ProSpy

ProSpy is an Android spyware linked to a hack-for-hire operation with ties to BITTER APT (T-APT-17), a threat actor with suspected connections to the Indian government. First documented by ESET in October 2025 under the names ProSpy and ToSpy, the family was subsequently tied to a broader MENA civil society targeting campaign through joint research by Lookout, Access Now, and SMEX published in April 2026. The campaign targets journalists, opposition politicians, and civil society members in Egypt, Lebanon, Bahrain, UAE, and Saudi Arabia through spearphishing via social media and messaging apps, delivering trojanized versions of secure messaging applications like Signal, ToTok, and Botim.

Overview

| Attribute | Details |
|---|---|
| First Seen | August 2024 (earliest sample) |
| Status | Active, under active development |
| Type | Spyware |
| Attribution | BITTER APT (T-APT-17), likely hack-for-hire operation with ties to South Asian state-sponsored group |
| Aliases | ProSpy, ToSpy (ESET naming) |
| Platform | Android |
| Language | Kotlin |
| Lineage | Code similarities with Dracarys (BITTER APT, 2022) |

Origin and Lineage

Lookout's attribution to BITTER APT rests on several indicators. The distribution domain com-ae[.]net was attributed to BITTER by the Maltrail project based on a JARM hash and infrastructure fingerprint linking it to youtubepremiumapp[.]com, a C2 domain used by Dracarys in 2022. Meta attributed Dracarys to BITTER in their Q2 2022 adversarial threat report.

Code-level similarities between ProSpy and Dracarys include:

| Feature | Dracarys | ProSpy |
|---|---|---|
| Language | Java | Kotlin |
| Architecture | Worker classes for tasks | Worker classes for tasks |
| Commands | Numbered C2 commands | Numbered C2 commands (0-9) |
| Endpoints | /r3/ prefix | /v3/ prefix |
| Lures | Signal, Telegram, Briar | Signal, ToTok, Botim |
| App naming | "Pro" and "Premium" suffixes | "Pro" suffixes |

BITTER APT has targeted Android devices since at least 2014 with various custom malware families. However, this campaign represents the first documented case of BITTER-linked targeting of civil society in the MENA region. Proofpoint and Threatray have published assessments linking BITTER to Indian government interests based on targeting patterns (military, energy, telecom, and MFA entities in China, Pakistan, Bangladesh, Saudi Arabia, and Turkey).

Lookout assesses this is likely a hack-for-hire operation rather than direct BITTER activity, given the unusual victim profile (civil society rather than government/military). Indian hack-for-hire companies like Rebsec (staffed by former Appin and Belltrox employees) have previously targeted the MENA region with credential phishing. BITTER also shares overlap with Bahamut, a known hack-for-hire group: Lookout observed identical custom intent actions in BITTER's BitterDawn malware and Bahamut's Android malware, a pattern found in no other analyzed applications.

Distribution

Two-Stage Social Engineering

The campaign uses persistent social engineering before delivering malware:

  1. Initial contact: Sockpuppet personas reach targets through LinkedIn, social media, or iMessage (impersonating Apple Support)
  2. Spearphishing delivery: Targets are pressured into clicking a link that either captures credentials (iOS) or delivers ProSpy (Android)

iOS targets receive phishing links impersonating iCloud to access device backups and Signal account syncing. Android targets are directed to install ProSpy disguised as a messaging app.

Distribution Infrastructure

ProSpy is distributed through single-page websites mimicking legitimate messaging app download pages. The sites support English and Arabic, and some automatically start downloading the APK on page load.

| Domain | Lure |
|---|---|
| totok-pro[.]ai-ae[.]io | ToTok (randomized PHP path for obfuscation) |
| totok-pro[.]ae | ToTok |
| encryption-plug-in-signal[.]com-ae[.]net | Signal |
| botim-app[.]pro | Botim |
| totok-pro[.]io | ToTok |
| join-secure-call[.]ai-ae[.]io | Video call invite redirector |

The join-secure-call[.]ai-ae[.]io URL uses a two-stage redirect: the initial URL pretends to be a video call invite, then redirects to a randomized PHP endpoint (/ca9bCVSI.php) that serves the distribution page. Visiting the main domain without the PHP path returns a mostly empty page with "Loading..." text.

Signal QR Code Phishing

The campaign also targets Signal's linked device feature. Victims are presented with a Signal Link Device QR code with Arabic-language instructions. Scanning it links the attacker's device to the victim's Signal account, giving persistent access to all Signal content. This technique was popularized by Russian APTs and is particularly effective against privacy-conscious targets who rely on E2EE messaging.

Capabilities

ProSpy is developed in Kotlin with worker classes handling data collection and exfiltration. Workers can be periodically scheduled or triggered on demand via C2 commands.

C2 Commands

| Command | Name | Function |
|---|---|---|
| 0 | DOCS | Scan and exfiltrate document files (Word, Excel, PowerPoint, PDF, JavaScript) |
| 1 | NEWFILES | Check for recently modified files by modification date |
| 2 | BACKUP | Search for backup files ("backup" and "ttkmbackup" in filenames) |
| 3 | ARS | Search for archive files (zip, rar, tar, 7z, jar, apk, json) |
| 4 | OTHERS | Search for files not matching other MIME types |
| 5 | IMAGES | Search for image files |
| 6 | AUDIOS | Search for audio files |
| 7 | VIDEOS | Search for video files |
| 8 | SMS | Collect and exfiltrate SMS messages |
| 9 | CONTACTS | Collect and exfiltrate phone contacts |

File Exfiltration

ProSpy traverses internal and external storage, filtering files by MIME type. Document types include MS Office formats, PDF, and JavaScript. Archive types include zip, rar, tar, 7z, jar, APK, and JSON.

The BACKUP worker specifically targets third-party app backup files, including ToTok backup files (.ttkmbackup extension). The NEWFILES worker is a newer addition that exfiltrates only recently modified files based on modification timestamp, reducing noise and focusing on active content.

Data Collection

Contacts, SMS messages, and device information are collected and exfiltrated as JSON. Device hardware and software information is fingerprinted on registration.

C2 Infrastructure

ProSpy uses the Retrofit library for HTTP communication. All endpoints use the /v3/ prefix.

| Endpoint | Purpose |
|---|---|
| /v3/getType | Poll for new commands |
| /v3/setEvent | Report events and errors |
| /v3/setStatus | Report status and debug messages |
| /v3/images | Upload image files |
| /v3/videos | Upload video files |
| (additional /v3/ endpoints per file type) | Per-type exfiltration |

C2 Domains

| Domain | Purpose |
|---|---|
| sgnlapp[.]info | C2 |
| treasuresland[.]cc | C2 |
| relaxmode[.]org | C2 |
| track-portal[.]co | C2 |
| totokapp[.]info | C2 |
| totok-pro[.]io | C2 |
| clubline[.]cc | C2 |
| regularsports[.]org | C2 |
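The endpoint and domain tables above translate directly into a proxy-log hunt: a known C2 domain is a high-confidence hit on its own, while the distinctive /v3/getType, /v3/setEvent and /v3/setStatus paths on a host not yet on the list are worth a medium-confidence alert, since the domain set rotates. The following is an added example (not code from the page or from Lookout) that runs that logic over constructed proxy log lines; the log format is an assumption of the example, and the only page-derived data are the C2 domains and endpoint names.

```python
import re
from collections import Counter

# C2 domains listed on this page, refanged for matching against proxy logs.
C2_DOMAINS = {
    "sgnlapp.info", "treasuresland.cc", "relaxmode.org", "track-portal.co",
    "totokapp.info", "totok-pro.io", "clubline.cc", "regularsports.org",
}

# Endpoints listed on this page; any other /v3/<name> path is treated as the
# per-file-type upload family the page mentions.
KNOWN_PATHS = {
    "/v3/getType": "command poll",
    "/v3/setEvent": "event/error report",
    "/v3/setStatus": "status/debug report",
    "/v3/images": "image upload",
    "/v3/videos": "video upload",
}
V3_PATH = re.compile(r"^/v3/[A-Za-z]+$")

# Constructed log format (assumption): "<timestamp> <client-ip> <method> <host> <path> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines: one beaconing client, one client using /v3/ paths on an
# unlisted host, and one benign request.
SAMPLE_LOG = [
    "2026-03-16T09:12:01Z 10.0.0.5 GET sgnlapp.info /v3/getType 200",
    "2026-03-16T09:17:02Z 10.0.0.5 GET sgnlapp.info /v3/getType 200",
    "2026-03-16T09:17:05Z 10.0.0.5 POST sgnlapp.info /v3/setStatus 200",
    "2026-03-16T09:20:11Z 10.0.0.7 POST new-host.example /v3/images 200",
    "2026-03-16T09:20:40Z 10.0.0.7 POST new-host.example /v3/docs 200",
    "2026-03-16T09:21:00Z 10.0.0.9 GET www.example.org /index.html 200",
]


def classify_line(line):
    """Return an alert dict for one log line, or None if it is not ProSpy-like."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    host, path = m["host"].lower(), m["path"]
    if host in C2_DOMAINS:
        # Listed C2 domain: high confidence regardless of path.
        severity = "high"
        reason = KNOWN_PATHS.get(path, "contact with listed C2 domain")
    elif path in KNOWN_PATHS:
        # Documented endpoint name on a host the list does not know yet.
        severity = "medium"
        reason = f"{KNOWN_PATHS[path]} path on unlisted host"
    elif V3_PATH.match(path):
        # Generic /v3/<name> path: weak on its own, useful when it clusters per client.
        severity = "low"
        reason = "generic /v3/ path on unlisted host"
    else:
        return None
    return {"ts": m["ts"], "src": m["src"], "host": host, "path": path,
            "severity": severity, "reason": reason}


def hunt(lines):
    """Classify every line; return alerts (highest severity first) and per-client poll counts."""
    order = {"high": 0, "medium": 1, "low": 2}
    alerts = [a for a in (classify_line(l) for l in lines) if a]
    alerts.sort(key=lambda a: (order[a["severity"]], a["ts"]))
    # Repeated /v3/getType hits from one client are the beaconing signal to escalate on.
    polls = Counter(a["src"] for a in alerts if a["path"] == "/v3/getType")
    return alerts, polls


if __name__ == "__main__":
    found, poll_counts = hunt(SAMPLE_LOG)
    for a in found:
        print(f'{a["severity"]:6} {a["src"]:10} {a["host"]:18} {a["path"]:15} {a["reason"]}')
    print("command-poll counts per client:", dict(poll_counts))
```

Feed real proxy or DNS logs through `hunt` after adapting `LOG_LINE` to the local format; the per-client poll counter is what separates a genuine ProSpy beacon (a regular cadence of /v3/getType) from a single accidental hit.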

Phishing Infrastructure

The phishing infrastructure is extensive, with hundreds of domains active since at least 2023. First-level domains remain active for months, with subdomains created on the fly for targeted attacks against specific victims.

Two domain patterns dominate:

  1. Subdomain as lure: The subdomain impersonates the service (e.g., Zoom), while the first-level domain uses two digraphs potentially indicating region and language
  2. Combined lure: The service name spans the subdomain and domain boundary (e.g., "information" split across subdomain ending and domain beginning)

Targeted Services

The phishing campaign impersonates a broad range of services:

| Category | Services |
|---|---|
| Communication | Zoom, Microsoft Teams, Signal, ToTok, Botim, Telegram, WhatsApp, FaceTime, Haven |
| Email | Microsoft Office 365, Live Webmail, Yahoo, Hotmail, Google |
| Cloud | Google Drive, Apple iCloud, Apple iTunes, Google Play |
| Government | Bahrain MOFA, Bahrain National Communication Center, Bahrain PM's Office, Bahrain Defence Force, Egypt Ministry of Finance, Information & eGovernment Authority (Bahrain) |
| Media | Reuters, The Guardian, Jerusalem Post, "Gaza Report" |
| Other | T-Mobile, CITI, Chase, DHL, Columbia University, Temple University, Nottingham Events, Sky Security |

Target Regions and Victims

| Region | Target Profile |
|---|---|
| Egypt | Journalists, opposition politicians, civil society |
| Lebanon | Civil society members |
| Bahrain | Government entities (MOFA, Defence Force, PM's Office, NCC), civil society |
| UAE | Civil society, ProSpy lure region |
| Saudi Arabia | Potential targets based on infrastructure |
| United Kingdom | Potential targets based on infrastructure |
| United States | Potential targets (university alumni lures) |

Access Now's Digital Security Helpline initiated the investigation after being contacted about phishing attacks targeting Egyptian journalists and politicians in August 2025.

IOCs

File Hashes (SHA-1)

| SHA-1 | App Name | Package Name | Date |
|---|---|---|---|
| 92dd37a709cbc7379e2804fe63d61a7d9846f934 | Botim Pro | com.chatbot.botim | 2026-03-15 |
| bebd8af44329037c34c1d5812ada26bc2230f50d | ToTok Pro | com.chat.connect | 2026-02-19 |
| af7ab9213eaa20a6b1a4fb5be6e6b2e56160c746 | Botim Pro | the.messenger.bot | 2026-02-05 |
| 8152b06537853e90103ed956653e446453e80293 | ToTok Pro | al.totok.chat | 2025-11-17 |
| 50c7cab6221b24636f0d053679b843a194d8f4a1 | Signal Encryption Plugin | org.thoghtcrime.securesms | 2025-10-02 |
| 38174544c6d6e127bbfee0bab031c2370e0a1bec | Signal Encryption Plugin | org.thoghtcrime.securesms | 2025-09-28 |
| ae60794c6f1d4893a20009437ebf96d790985a7c | ToTok Pro | al.totok.chat | 2025-08-26 |
| 02ee423f1cd1a123169ef1e4e7d40dbb2139d86b | Botim Pro | im.thebot.mesenger | 2025-08-17 |
| 6339add91eb118831571e30801a28a40b2c304a0 | ToTok Pro | ae.totok.chat | 2025-08-14 |
| 154d67f871ffa19dce1a7646d5ae4ff00c509ee4 | Signal Encryption Plugin | org.thoghtcrime.securesms | 2025-06-16 |
| 26fa78ccf9dbe970a4bc2911592ec99db809ffe5 | Signal Encryption Plugin | org.thoghtcrime.securesms | 2025-05-06 |
| 43f4dc193503947cb9449fe1cca8d3feb413a52d | ToTok Pro | ae.totok.chat | 2024-12-28 |
| ffaac2fdd9b6f5340d4202227b0b13e09f6ed031 | ToTok Pro | ae.totok.chat | 2024-08-07 |
| 579f9e5db2befccb61c833b355733c24524457ab | ToTok Pro | ae.totok.chat | 2024-08-07 |
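Two things in the hash table are worth turning into a check on a device inventory: the exact SHA-1 and package-name matches, and the fact that several package names are one-character edits of the apps they impersonate (org.thoghtcrime.securesms against Signal's real org.thoughtcrime.securesms, im.thebot.mesenger against Botim). The following is an added example (not code from the page or from Lookout) that parses the table above, hashes an APK, and reports exact IOC hits alongside lookalike package ids. Signal's package id is well known; the ToTok and Botim ids in `LEGIT_PACKAGES` are assumptions of this example, and the inventory in `__main__` is constructed.

```python
import difflib
import hashlib

# The SHA-1 table from this page, one row per line: hash, app name, package, date.
IOC_TEXT = """
92dd37a709cbc7379e2804fe63d61a7d9846f934 Botim Pro com.chatbot.botim 2026-03-15
bebd8af44329037c34c1d5812ada26bc2230f50d ToTok Pro com.chat.connect 2026-02-19
af7ab9213eaa20a6b1a4fb5be6e6b2e56160c746 Botim Pro the.messenger.bot 2026-02-05
8152b06537853e90103ed956653e446453e80293 ToTok Pro al.totok.chat 2025-11-17
50c7cab6221b24636f0d053679b843a194d8f4a1 Signal Encryption Plugin org.thoghtcrime.securesms 2025-10-02
38174544c6d6e127bbfee0bab031c2370e0a1bec Signal Encryption Plugin org.thoghtcrime.securesms 2025-09-28
ae60794c6f1d4893a20009437ebf96d790985a7c ToTok Pro al.totok.chat 2025-08-26
02ee423f1cd1a123169ef1e4e7d40dbb2139d86b Botim Pro im.thebot.mesenger 2025-08-17
6339add91eb118831571e30801a28a40b2c304a0 ToTok Pro ae.totok.chat 2025-08-14
154d67f871ffa19dce1a7646d5ae4ff00c509ee4 Signal Encryption Plugin org.thoghtcrime.securesms 2025-06-16
26fa78ccf9dbe970a4bc2911592ec99db809ffe5 Signal Encryption Plugin org.thoghtcrime.securesms 2025-05-06
43f4dc193503947cb9449fe1cca8d3feb413a52d ToTok Pro ae.totok.chat 2024-12-28
ffaac2fdd9b6f5340d4202227b0b13e09f6ed031 ToTok Pro ae.totok.chat 2024-08-07
579f9e5db2befccb61c833b355733c24524457ab ToTok Pro ae.totok.chat 2024-08-07
"""

# Package ids of the apps being impersonated. Signal's id is well known; the
# ToTok and Botim ids are assumptions for this example and should be verified.
LEGIT_PACKAGES = {
    "org.thoughtcrime.securesms": "Signal",
    "ai.totok.chat": "ToTok (assumed id)",
    "im.thebot.messenger": "Botim (assumed id)",
}


def parse_iocs(text):
    """Build {sha1: {app, package, date}} from the whitespace-separated table."""
    iocs = {}
    for line in text.strip().splitlines():
        parts = line.split()
        sha1, package, date = parts[0].lower(), parts[-2], parts[-1]
        iocs[sha1] = {"app": " ".join(parts[1:-2]), "package": package, "date": date}
    return iocs


IOCS = parse_iocs(IOC_TEXT)
IOC_PACKAGES = {v["package"] for v in IOCS.values()}


def sha1_of_bytes(data):
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk=1 << 20):
    """Stream-hash an APK so large files do not need to be read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookalike_of(package, cutoff=0.9):
    """Return the legitimate package id this one closely resembles but is not, else None."""
    best = difflib.get_close_matches(package, list(LEGIT_PACKAGES), n=1, cutoff=cutoff)
    if best and best[0] != package:
        return best[0]
    return None


def assess_package(package, sha1=None):
    """Return a list of (verdict, detail) tuples; an empty list means no indicator matched."""
    verdicts = []
    if sha1 and sha1.lower() in IOCS:
        verdicts.append(("hash_match", IOCS[sha1.lower()]["app"]))
    if package in IOC_PACKAGES:
        verdicts.append(("package_match", package))
    legit = lookalike_of(package)
    if legit:
        verdicts.append(("lookalike", legit))
    return verdicts


if __name__ == "__main__":
    # Constructed inventory of (package, sha1) pairs as an MDM export might provide.
    inventory = [
        ("org.thoughtcrime.securesms", "0000000000000000000000000000000000000000"),
        ("org.thoghtcrime.securesms", "50c7cab6221b24636f0d053679b843a194d8f4a1"),
        ("ai.totok.chat", None),
        ("al.totok.chat", "ffffffffffffffffffffffffffffffffffffffff"),
    ]
    for pkg, digest in inventory:
        print(pkg, assess_package(pkg, digest) or "clean")
```

The lookalike check catches a future sample whose hash is not yet in the table but which reuses the typosquatted package id; tune `cutoff` downward only with an allowlist in place, because it will also flag legitimate forks that share most of a package prefix.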

Dracarys (BITTER APT, 2022): Java-based predecessor attributed to BITTER by Meta. Shared worker-class architecture, numbered commands, and messaging app lures. Used /r3/ endpoint prefix vs ProSpy's /v3/. C2 domain youtubepremiumapp[.]com links to ProSpy infrastructure via JARM fingerprinting.

BitterDawn (BITTER APT): Earlier BITTER Android malware sharing custom intent actions with Bahamut's Android tools, suggesting potential resource overlap between BITTER and hack-for-hire operations.
