ToTok app caught spying on millions of Android & iPhone users (Updated)

It’s time to delete the ToTok app right now!
ToTok messaging app caught spying on millions of Android & iPhone users

Reportedly, the UAE Government has been using the ToTok app for Spying and Data Collection – Don’t mix ToTok with Tiktok.

Despite the tall claims made by Google and Apple to ensure only verified and authentic applications are featured on their official Play Store and App Store, researchers keep finding shady apps on these platforms. The reason why such apps are deemed as devastating as any cybercrime is their potential to be used as spying tools for the government

The latest to join the list of shady mobile apps featured on Apple’s App Store and Google’s Play Store is the UAE-based company Breej Holdings’ very popular messaging app called ToTok app. It is an instant messaging and voice calling app that the UAE government, most probably, is using as a spying tool, reports the New York Times.

Released in 2019, the “fast and secure calling and messaging app” ToTok can track almost every movement, conversation, sound, image, appointment and relationship of the person who installs the application on their mobile device. It doesn’t offer end-to-end encryption to protect data from spying and its privacy policy only addresses data storage and not data protection. 

See: Police confiscate surveillance van loaded with hacking tools

Since it allows users to stay connected with their family and friends across the world and offers free unlimited video and voice calls, it has received immense popularity especially users in the UAE because the Emirati government doesn’t allow the use of communication apps like Skype and WhatsApp.

ToTok messaging app caught spying on millions of Android & iPhone users
ToTok app on App Store

The NYT investigators identified that this app has already been downloaded millions of times via the official app stores including Play Store and App Store. However, both companies have deleted this app from their respective app stores after the news about it being a spying tool made headlines.

If it is already installed on your phone, it most likely will keep stealing data. Former NSA employee and currently a security researcher at Jamf Patrick Wardle urge users to uninstall this app immediately.

“There is a beauty in this approach, you don’t need to hack people to spy on them if you can get people to willingly download this app to their phone. By uploading contacts, video chats, location, what more intelligence do you need,?” Wardle told the New York Times.

The team of investigators at NYT also believes that Breej Holdings is an ally of Dark Matter, a cyber-intelligence and hacking firm, which the FBI is already investigating for involvement in various cybercrimes. The Dark Matter is associated with PAX AI, an artificial intelligence and data-mining firm located in Abu Dhabi.

See: Hackers used Karma tool to hack iPhones of prominent Govt officials

Interestingly, the app appears to be a replica of the Chinese app YeeCell, according to the assessment from an NSA official who performed the app’s forensic analysis for the NYT.

The NYT tried to contact Emirati government, Breej Holdings, and PAX AI representatives but none of them responded or gave any official statement. According to US intelligence officials, the ToTok app should not be downloaded because it is an espionage tool that extracts user data and sends it to the UAE government’s servers.

Update: January 6th, 2020

Google has restored the ToTok messenger app on Play Store and is now available for download.

Dear ToTok Community, The wait is over. We are happy to inform you #ToTok is now available for download on the Google Play Store. Thank you for your patience. Let’s connect!, the company tweeted.

Although ToTok’s developers had denied using the app as a tool to spy, it is unclear what assurance was provided to Google over data protection of users.

On the other hand, the UAE’s Telecommunications Regulatory Authority had also denied the accusations, saying that the country’s laws “prohibit any kind of data breach and unlawful interception.”

However, at the time of publishing this article, the app remained unavailable on the App Store indicating that Apple has no intention of restoring the app, at least not for now.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts