Hackers Exploit Secure Messaging Apps to Deploy Advanced Android Spyware Against Middle Eastern Targets
In a troubling development, cybercriminals are leveraging popular secure messaging applications to distribute an advanced Android spyware tool known as ProSpy. This malicious activity appears to be part of a sophisticated hack-for-hire scheme linked to the BITTER Advanced Persistent Threat (APT) group, targeting journalists, activists, and political figures across the Middle East.
This cyber campaign has shown signs of activity since at least 2022 and has primarily focused on civil society members and potentially government officials within several countries, including Egypt, Lebanon, Bahrain, the United Arab Emirates (UAE), Saudi Arabia, and various nations in the broader Middle East and North Africa (MENA) region.
The modus operandi of these attackers typically begins with reaching out to their targets through various online platforms, including LinkedIn, other messaging apps, or email. They apply psychological pressure to coax their targets into clicking on a malicious link, often under false pretenses such as a purported video call, document sharing, or urgent alerts regarding account security.
Joint research conducted by organizations such as Access Now, Lookout, and SMEX highlights that the operation heavily relies on persistent social engineering tactics and customized spear-phishing strategies. Attackers frequently craft fake profiles on social media and messaging platforms, impersonating journalists, support personnel, or trusted contacts to build credibility and facilitate their deceptive campaigns.
The fraudulent links typically lead victims to credential-phishing pages that masquerade as legitimate services like iCloud, Office 365, or webmail. They may also redirect users to counterfeit download pages where the spyware is stealthily installed on Android devices in the form of an APK file.
ProSpy: The Stealthy Android Spyware
ProSpy is classified as a family of spyware designed specifically for Android systems and is notable for masquerading as legitimate, secure versions of widely trusted communication apps such as Signal, ToTok, and Botim. Attackers have created simplistic, single-page websites that mimic the appearance of these applications, enabling automatic distribution of harmful APK files under names like "ToTok Pro," "Botim Pro," and "Signal Encryption Plugin."
These deceptive websites are often hosted on misleading domains such as totok-pro[.]ai-ae[.]io or botim-app[.]pro. They frequently employ both English and Arabic to reach a broader audience, while utilizing random-looking PHP paths to obscure the true nature of their distribution servers and evade detection by basic scanning protocols.
Once the target unwittingly installs the counterfeit application from outside of official app stores, ProSpy is able to gain extensive permissions, allowing it to blend seamlessly into the device’s normal functioning as a messaging client or plugin. Following installation, ProSpy transforms the affected device into a surveillance tool, extracting a variety of sensitive information, including but not limited to contacts, SMS messages, call data, and a wide assortment of local files. This includes documents, images, audio, video, archived files, and even backups of chat conversations.
The spyware utilizes a modular design which allows it to effectively manage and execute various tasks, such as scanning for recently modified files and searching for backup files. Stolen data is then uploaded to command-and-control (C2) servers for further exploitation.
Communication with the C2 infrastructure is facilitated through REST-like endpoints, often appearing under paths like "/v3/images" or "/v3/videos." The malware routinely polls a "getType"-style endpoint to receive specific commands that dictate its collection efforts. Researchers have identified multiple C2 and staging domains associated with this campaign, such as sg nlapp[.]info, totok-pro[.]io, and treasuresland[.]cc, which are instrumental in hosting malicious payloads while receiving exfiltrated data.
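As an added defender-side example (not code from the article or from the researchers' reports), the following Python triages constructed proxy-log lines for the traffic pattern described above: requests to the staging/C2 domains quoted in the article, the /v3/images and /v3/videos upload paths, and a regularly repeating getType-style command poll. The log format, device names and sample lines are assumptions constructed for this example; the domains are the defanged ones quoted in the article, refanged only for matching.

```python
import re
from statistics import mean, pstdev
# Staging/C2 domains quoted (defanged) in the article; refanged here only for matching.
ARTICLE_DOMAINS = ["totok-pro[.]ai-ae[.]io", "botim-app[.]pro", "totok-pro[.]io", "treasuresland[.]cc"]
KNOWN_HOSTS = {d.replace("[.]", ".") for d in ARTICLE_DOMAINS}
# Path shapes the article attributes to ProSpy: /v3/images, /v3/videos, and a getType command poll.
SUSPICIOUS_PATH = re.compile(r"^/v3/(?:images|videos)(?:/|\?|$)|getType", re.I)
# Constructed proxy-log format (assumption): "<epoch> <device> <METHOD> <url>".
LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+https?://(?P<host>[^/\s]+)(?P<path>/\S*)?$")

def parse_line(line):
    # One log line -> dict (ts as int, path defaulting to "/"), or None when it does not fit.
    m = LOG_RE.match(line.strip())
    return {**m.groupdict(), "ts": int(m["ts"]), "path": m["path"] or "/"} if m else None

def is_beacon(timestamps, min_hits=4, max_rel_jitter=0.2):
    # True when at least min_hits requests recur at a near-constant interval.
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_rel_jitter

def triage(lines):
    # Returns {(device, host): sorted reasons} for every pair that tripped at least one rule.
    reasons, series = {}, {}
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["src"], rec["host"])
        flags = reasons.setdefault(key, set())
        if rec["host"] in KNOWN_HOSTS:
            flags.add("known-staging-domain")
        if SUSPICIOUS_PATH.search(rec["path"]):
            flags.add("prospy-like-path")  # weak alone: benign CDNs use /v3/images too
            series.setdefault((key, rec["path"]), []).append(rec["ts"])
    for (key, _path), ts in series.items():  # regular polling of a flagged path
        if is_beacon(ts):
            reasons[key].add("periodic-command-poll")
    return {k: sorted(v) for k, v in reasons.items() if v}

# Constructed sample: phone-07 polls getType every ~60 s then uploads; phone-12 is a benign CDN fetch.
SAMPLE_LOG = """\
1700000000 phone-07 GET http://totok-pro.io/api/getType
1700000060 phone-07 GET http://totok-pro.io/api/getType
1700000121 phone-07 GET http://totok-pro.io/api/getType
1700000180 phone-07 GET http://totok-pro.io/api/getType
1700000200 phone-07 POST http://treasuresland.cc/v3/images
1700000205 phone-07 GET https://www.example.com/news
1700000300 phone-12 GET https://cdn.example.org/v3/images/logo.png
""".splitlines()
```

Only the combination of a known domain, a ProSpy-like path and regular polling marks phone-07 as a strong hit; the benign CDN fetch trips the path rule alone, which is why that rule should never be alerted on by itself.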
Association with BITTER APT and Hack-for-Hire Operations
Investigative analyses conducted by cybersecurity researchers have drawn parallels between this cyber-espionage operation and the BITTER APT group, which is known for its espionage missions aligned with regional intelligence objectives based out of South Asia. The overlap in infrastructure, similarities in the worker-class design, and the use of numbered commands for operations echo characteristics seen in previous BITTER-related Android malware campaigns like Dracarys.
However, the focus on civil society members and opposition political figures, rather than solely targeting government entities or other strategic sectors, strongly indicates a shift in approach. This suggests that BITTER or closely associated operators are being contracted to perform specialized espionage operations tailored to specific objectives.
Researchers assess this attribution with moderate confidence, underscoring the fact that relatively straightforward social-engineering schemes, when coupled with custom-built Android spyware, remain exceedingly effective against even those who are security-conscious.
This escalating cyber threat raises significant concerns about the safety of individuals involved in activism, journalism, or political activities in the MENA region, urging a call to action for enhanced cybersecurity awareness and protective measures among vulnerable user groups.
