential reach into the United States.
Analysts at Lookout Threat Intelligence identified this campaign as a probable hack-for-hire operation, exhibiting links to BITTER APT (T-APT-17), a threat actor suspected of having ties to the Indian government.
Lookout researchers obtained 11 distinct samples of ProSpy, with the earliest variant dating back to August 2024. Their investigation successfully mapped the malware’s command-and-control infrastructure across multiple servers and identified numerous fake staging websites used in the campaign.
The Lookout team concluded with moderate confidence that an organization affiliated with BITTER APT, or BITTER itself, was likely contracted by undisclosed parties to conduct surveillance against civil society targets within the Middle East and North Africa (MENA) region. This represents the first documented instance of BITTER-linked activity specifically targeting civil society in this geographical area.
ProSpy was initially documented in October 2025, when ESET published research detailing two Android spyware families, ProSpy and ToSpy, both observed targeting users in the UAE. For consistency, Lookout’s investigation consolidates both families under the unified ProSpy designation.
The spyware is developed in Kotlin and employs an object-oriented architecture, where distinct worker classes are assigned specific data collection responsibilities. ProSpy is designed to exfiltrate contacts, SMS messages, and comprehensive device details. It also scans local storage for images, audio, video, documents, and archive files, transmitting all harvested data stealthily to attacker-controlled servers.
How ProSpy Reaches Its Victims
The delivery mechanism for ProSpy involves a carefully orchestrated two-stage process. Initially, attackers establish deceptive social media or messaging personas, sometimes impersonating Apple Support on iMessage or engaging targets via professional platforms like LinkedIn, to build rapport and trust.
Once a sufficient level of trust is established, the victim receives a spearphishing link. For Android users, this link directs them to a fraudulent website hosting a trojanized APK file, which is disguised to appear as a legitimate messaging application.
During the investigation, one notable instance involved a fake invitation to join a secure video call. Clicking the provided link redirected the user to a landing page that mimicked a ToTok app update, which then automatically initiated the download of a malicious APK. This deceptive page was available in both English and Arabic, indicating a deliberate effort by the attackers to target an Arabic-speaking audience. Similar staging sites were also created to impersonate Signal and Botim, each meticulously designed to exploit user trust.
Upon successful installation, ProSpy utilizes the Retrofit library to establish a connection with its command-and-control server. The spyware is capable of executing up to ten distinct numbered commands, enabling it to collect a wide array of data, including documents, contact lists, SMS messages, images, and video files.
What You Should Do
- Avoid Unofficial App Stores: Never download applications from sources other than official app stores like Google Play. Third-party app stores or direct APK downloads are common vectors for malware.
- Exercise Caution with Links: Be highly suspicious of unexpected links, even if they appear to come from known contacts or trusted organizations. Verify the legitimacy of the sender and the link through an alternative communication channel.
- Verify App Permissions: Scrutinize the permissions requested by any new application. If an app requests permissions that seem excessive or unrelated to its stated function (e.g., a messaging app requesting access to your microphone and camera without a specific feature requiring it), consider it a red flag.
- Monitor Device Behavior: Pay attention to unusual device behavior, such as rapid battery drain, excessive data usage, or unexpected app crashes, especially after installing new applications. These could be indicators of spyware activity.
- Enable Mobile Threat Detection: For individuals and organizations at higher risk, implement mobile threat detection (MTD) solutions to proactively identify and block malicious applications and activities.
- Educate Users: Organizations supporting at-risk individuals should regularly conduct cybersecurity awareness training focusing on phishing tactics, social engineering, and the dangers of installing unverified applications.
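The sideloaded-lookalike pattern described above can be triaged from a device's package list. The following script is an added example (not from the Lookout/ESET research or the article) that parses `adb shell pm list packages -i` output and flags packages that either imitate a secure messenger's name or carry the official name but were not installed by Google Play; Signal's package name is the well-known one, while the ToTok and Botim package names are assumptions and the sample output is constructed.

```python
import re
from dataclasses import dataclass

PLAY_STORE_INSTALLER = "com.android.vending"

# Official package names the lookalikes imitate. Signal's is well known;
# the ToTok and Botim entries are ASSUMED and should be checked against
# the Play Store listings before relying on them.
OFFICIAL_PACKAGES = {
    "signal": "org.thoughtcrime.securesms",
    "totok": "ai.totok.chat",        # assumed
    "botim": "im.thebot.messenger",  # assumed
}

# Shape of each `pm list packages -i` line: "package:<name>  installer=<pkg|null>"
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

@dataclass
class Finding:
    package: str
    installer: str
    reason: str

def parse_pm_output(text):
    """Return (package, installer) pairs from `adb shell pm list packages -i` output."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def triage(text):
    """Flag lookalike package names and sideloaded copies of the real messengers.
    A hit is a lead for follow-up (hash check, signer check), not a verdict."""
    findings = []
    for pkg, installer in parse_pm_output(text):
        for brand, official in OFFICIAL_PACKAGES.items():
            if brand in pkg.lower() and pkg != official:
                findings.append(Finding(pkg, installer, f"name imitates {brand}, not {official}"))
                break
            if pkg == official and installer != PLAY_STORE_INSTALLER:
                findings.append(Finding(pkg, installer, f"official {brand} name but not Play-installed"))
                break
    return findings

# Constructed sample output; the two non-Play entries mimic the article's lures.
SAMPLE = """\
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.android.chrome  installer=null
package:com.totok.update  installer=null
package:im.thebot.messenger  installer=com.android.packageinstaller
"""
```

On a real device, pipe `adb shell pm list packages -i` into `triage()` and confirm any hit by comparing the APK's signing certificate with the store-distributed build.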
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.