A sophisticated mobile espionage campaign utilizing fake secure messaging apps to distribute potent Android spyware, dubbed ProSpy, has been actively targeting individuals across the Middle East since at least 2022. Attackers are skillfully impersonating legitimate and widely trusted applications such as Signal, ToTok, and Botim, aiming to infect the devices of journalists, activists, and civil society members who rely on these platforms for secure communication.
The operation’s scope widened significantly following an investigation initiated in August 2025 by Access Now’s Digital Security Helpline. Initially looking into phishing attacks aimed at prominent Egyptian journalists and opposition politicians, researchers uncovered Android malware linked to the phishing infrastructure. This discovery led to a broader inquiry, revealing a far-reaching espionage effort that has impacted Egypt, Bahrain, the United Arab Emirates, Saudi Arabia, Lebanon, and the United Kingdom, with potential connections extending to the United States.
Lookout Threat Intelligence analysts have identified this campaign as a probable hack-for-hire operation, possibly linked to BITTER APT (also known as T-APT-17), a threat actor with suspected ties to the Indian government. Their analysis of 11 ProSpy samples, with the earliest dating back to August 2024, traced the malware’s command-and-control infrastructure. Researchers assessed with moderate confidence that an organization affiliated with BITTER APT, or BITTER itself, was likely contracted to conduct surveillance on civil society targets within the MENA region. This marks the first documented instance of BITTER-linked activity specifically targeting civil society in this area.
ProSpy was first publicly detailed in October 2025 by ESET, which reported on two Android spyware families, ProSpy and ToSpy, both found to be targeting users in the UAE. Lookout’s investigation has grouped both families under the ProSpy designation for clarity. The malware, written in Kotlin and employing an object-oriented design, features individual worker classes responsible for discrete data collection tasks. It meticulously harvests contacts, SMS messages, and device information. Furthermore, it scans local storage for images, audio, video, documents, and archive files, silently exfiltrating all collected data to attacker-controlled servers.
How ProSpy Compromises Android Devices
The distribution of ProSpy follows a calculated two-stage approach. Initially, attackers establish contact with their intended targets by creating fake social media or messaging personas. These personas sometimes pose as Apple Support on iMessage or use professional networking platforms like LinkedIn to build initial rapport. Once a degree of trust is established, the victim receives a spearphishing link. For Android users, this link directs them to a malicious website hosting a trojanized APK file, meticulously designed to mimic a legitimate messaging application.
During the investigation, researchers observed a specific instance where a fake invitation to a secure video call led users to a landing page impersonating a ToTok app update. This page then initiated the automatic download of a malicious APK. The landing page, available in both English and Arabic, clearly indicated the attackers’ intention to target an Arabic-speaking audience. Similar deceptive staging sites were also observed for Signal and Botim, each carefully constructed to deceive unsuspecting users.
Upon successful installation, ProSpy establishes communication with its command-and-control server using the Retrofit library. It is capable of executing up to ten distinct commands, enabling it to collect a wide range of sensitive data, including documents, contact lists, SMS messages, images, and video files.
Civil society members, journalists, and activists operating in the Middle East are strongly advised to refrain from downloading applications from sources outside of official app stores. It is also crucial to exercise extreme caution regarding unsolicited links, even when they appear to come from trusted contacts. Organizations supporting at-risk individuals should actively promote the use of mobile threat detection tools and consistently educate their user base about the inherent dangers of installing applications from unverified sources. Any unusual requests for app permissions or unexpected device behavior following the installation of a messaging application should be considered a significant red flag requiring immediate investigation.
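The indicators the article describes, a trusted brand name under an unofficial package, installation from outside an app store, and a permission set covering the contacts, SMS and local-storage data the spyware collects, can be turned into a simple inventory check. The script below is an added example and is not code from the article, Lookout or ESET. It triages app records as an MDM export or a parsed `adb shell dumpsys package` listing might provide; the two records it runs on are constructed. Signal's package name is its real one, while the ToTok and Botim entries in `OFFICIAL_PACKAGES` are placeholders to be filled from the vendors' store listings before use.

```python
"""Triage installed messaging apps for signs of a trojanized impostor.

Added example, not from the article or from Lookout/ESET. Inventory
records below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Google Play's installer package name; any other installer (or none) means
# the app was sideloaded, which is how the fake Signal/ToTok/Botim builds arrive.
PLAY_STORE_INSTALLER = "com.android.vending"

# ASSUMPTION: official package names. Signal's is its real package name;
# the ToTok and Botim values are placeholders to fill from the vendor's
# store listing before use.
OFFICIAL_PACKAGES = {
    "Signal": "org.thoughtcrime.securesms",
    "ToTok": "PLACEHOLDER_TOTOK_PACKAGE_NAME",
    "Botim": "PLACEHOLDER_BOTIM_PACKAGE_NAME",
}

# Permissions that map onto the data ProSpy is reported to harvest:
# contacts, SMS, and media/documents on local storage.
SMS_CONTACTS = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS"}
STORAGE_READ = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.READ_MEDIA_AUDIO",
}


@dataclass
class InstalledApp:
    label: str                 # user-visible app name
    package: str               # applicationId
    installer: Optional[str]   # installerPackageName, None if none recorded
    permissions: Set[str]      # requested permissions


def triage(app: InstalledApp) -> List[str]:
    """Return finding codes for one app record, strongest indicator first."""
    findings = []
    official = OFFICIAL_PACKAGES.get(app.label)
    if official is not None and app.package != official:
        # A trusted brand name presented under a different package name.
        findings.append("PACKAGE_MISMATCH")
    if app.installer != PLAY_STORE_INSTALLER:
        findings.append("SIDELOADED")
    if SMS_CONTACTS <= app.permissions and app.permissions & STORAGE_READ:
        # Legitimate messengers (Signal included) request these too, so this
        # is a weak signal on its own; it only adds weight to the ones above.
        findings.append("COLLECTION_PERMISSION_SET")
    return findings


def is_suspect(app: InstalledApp) -> bool:
    """Escalate on impersonation or sideloading, never on permissions alone."""
    return bool(set(triage(app)) & {"PACKAGE_MISMATCH", "SIDELOADED"})


# Constructed sample inventory: a genuine Play Store Signal and a sideloaded
# impostor carrying the Signal label under a made-up package name.
GENUINE_SIGNAL = InstalledApp(
    label="Signal",
    package="org.thoughtcrime.securesms",
    installer="com.android.vending",
    permissions={"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
                 "android.permission.READ_MEDIA_IMAGES"},
)
FAKE_SIGNAL = InstalledApp(
    label="Signal",
    package="com.example.secure.chat",   # constructed impostor package name
    installer=None,                      # no store installer recorded
    permissions={"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
                 "android.permission.READ_EXTERNAL_STORAGE"},
)

if __name__ == "__main__":
    for app in (GENUINE_SIGNAL, FAKE_SIGNAL):
        print(app.package, triage(app), "SUSPECT" if is_suspect(app) else "ok")
```

The permission check is deliberately kept as a supporting signal only: the genuine Signal build also asks for contacts, SMS and media access, so a rule keyed on permissions alone would flag the real app as readily as the fake. The package-name and installer checks are what separate the two, which is why a per-device inventory (rather than a manifest scan in isolation) is the useful place to run this.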

