Android users, listen up: if you’ve recently downloaded a messaging app from a source outside the Play Store, you might want to double-check what’s really running on your phone. Two particularly nasty spyware threats are making the rounds, and they’re hiding in plain sight by pretending to be popular communication tools. Here’s what’s going on — and how to protect yourself.

ProSpy and ToSpy are targeting Android devices

The two culprits are named ProSpy and ToSpy, and they’re not your run-of-the-mill malware. These sophisticated tools are designed to collect your personal data, quietly and thoroughly. They mimic legitimate messaging apps — most notably Signal and ToTok — to trick users into installing them.

ToTok, if you remember, was pulled from official app stores back in 2019 after allegations surfaced that it had been used for government surveillance. Now, attackers are exploiting its past popularity to lure in unsuspecting users once again.

Cybersecurity experts at ESET have flagged this wave of attacks, explaining that these malicious apps aren’t available on the Google Play Store or Apple’s App Store. Instead, they’re distributed via fake websites, carefully designed to look like real download pages for Signal or ToTok.

How the spyware sneaks in

Once installed, the fake apps don’t just sit quietly on your home screen. ProSpy and ToSpy request access to sensitive data — contacts, SMS messages, saved files, and even app usage logs. They hoover up this information quickly, sending it straight to the attackers’ servers.

One especially devious trick involves changing the app’s icon after installation. For instance, ProSpy disguises itself as Google Play Services, making it nearly impossible for users to spot or uninstall. Click on the icon, and it opens a legitimate screen from the real Play Services — so you’d never suspect foul play.

ToSpy uses another clever ruse: if the actual ToTok app is already installed on your phone, the fake version launches the real one in the background, keeping up the illusion. If it isn’t? It redirects you to the Huawei AppGallery to download it — again, all designed to cover its tracks.

Why these viruses are so persistent

What makes these threats particularly dangerous is how persistent they are. Even if you try to close the app manually, it will relaunch itself — either automatically at startup or by disguising itself as a crucial background service.

That means the spyware doesn’t just run once and disappear. It continues operating behind the scenes, collecting data without you ever knowing. ESET believes ProSpy attacks began last year, while ToSpy may have been in circulation since 2022. Most targets so far appear to be in the United Arab Emirates, but these tactics could spread fast — and globally.

How to protect yourself

The best defense? Stick to official app stores. While it can be tempting to grab a “pro” version of your favorite messaging app from a quick web search, sideloading apps from unofficial sources is a massive security risk.

Always verify the website you’re using — check the URL, Google the name, and look for signs of legitimacy. If something feels off, trust your gut and don’t download it.

Security professionals also recommend keeping your phone’s OS up to date and enabling Google Play Protect, which helps scan for and block suspicious apps before they can do any harm.

In a world where spyware keeps getting smarter, staying one step ahead means being cautious, not paranoid. Keep your digital doors locked — and think twice before clicking “Download.”