Middle East Espionage Attack Uses Fake Secure Messaging Apps to Deliver ProSpy
Hackers are impersonating popular secure messaging apps to deploy a sophisticated Android spyware tool called ProSpy against journalists, activists, and political figures across the Middle East. This hack-for-hire campaign is linked to the BITTER APT group, which has been active since at least 2022.
The operation primarily targets civil society members and potentially government officials in Egypt, Lebanon, Bahrain, the UAE, Saudi Arabia, and the wider MENA region. Attackers initiate contact through platforms like LinkedIn, messaging apps, or email, employing persistent social engineering to pressure victims into clicking malicious links under false pretexts of video calls, urgent documents, or security alerts.
According to joint research by Access Now, Lookout, and SMEX, the campaign relies on sophisticated spearphishing tactics. Fake social media profiles impersonating journalists, support staff, and trusted contacts are frequently used to distribute malicious payloads.
These malicious links either direct victims to credential-phishing pages mimicking services like iCloud, Office 365, or webmail, or lead to fake download pages that silently install the ProSpy spyware as an Android Package Kit (APK) file.
Secure Messaging Apps
ProSpy is an Android spyware family written in Kotlin that impersonates secure or “pro” versions of trusted communication tools, including Signal, ToTok, and Botim. Attackers create deceptive single-page “official-looking” websites that automatically deliver malicious APKs with names like “ToTok Pro,” “Botim Pro,” or “Signal Encryption Plugin.”
These sites use deceptive domains such as totok-pro[.]ai-ae[.]io or botim-app[.]pro, often featuring bilingual (English and Arabic) content and random PHP paths to evade basic security scanning.


Once installed outside official app stores, ProSpy gains broad device permissions and masquerades as a legitimate messaging client. It transforms devices into surveillance sensors, exfiltrating:
- Contacts and communications (SMS/call logs)
- Device information
- Local files (documents, images, audio, video)
- Chat backups (including third-party app archives)
The malware uses a modular “worker” design to automate tasks like scanning recent files, searching backup archives (e.g., .zip, .7z, .toc), and uploading stolen content to command-and-control (C2) servers. Communication typically occurs via REST endpoints like “/v3/images” or “/v3/videos”, with numbered commands triggering specific collection jobs.

Links to BITTER APT and Hack-for-Hire Operations
Lookout’s analysis directly connects this campaign to the South Asia-based BITTER APT group, notorious for long-term espionage operations aligned with regional intelligence interests. Shared infrastructure patterns, worker-class designs, and numbered C2 commands mirror earlier BITTER-linked malware such as Dracarys.

The focus on Middle Eastern civil society and opposition figures suggests a hack-for-hire model, where BITTER operators conduct bespoke espionage contracts.
Despite moderate confidence in attribution, the campaign demonstrates how simple social engineering tactics combined with custom Android malware remain highly effective even against security-conscious targets.