Industry News & Leadership · Apr 10, 2026

Hackers Impersonate Secure Messaging Apps to Deploy ProSpy in Middle East Espionage Attacks

Cybersecurity News · Archived Apr 10, 2026



A targeted mobile espionage campaign has been quietly operating across the Middle East since at least 2022, using fake versions of widely trusted secure messaging apps to plant a powerful Android spyware named ProSpy on victims’ devices. Attackers behind this operation crafted their malicious apps to look identical to well-known platforms like Signal, ToTok, and Botim — applications that many journalists, activists, and civil society members rely on daily for sensitive communications.

The campaign first came into focus in August 2025, when researchers at Access Now’s Digital Security Helpline began investigating a wave of phishing attacks aimed at prominent journalists and opposition politicians in Egypt. During that investigation, they uncovered Android malware connected to the phishing infrastructure and reached out for support in tracing its origins. What followed revealed a broader espionage effort touching Egypt, Bahrain, the UAE, Saudi Arabia, Lebanon, and the United Kingdom, with possible reach into the United States as well.

Lookout Threat Intelligence analysts identified this campaign as a likely hack-for-hire operation with ties to BITTER APT (T-APT-17), a threat actor with suspected connections to the Indian government. After acquiring 11 ProSpy samples — the earliest dating back to August 2024 — Lookout researchers traced the malware’s infrastructure across multiple command-and-control servers and fake staging websites. The team assessed with moderate confidence that an organization with ties to BITTER APT, or BITTER itself, was likely contracted by unknown parties to conduct surveillance against civil society targets in the MENA region — marking the first documented instance of BITTER-linked activity targeting civil society in this area.

ProSpy was first publicly named in October 2025, when ESET published research covering two Android spyware families — ProSpy and ToSpy — both found targeting users in the UAE. Lookout’s investigation groups both families under the ProSpy label for clarity. The malware is written in Kotlin and follows an object-oriented structure, with individual worker classes each responsible for a specific data collection task. It harvests contacts, SMS messages, and device details, while also scanning local storage for images, audio, video, documents, and archive files, sending everything silently to attacker-controlled servers.

How ProSpy Reaches Its Victims

The delivery method follows a deliberate two-stage process. First, attackers build fake social media or messaging personas — sometimes posing as Apple Support on iMessage or operating through professional platforms like LinkedIn — to establish an initial connection with the target. Once a level of trust is formed, the victim is sent a spearphishing link that, for Android users, leads directly to a fake website hosting a trojanized APK file designed to look like a legitimate messaging app.

[Figure: ProSpy distribution site with ToTok application lure (Source – Lookout)]

During the investigation, one observed example involved a fake invitation to join a secure video call. Clicking the link redirected the user to a landing page impersonating a ToTok app update, which then automatically started downloading a malicious APK. The page was available in both English and Arabic, making clear that the attackers were intentionally crafting their lures for an Arabic-speaking audience. Similar staging sites were also built for Signal and Botim, each carefully set up to catch users off guard.

After installation, ProSpy connects to its command-and-control server using the Retrofit library and accepts up to ten numbered commands, directing it to collect anything from documents and contact lists to SMS messages, images, and video files.

[Figure: List of C2 commands for the latest ProSpy variant (Source – Lookout)]

Civil society members, journalists, and activists in the Middle East should avoid downloading applications from outside official app stores and remain cautious about unexpected links, even from seemingly familiar contacts. Organizations supporting at-risk individuals should promote the use of mobile threat detection tools and regularly educate users about the dangers of installing apps from unverified sources. Any unusual app permissions or unexpected device behavior after installing a messaging application should be treated as a red flag and reviewed without delay.
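The closing advice can be applied to a device app inventory. The following is an added example, not code from Lookout, ESET or the original article: it flags apps whose label matches one of the impersonated brands but that were not installed by Google Play, and lists which of the data types ProSpy collects they can read. The App record layout and the sample inventory are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

PLAY_STORE = "com.android.vending"           # installer id of Google Play
LURE_BRANDS = ("signal", "totok", "botim")   # apps the article says were impersonated
# Requested permissions that map to data the article says ProSpy collects.
HARVEST_PERMS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "files",
    "android.permission.READ_MEDIA_IMAGES": "media",
    "android.permission.READ_MEDIA_VIDEO": "media",
    "android.permission.READ_MEDIA_AUDIO": "media",
}

@dataclass
class App:                       # hypothetical inventory record (e.g. an MDM export)
    label: str
    package: str
    installer: Optional[str]     # None = no installer of record (sideloaded)
    permissions: set = field(default_factory=set)

def brand_of(label):
    """Return the lure brand a display label matches, ignoring case and punctuation."""
    flat = re.sub(r"[^a-z0-9]", "", label.lower())
    return next((b for b in LURE_BRANDS if b in flat), None)

def triage(apps):
    """List messenger-branded apps not installed by Google Play and what they can read."""
    findings = []
    for app in apps:
        brand = brand_of(app.label)
        if brand is None or app.installer == PLAY_STORE:
            continue
        access = sorted({HARVEST_PERMS[p] for p in app.permissions if p in HARVEST_PERMS})
        findings.append({"package": app.package, "brand": brand,
                         "installer": app.installer or "none", "can_read": access})
    return findings

# Constructed sample inventory; the com.example.* packages are invented.
SAMPLE = [
    App("Signal", "org.thoughtcrime.securesms", PLAY_STORE,
        {"android.permission.READ_CONTACTS"}),
    App("ToTok Update", "com.example.totokupdate", None,
        {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
         "android.permission.MANAGE_EXTERNAL_STORAGE"}),
    App("Notes", "com.example.notes", None, {"android.permission.READ_CONTACTS"}),
]
```

A finding is a lead for review rather than a verdict: a legitimate app can also be installed outside Google Play, so confirm the package's signing certificate against the vendor's published one before acting.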