ProSpy Spyware Spread: Signal, Google & Zoom Lures by BITTER APT

Article-At-A-Glance

  • ProSpy spyware is an Android-based surveillance tool linked to the South Asian threat group BITTER APT (also known as T-APT-17 and APT-Q-37), actively targeting journalists and civil society in the MENA region.
  • BITTER APT spreads ProSpy by disguising it as trusted apps like Signal, ToTok, and Botim — tricking victims into installing spyware they believe is a legitimate secure messaging tool.
  • Once installed, ProSpy can silently steal contacts, SMS messages, photos, audio files, and sensitive documents from an infected Android device.
  • Cybersecurity firm Lookout has assessed this campaign as a likely hack-for-hire operation, marking the first documented case of BITTER targeting civil society in Egypt, Lebanon, Bahrain, and the UAE.
  • Keep reading to understand exactly how the Signal QR code trick works — and why it’s one of the most deceptive tactics in this campaign.

BITTER APT Is Targeting Journalists and Civil Society With ProSpy Spyware

Spyware doesn’t just go after governments anymore — and ProSpy is the proof.

Cybersecurity researchers at Lookout have uncovered an active mobile surveillance campaign using a newly identified Android spyware called ProSpy. The campaign's lures are built around applications the targets already trust: trojanized builds of Signal, ToTok and Botim carry the spyware itself, while fake login pages for Google Drive, Zoom and Microsoft Teams harvest credentials or push the download. What makes this campaign especially alarming is who is being targeted: journalists, activists, and civil society members across the Middle East and North Africa (MENA) region.

This is not a spray-and-pray phishing operation. Every element of this campaign, from the lures to the infrastructure, shows careful planning and a deep understanding of how high-value targets think and behave online. Understanding how ProSpy spreads, what it does, and who is behind it is one of the most important steps you can take to protect yourself or your organization from this threat.

Who Is BITTER APT?

BITTER APT is a state-aligned advanced persistent threat group believed to originate from South Asia. Researchers track it under multiple names, including T-APT-17 and APT-Q-37, and Lookout has directly linked the ProSpy campaign to this group based on code similarities and shared web infrastructure.

Active Since 2013: A South Asian Threat Group

BITTER has been operating since at least 2013, giving it well over a decade of experience in cyber espionage. Over the years, it has refined its techniques and expanded its toolset significantly, demonstrating a consistent ability to adapt its tactics to bypass security defenses.

Typical Targets: Military, Government, and Energy Sectors

Historically, BITTER’s operations have been concentrated in intelligence-gathering campaigns targeting the following sectors:

  • Military organizations across South and East Asia
  • Government agencies aligned with regional political rivalries
  • Energy sector companies, particularly those tied to national infrastructure
  • Telecommunications firms with access to sensitive communications data

This focus makes sense for a group whose activities broadly align with regional intelligence interests. BITTER’s campaigns have typically served geopolitical objectives, gathering data that could give state-level actors a strategic advantage. Its consistent targeting of secure communication channels, military operations, and energy infrastructure reveals a threat actor with long-term intelligence collection as its primary goal.

Why Targeting Civil Society Is a New and Alarming Shift

The ProSpy campaign is the first documented case of BITTER directly targeting civil society — specifically journalists, human rights advocates, and activists in Egypt, Lebanon, Bahrain, and the UAE. This is a meaningful escalation. When spyware campaigns move from targeting government officials to targeting journalists and activists, it signals that whoever is commissioning these attacks wants to suppress information and monitor dissent, not just gather military intelligence.

How the ProSpy Attack Works: A Two-Stage Approach

This campaign doesn’t rely on a single trick. It uses a layered approach where victims are contacted, manipulated, and then infected — often without ever suspecting anything went wrong.

The attack chain is built on social engineering first and malware delivery second. Attackers invest time in making their approach feel legitimate before they ever send a malicious link or file. That investment is what makes this campaign so effective against security-conscious targets — people who would normally spot a generic phishing email without hesitation.

Stage 1: Spearphishing via LinkedIn and iMessage

Initial contact with targets is made through LinkedIn messages and iMessage. Attackers pose as credible contacts (journalists, researchers, or professional connections) and build enough rapport to get the target to engage. Each message is crafted for the individual recipient rather than sent in bulk, which is what separates spearphishing from ordinary phishing.

Stage 2: Fake Login Pages for Zoom, Google Drive, and Microsoft Teams

Once initial contact is established, victims are directed to convincing fake login pages that mimic Zoom, Google Drive, and Microsoft Teams. These pages are designed to capture credentials or push the download of a trojanized application. The use of well-known enterprise platforms as lures is deliberate — these are tools that journalists and civil society workers use every day, so a request to log in or download an update raises far fewer red flags than an unknown application would.

How the Signal QR Code Trick Hands Over Your Private Messages

One of the most effective tactics in this campaign abuses Signal's legitimate Linked Devices feature rather than any flaw in the app. In a normal linking flow, the new device (Signal Desktop or an iPad) displays a QR code and the user scans it with the phone that holds the account; the code encodes a one-time provisioning request, and scanning it tells Signal to treat that device as part of the account. BITTER starts exactly that flow on a machine it controls, captures the QR code, and sends it to the target dressed up as a Signal account verification or security check. When the victim scans it with Signal, they are approving the attacker's machine as one of their own devices.

From that point forward, every message sent or received on the account is delivered to the attacker's linked device as well. No encryption is broken: Signal encrypts each message separately for every device on an account, so the attacker's device simply decrypts its own copy. The victim sees no obvious sign that anything has changed, and the messages they trusted Signal to protect are being read by someone else.

This works because the feature is operating exactly as designed; the attacker has tricked the user into granting access themselves, which is also why it is so hard to spot after the fact. Two details matter for defenders. A linking QR code is always generated by the device that wants to join, never by Signal as a "verification" step, so any code you did not just watch appear on your own new device is suspect. And linking codes expire quickly, which is why these lures push the target to scan right away.

  • No malware is required for the QR code trick to succeed, just a moment of inattention
  • Recent Signal versions offer to transfer message history to a newly linked device; if the victim accepts that prompt, past conversations are exposed too, not just new ones
  • The attacker's linked device stays on the account until the victim removes it under Settings > Linked Devices
  • The phone does not prominently flag a newly linked device, so the Linked Devices list is the reliable place to look

If you use Signal, right now is a good time to open the app, go to Settings, select Linked Devices, and verify that every device listed is one you personally authorized.
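A safer habit than scanning with Signal directly is to decode an unexpected code with a generic barcode reader first and look at what it contains. As an added example (not from the article, Lookout, or Signal's own code), the script below takes that decoded string and says what Signal would do with it. It assumes the current Signal link formats: sgnl://linkdevice?uuid=...&pub_key=... for device linking, https://signal.group/#... for group invites, https://signal.me/#p/... for contact links, and https://signal.art/addstickers/#... for sticker packs; the sample payloads in it are constructed.

```python
"""Classify the string a QR code decodes to, before Signal acts on it.

Added example, not part of the article, Lookout's research or Signal's code.
Decode the QR with a generic barcode reader, then pass the string here.
"""
from urllib.parse import urlparse, parse_qs

# Signal link shapes this recognises (assumption: current formats as of writing):
#   sgnl://linkdevice?uuid=...&pub_key=...   device-linking (provisioning) request
#   https://signal.group/#...                group invite
#   https://signal.me/#p/+1555...            contact link (sgnl:// form also exists)
#   https://signal.art/addstickers/#...      sticker pack
LINK_DEVICE = ("sgnl", "linkdevice")


def classify(payload: str) -> dict:
    """Return what kind of Signal action the payload would trigger.

    Only 'link_device' hands a third party a live copy of the account;
    the other categories are at worst an ordinary phishing URL.
    """
    parsed = urlparse(payload.strip())
    scheme = parsed.scheme.lower()
    host = parsed.netloc.lower()

    if (scheme, host) == LINK_DEVICE:
        qs = parse_qs(parsed.query)
        return {
            "kind": "link_device",
            "danger": "critical",
            "has_uuid": "uuid" in qs,
            "has_pub_key": "pub_key" in qs,  # the joining device's public key
            "advice": "This adds a NEW device to your account. Only scan a code "
                      "you watched appear on a device you are holding; never one "
                      "someone sent you as a 'verification' step.",
        }
    if host == "signal.group" and scheme == "https":
        return {"kind": "group_invite", "danger": "low"}
    if host == "signal.me" and scheme in ("https", "sgnl"):
        return {"kind": "contact_link", "danger": "low"}
    if host == "signal.art" and scheme == "https":
        return {"kind": "sticker_pack", "danger": "low"}
    if scheme in ("http", "https"):
        return {"kind": "web_url", "danger": "medium",
                "advice": "Not a Signal link at all; treat it as a phishing URL."}
    return {"kind": "unknown", "danger": "medium"}


def safe_to_scan(payload: str) -> bool:
    """True only for payloads that cannot add a device to the account."""
    return classify(payload)["danger"] == "low"


if __name__ == "__main__":
    # Constructed payloads, not codes from the campaign.
    samples = [
        "sgnl://linkdevice?uuid=9c7e1d2a&pub_key=BQ7uexampleKey",
        "https://signal.group/#CjQKIExampleGroupInvite",
        "https://signal.me/#p/+15551234567",
        "https://accounts-verify.example/signal/check",
    ]
    for s in samples:
        print(f"{classify(s)['kind']:13s} safe_to_scan={safe_to_scan(s)}  {s}")
```

The point of the check is the first branch: a device-linking payload is the only kind that silently changes who can read your account, and there is no legitimate reason for anyone to send you one.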

What ProSpy Spyware Does Once It Is on Your Device

Photos, Videos, Audio, and Documents It Can Steal

Once ProSpy is installed on an Android device, it operates silently in the background, systematically harvesting data and sending it back to attacker-controlled servers. The scope of what it can access is extensive.

ProSpy is built to exfiltrate a wide range of sensitive data categories, including:

  • Contact lists — full names, phone numbers, and associated account data
  • SMS messages, sent and received, which on many accounts includes one-time login codes delivered by text
  • Photos and videos stored locally on the device
  • Audio recordings — including the ability to activate the microphone
  • Device hardware and software information — model, OS version, installed apps
  • Local files of interest — documents, downloads, and application-specific data

For a journalist with source communications stored on their phone, or an activist with sensitive organizational documents, this level of access is catastrophic. The attacker doesn’t just see what you’re doing now — they can reconstruct your network of contacts, your past communications, and your ongoing work.

How ProSpy Hides Inside Fake “Pro” Versions of Secure Apps

ProSpy gets its name from how it disguises itself. It masquerades as enhanced or “pro” versions of legitimate applications, particularly privacy-focused messaging tools like Signal, ToTok, and Botim. Victims are led to believe they are downloading an upgraded or region-specific version of an app they already trust. The fake app looks and functions like the real thing — it may even connect to the legitimate service in the background — while simultaneously running spyware functions the user never consented to and cannot see.

Why ProSpy Is Considered Professionally Developed Malware

ProSpy isn’t a crude remote access trojan thrown together quickly. Lookout’s analysis describes it as professionally developed surveillance software, and the evidence supports that assessment.

The malware uses a structured, numbered command system to receive instructions from its command-and-control (C2) infrastructure: each integer maps to one collection task. Numbered command dispatch is not rare in Android malware on its own, but a consistent command table that is maintained and reused across families (as the ToSpy and Dracarys sections below show) is the mark of a team updating, extending and debugging one codebase over time, not a lone actor building a one-off.

Furthermore, the web infrastructure supporting ProSpy’s distribution was professionally managed, with dedicated domains set up specifically to host trojanized apps and phishing pages. The distribution domain com-ae[.]net is itself a lure: at a glance it reads like a .com.ae address, the commercial second-level domain under the UAE’s country code, which fits the campaign’s UAE targeting. The same domain was independently identified by the Maltrail project as tied to BITTER APT, corroborating Lookout’s attribution through a completely separate investigative thread.
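As an added example of how to act on that indicator (not code from the article, Lookout or Maltrail), the script below refangs the defanged domain, hunts for it in resolver logs, and separately flags any query whose registrable label imitates a country-code second-level suffix such as com.ae or co.uk. The log format, client addresses and query names are constructed for the example; the resolver log regex is an assumption to adapt to your own format.

```python
"""Hunt resolver logs for a defanged IOC and for ccTLD-suffix lookalikes.

Added example, not code from the article, Lookout or Maltrail.  The log
lines, client addresses and query names below are constructed.
"""
import re

# Real registry second-level labels that a registrable name can imitate
# with a hyphen: com-ae.net reads like <name>.com.ae to a hurried eye.
# Assumption: extend for the ccTLDs your users actually deal with.
CCTLD_SLD_PAIRS = {
    ("com", "ae"), ("co", "uk"), ("com", "eg"), ("com", "lb"),
    ("com", "bh"), ("com", "sa"), ("co", "za"), ("com", "tr"),
}

# Assumption: a "client=... query=..." style resolver log; adjust to yours.
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")
HYPHEN_SLD_RE = re.compile(r"([a-z]+)-([a-z]{2})")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (com-ae[.]net, hxxp://...) into a real one."""
    return (ioc.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
            .replace("[:]", ":").replace("hxxp", "http"))


def lookalike_of_cctld(qname: str):
    """Return 'com.ae' if the registrable label of qname is 'com-ae', else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    m = HYPHEN_SLD_RE.fullmatch(labels[-2])
    if m and (m.group(1), m.group(2)) in CCTLD_SLD_PAIRS:
        return f"{m.group(1)}.{m.group(2)}"
    return None


def matches_ioc(qname: str, ioc_domain: str) -> bool:
    """Exact match or any subdomain of the IOC."""
    q = qname.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


def hunt(log_lines, defanged_iocs):
    """Return one finding per log line that hits an IOC or a lookalike."""
    iocs = [refang(i) for i in defanged_iocs]
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        reasons = [f"ioc:{ioc}" for ioc in iocs if matches_ioc(qname, ioc)]
        alike = lookalike_of_cctld(qname)
        if alike:
            reasons.append(f"lookalike:{alike}")
        if reasons:
            findings.append({"client": m.group("client"), "qname": qname,
                             "reasons": reasons})
    return findings


# Constructed resolver log excerpt; not real traffic from the campaign.
SAMPLE_LOG = [
    "2025-10-01T09:12:03Z client=10.0.0.12 query=signal.org type=A",
    "2025-10-01T09:13:44Z client=10.0.0.12 query=update.com-ae.net type=A",
    "2025-10-01T09:14:01Z client=10.0.0.12 query=www.example.com.ae type=A",
    "2025-10-01T09:15:22Z client=10.0.0.31 query=mail.co-uk.info type=A",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, ["com-ae[.]net"]):
        print(f["client"], f["qname"], ", ".join(f["reasons"]))
```

The IOC match is a hard hit; the lookalike match is a lead, since legitimate sites do register names like co-uk.info. Treat the second as a pivot for further checks (registration date, what the host serves, which clients resolved it) rather than as proof on its own.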

ProSpy vs. ToSpy: How the Two Spyware Families Are Linked

ProSpy is not the only malware tool discovered in this campaign. Researchers also identified a related spyware family called ToSpy, which was distributed alongside ProSpy using some of the same infrastructure and lures. While the two are distinct malware families, their connection reveals something important about how BITTER APT structures and manages its toolset.

Shared Code Structure and Numbered Command Logic

Both ProSpy and ToSpy use the same numbered command logic in their code architecture. This means both tools receive instructions from their C2 servers using a shared command framework — a strong technical indicator that they were developed by the same team or from the same codebase. When two separate malware families share this kind of structural DNA, it points to an organized development operation rather than independent creation. It also means that defenders who understand how one tool works gain immediate insight into how the other behaves.

Connection to Dracarys Malware From 2022

The link between ProSpy and BITTER APT’s history goes back further than ToSpy. Lookout’s researchers identified significant code similarities between ProSpy and Dracarys, an Android spyware that BITTER APT deployed in 2022. Dracarys was previously documented by Meta’s security team as part of a Facebook-based social engineering campaign. The shared code patterns — particularly the numbered command structure — between Dracarys and ProSpy provided researchers with one of the strongest pieces of evidence linking this entire campaign to BITTER. Malware authors, like all software developers, carry their coding habits and architectural preferences from one project to the next, and those habits leave a traceable fingerprint.
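To make the numbered-command comparison in the ProSpy, ToSpy and Dracarys discussion concrete, here is an added example (not Lookout's tooling; the two snippets are constructed to look like decompiled Java and are not code from any of the three families, and the command numbers are invented). It pulls the integer case labels and handler names out of two switch-style dispatch blocks, normalises the handler names so that renaming alone does not hide the relationship, and scores how much of the command table the two samples share.

```python
"""Compare the numbered command tables of two dispatch routines.

Added example of the code-similarity idea, not Lookout's tooling.  The two
snippets are constructed to look like decompiled Java; they are not code
from ProSpy, ToSpy or Dracarys, and the command numbers are invented.
"""
import re

# Constructed "sample A": what a decompiler might show for a C2 dispatcher.
SAMPLE_A = """
switch (cmd) {
    case 1: uploadContacts(); break;
    case 2: uploadSms(); break;
    case 3: uploadFiles(dir); break;
    case 4: uploadDeviceInfo(); break;
    case 7: uploadAudio(); break;
}
"""

# Constructed "sample B": same skeleton, renamed handlers, one number swapped.
SAMPLE_B = """
switch (c) {
    case 1: sendContacts(); break;
    case 2: sendSms(); break;
    case 3: sendFiles(path); break;
    case 4: sendInfo(); break;
    case 9: sendImages(); break;
}
"""

CASE_RE = re.compile(r"case\s+(\d+)\s*:\s*([A-Za-z_]\w*)\s*\(")
VERB_PREFIXES = ("upload", "send", "get", "fetch", "collect", "exfil", "dump")


def command_table(src: str) -> dict:
    """Map each integer case label to the first method it calls."""
    return {int(num): name for num, name in CASE_RE.findall(src)}


def normalize_handler(name: str) -> str:
    """Strip a leading verb so uploadContacts and sendContacts compare equal."""
    low = name.lower()
    for verb in VERB_PREFIXES:
        if low.startswith(verb) and len(low) > len(verb):
            return low[len(verb):]
    return low


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def compare(src_a: str, src_b: str) -> dict:
    """Score overlap on command numbers alone and on (number, purpose) pairs."""
    ta, tb = command_table(src_a), command_table(src_b)
    pairs_a = {(n, normalize_handler(h)) for n, h in ta.items()}
    pairs_b = {(n, normalize_handler(h)) for n, h in tb.items()}
    return {
        "number_jaccard": jaccard(set(ta), set(tb)),
        "pair_jaccard": jaccard(pairs_a, pairs_b),
        "shared_pairs": sorted(pairs_a & pairs_b),
        "only_a": sorted(pairs_a - pairs_b),
        "only_b": sorted(pairs_b - pairs_a),
    }


if __name__ == "__main__":
    result = compare(SAMPLE_A, SAMPLE_B)
    print(f"command numbers shared: {result['number_jaccard']:.2f}")
    print(f"(number, purpose) pairs shared: {result['pair_jaccard']:.2f}")
    print("shared:", result["shared_pairs"])
```

Overlap on the bare numbers is weak evidence, since most RATs number their commands from 1; overlap on number-and-purpose pairs is what actually suggests a shared codebase. In a real comparison an analyst pairs this with the handlers' bodies, string constants and C2 message formats, which is the kind of evidence the attribution above rests on.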

Is This a Hack-for-Hire Operation?

Lookout’s assessment is direct: this campaign has the hallmarks of a hack-for-hire operation. While BITTER APT has historically focused on targets that align with South Asian regional intelligence interests — particularly military and government targets — the victims in this campaign are journalists and civil society members in Egypt, Lebanon, Bahrain, and the UAE. That geographic and demographic shift suggests that BITTER, or a group with close ties to BITTER, was likely contracted by an external party to conduct surveillance on behalf of unknown clients. This is the first documented case of BITTER-linked activity targeting civil society in the MENA region, and it represents a significant expansion of what this group — or its clients — is willing to do. The line between state-sponsored espionage and commercial surveillance-for-hire is increasingly blurry, and ProSpy sits right at that intersection.

How To Protect Yourself From ProSpy and Similar Spyware

The tactics used in this campaign are sophisticated, but they are not unstoppable. Every stage of the ProSpy attack chain — from the initial spearphishing contact to the final malware installation — requires the victim to take an action. That means awareness and deliberate habits are your most effective defenses.

1. Never Scan Unexpected QR Codes Linked to Messaging Apps

The Signal QR code attack works because most people don’t think twice about scanning a QR code sent by someone who seems legitimate. From now on, treat any QR code that claims to be related to account verification, app linking, or security confirmation with immediate suspicion, especially if it arrives unsolicited via LinkedIn, iMessage, or email.

Signal’s Linked Devices feature is the specific mechanism being exploited here. Open Signal right now, navigate to Settings > Linked Devices, and audit every device on that list. If you see anything you don’t recognize, remove it immediately. Make this a monthly habit, the same way you’d check your bank account for unauthorized transactions.

2. Verify App Sources Before Downloading Anything

ProSpy spreads through trojanized apps distributed outside the official app store. The single most effective technical control against this vector is a simple rule: install Android apps only from the Google Play Store (ProSpy is Android-only; on iOS the same rule applies to the App Store), and never sideload an APK file sent to you through a messaging platform, regardless of how trustworthy the sender appears.

If someone contacts you with a link to a “special,” “enhanced,” or “region-specific” version of an app you already use — particularly a secure messaging app — that is an immediate red flag. Legitimate apps do not need to be distributed through unofficial channels. Verify directly with the app’s official website or support team before taking any action, and if in doubt, don’t install it.
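An added example (not from the article or Lookout) for checking what has already been sideloaded onto an Android phone: it parses the output of "adb shell pm list packages -i", which lists each package together with the store that installed it, and flags packages that did not come from the Play Store or whose name trades on Signal, ToTok or Botim without being the genuine package. Signal's real package name, org.thoughtcrime.securesms, is a fact; the sample output is constructed, and the trusted-installer and keyword lists are assumptions to extend for your device's OEM store and the other apps you care about.

```python
"""Audit an Android device for sideloaded or impersonating packages.

Added example, not from the article or Lookout.  Parses the output of
'adb shell pm list packages -i' (one line per package, with the installer
that put it there).  The sample output is constructed.
"""
import re
import subprocess

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)")

# Assumption: only the Play Store is trusted here; add your OEM store
# (Samsung, Huawei, ...) if your device has one.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Signal's real Android package name is org.thoughtcrime.securesms (fact).
# Add the genuine ToTok and Botim package names from their store listings.
KNOWN_GOOD = {"org.thoughtcrime.securesms"}
BRAND_KEYWORDS = ("signal", "securesms", "totok", "botim")


def parse_pm_output(text: str) -> dict:
    """Return {package_name: installer_package_or_'null'}."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group("pkg")] = m.group("installer")
    return table


def audit(text: str) -> list:
    """Flag packages that were sideloaded and/or trade on a trusted brand name."""
    findings = []
    for pkg, installer in parse_pm_output(text).items():
        sideloaded = installer not in TRUSTED_INSTALLERS  # 'null' counts too
        impersonates = (any(k in pkg.lower() for k in BRAND_KEYWORDS)
                        and pkg not in KNOWN_GOOD)
        if impersonates and sideloaded:
            severity = "critical"
        elif impersonates:
            severity = "high"
        elif sideloaded:
            severity = "review"
        else:
            continue
        findings.append({"package": pkg, "installer": installer,
                         "severity": severity})
    return findings


def pm_list_packages() -> str:
    """Pull the live list over adb (requires adb and USB debugging enabled)."""
    return subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-i"],
        check=True, capture_output=True, text=True).stdout


# Constructed sample of what the command prints; not from a real device.
SAMPLE_PM_OUTPUT = """\
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.signal.pro.messenger  installer=com.google.android.packageinstaller
package:org.thoughtcrime.securesms.pro  installer=null
package:com.example.notes  installer=null
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PM_OUTPUT):
        print(f"{f['severity']:8s} {f['package']}  (installer={f['installer']})")
```

Replace SAMPLE_PM_OUTPUT with pm_list_packages() to run it against a real phone. A "critical" finding is a package that was installed by hand and carries a trusted app's name without being that app, which is exactly the shape of a trojanized "pro" build; "review" findings are every other sideloaded package, each of which should have a story you can account for.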

3. Be Suspicious of Unsolicited LinkedIn and iMessage Contacts

BITTER APT’s entry point into this campaign is social engineering, and LinkedIn is one of its preferred hunting grounds. The attacker doesn’t send a suspicious link in the first message — they build a connection first, mirroring how a legitimate professional contact would behave. By the time a malicious link or QR code is sent, the victim has already developed a degree of trust with the attacker.

Apply a simple rule to any unsolicited contact on LinkedIn or iMessage: if someone you don’t know personally reaches out and eventually asks you to download something, click a link, or scan a QR code, pause before you act. Independently verify who they are through a separate channel — look them up on the organization’s official website, call a known colleague, or search for their profile through a completely different platform. Real professional contacts will not be offended by verification. Attackers rely on the fact that most people won’t bother.

This is especially critical for journalists, human rights workers, researchers, and activists, the exact demographics being targeted in the ProSpy campaign. If your work involves sensitive sources, confidential communications, or documenting politically sensitive events, you are a higher-value target than the average user, and you should treat unsolicited outreach with proportionally greater scrutiny.

4. Keep Your Device and Apps Updated

While the primary infection vector in this campaign is social engineering rather than a software exploit, keeping your Android device and all installed applications fully updated remains a non-negotiable baseline defense. Security patches close known vulnerabilities that spyware already on the device might use to escalate its privileges or persist. An out-of-date device gives attackers more options after the initial infection, not fewer.

Enable automatic updates for both your operating system and your applications. Also confirm Google Play Protect is on: open the Play Store app, tap your profile icon, then Play Protect, and check that scanning is enabled. Play Protect does scan sideloaded APKs, but it keys on apps and behaviour Google already knows to be malicious, so a freshly built trojanized app pushed from a domain outside the Play Store can slip past it. It is a meaningful layer of automated detection, not a guarantee.

5. Use a Mobile Threat Defense Tool

Consumer antivirus tools offer limited protection against professionally developed spyware like ProSpy, but purpose-built mobile threat defense (MTD) solutions provide substantially more capability. Tools in this category monitor device behavior in real time, flag anomalous network traffic to suspicious C2 servers, and can detect when an app is behaving in ways inconsistent with its stated function, which is exactly the kind of activity ProSpy exhibits. For journalists, NGO workers, and activists operating in high-risk environments, deploying an MTD solution on your primary mobile device is a practical necessity.

ProSpy Is a Reminder That Spyware Targets Real People, Not Just Governments

The ProSpy campaign changes the conversation about who needs to take mobile spyware seriously. For years, the dominant narrative around advanced spyware — tools like Pegasus — centered on heads of state, cabinet ministers, and defense officials. ProSpy, deployed against journalists and civil society members through fake Signal updates and LinkedIn messages, makes clear that the threat has broadened significantly. If your work involves sensitive information, protected sources, or any activity that a government or well-funded private entity might want to monitor, your phone is a target. The sophistication of the attacker doesn’t reduce that risk — it increases it. Knowing how these campaigns work is the first and most important step in making yourself a harder target.

Frequently Asked Questions

The ProSpy campaign raises urgent questions about mobile security, attribution, and what everyday users — especially those in high-risk professions — can do to protect themselves. The following answers draw directly from Lookout’s research and the technical details uncovered in this investigation.

Understanding the specifics of how ProSpy operates, who is behind it, and how it compares to other surveillance tools helps cut through the noise and gives you actionable context rather than vague warnings.

What is ProSpy spyware and who created it?

ProSpy is an Android spyware tool discovered by Lookout researchers as part of an active surveillance campaign targeting civil society in the MENA region. It masquerades as legitimate applications, primarily secure messaging apps like Signal, ToTok, and Botim, and silently exfiltrates sensitive data including contacts, SMS messages, photos, audio, and device information once installed.

Lookout has attributed ProSpy to BITTER APT, a South Asian threat group also tracked as T-APT-17 and APT-Q-37, based on shared code architecture with BITTER’s 2022 Dracarys malware and overlapping web infrastructure used to distribute the spyware. The campaign is assessed as a likely hack-for-hire operation, with BITTER or a closely affiliated group contracted by unknown external clients.

How does BITTER APT use Signal to spread ProSpy?

BITTER APT exploits Signal’s legitimate Linked Devices feature by sending targets a malicious QR code disguised as a security verification or account setup step. When the victim scans the code, they unknowingly authorize the attacker’s device to be linked to their Signal account, giving the attacker real-time access to all messages sent and received going forward.

In a separate but related attack vector, BITTER also distributes a trojanized version of Signal: a fake APK that looks and partially functions like the real app but runs ProSpy spyware silently in the background. Both methods rely on the target’s trust in Signal as a secure platform, turning that trust into the attack’s primary weapon.

Can ProSpy steal messages from encrypted apps like Signal?

Yes, but not by breaking Signal’s encryption. The trojanized app reads messages on the device itself, where they are already decrypted for display. The QR code trick adds an attacker-controlled device to the account, and Signal then encrypts every message for that device too, so the attacker decrypts their own legitimate copy. End-to-end encryption protects messages between endpoints; it does nothing against malware running on an endpoint, or against an endpoint the victim was tricked into authorizing.

Who are the main targets of the BITTER APT ProSpy campaign?

Lookout’s investigation identified journalists, human rights workers, activists, and civil society members in Egypt, Lebanon, Bahrain, and the UAE as the primary targets of the ProSpy campaign. This marks the first documented instance of BITTER APT targeting civil society in the MENA region, representing a significant and concerning departure from the group’s historical focus on military, government, and energy sector targets.

How is ProSpy different from commercial spyware like Pegasus?

Pegasus, developed by the NSO Group, is a commercial surveillance product sold exclusively to government clients and is capable of zero-click exploitation — meaning it can compromise a device without any action from the victim. ProSpy, by contrast, requires the target to be socially engineered into installing a trojanized app or scanning a malicious QR code. In that sense, ProSpy depends on human interaction where Pegasus does not.

However, this distinction does not make ProSpy less dangerous in practice. The social engineering used to deliver ProSpy (spearphishing through LinkedIn and iMessage, fake enterprise login pages, and Signal lures) is convincing enough to catch security-conscious targets. The bar for interacting with a well-crafted fake Signal update is lower than most people assume.

ProSpy also differs in its likely business model. Pegasus is a licensed commercial product with (at least nominally) documented clients. ProSpy is assessed as a hack-for-hire tool, meaning its use is contracted covertly by unknown parties who want plausible deniability. That makes attribution harder and accountability nearly nonexistent for the entities commissioning the surveillance.
