ToTok App Deleted: UAE Accused of Spyware Scandal

The United Arab Emirates has been fingered by deep-throat U.S. sources, believed to be from the CIA. Said sources say the Emirates bought a messaging app called ToTok that is a blatant attempt to spy on its own citizens—and perhaps others around the world.

One might think our government is upset it hadn’t thought of this first. Or has it?

Apple and Google have scurried to ban the app from their respective stores. In today’s SB Blogwatch, we deck the halls.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 4K Wham!, but how?

Emirati Party Favors

What’s the craic? Mark Mazzetti, Nicole Perlroth and Ronen Bergman tag team—“It Seemed Like a Popular Chat App; It’s Secretly a Spy Tool”:

 It is billed as an easy and secure way to chat. … ToTok is actually a spying tool, according to American officials familiar with a classified intelligence assessment [who say] it is used by the government of the [UAE] to try to track every conversation, movement, relationship, appointment, sound and image of those who install it.

Introduced only months ago, [it] was downloaded millions of times from the Apple and Google app stores by users throughout the Middle East, Europe, Asia, Africa and North America. [It] amounts to the latest escalation in a digital arms race among wealthy authoritarian governments [that] are pursuing more effective and convenient methods to spy on foreign adversaries, criminal and terrorist networks, journalists and critics.

So instead of paying hackers to gain access to a target’s phone … ToTok gave the Emirati government a way to persuade millions of users to hand over their most personal information for free. … It was unclear when American intelligence services first determined that ToTok was a tool of Emirati intelligence, but one person familiar with the assessment said that American officials have warned some allies about its dangers. … Spokesmen for the C.I.A. and the Emirati government declined to comment.

The firm behind ToTok, Breej Holding, is most likely [a shell for] DarkMatter, an Abu Dhabi-based cyberintelligence and hacking firm [that] is under F.B.I. investigation, according to former employees and law enforcement officials, for possible cybercrimes. … Though the app is a tool for the Emirati government, the exact relationship between the firms behind it is murky.

And Lily Hay Newman adds—“Uninstall This Alleged Emirati Spy App From Your Phone Now”:

 If you happen to be one of the hundreds of thousands of users who downloaded it you should delete the app from your phone immediately. … While invasive marketing practices and criminal data collection are bad enough, apps that function as an espionage tool of governments are an even greater concern.

ToTok … does exactly what it claims to do. … It’s a messaging app that uses the same type of private data any communication app or social platform would. The question is just who has access to that data once it reaches the developer’s servers.

The incident … raises questions about apps like WeChat with longstanding, known ties to repressive governments.

Any technical details? Patrick Wardle did some—“basic triage”:

 [App Store] reviews (over 32,000!) are largely positive, and mostly laud the fact that this application is not blocked in the UEA (Skype, WhatsApp, etc. are blocked, while using VPNs to access blocked services is illegal). … It’s almost as if ToTok is too good to be true!

Analyzing iOS applications is not the most trivial process, as said applications are distributed (via the iOS App Store) in an encrypted format. … Luckily, thanks to the incredible checkra1n we can jailbreak (and thus analyze iOS applications) even recent versions of iOS.

Digging thru ToTok strings and classes we gain some potential insight into it’s possible origins … ties to YeeCall. … It’s possible that “Breej Holding Ltd” (that “publisher” of the iOS app), simply contracted or licensed existing code from “YeeCall” to create the ToTok application.

Think about it this way: You’re a (rather surveillance-happy) foreign government who’d love to monitor your citizens. In five easy steps:
1. Ban popular apps such as WhatsApp, Skype
2. Create a free alternative app that provides this banned functionality.
3. Submit the app to the iOS app store, where it’s readily approved by Apple.
4. Create fake reviews & social media posts that recommend the application.
5. Wait as the citizens of your country readily embrace the app and its popularity soars.

Now you have access to users’ address books, chats, location and more. … Once you know who’s talking to whom, and perhaps even what they are saying, you can identify specific individuals of interest and target them with … more traditional offensive cyber-operations, which are far more targeted, stealthy, and invasive.

What does the app maker have to say? Here’s Asad, allegedly speaking for the ToTok Team:

 We are experiencing a ToTok download issue with Google Play Store and Apple App Store. … ToTok is in high demand by new users worldwide. … Android users can install the ToTok app from our official website as a temporary solution.

Our team is already well engaged with Google and Apple to address the issue in order to ensure ToTok is available to all who want to join our community.

But how did it get so popular outside the UAE? anonu draws the obvious conclusion:

 Did they hijack TikTok searches by calling it ToTok? Not a bad strategy to piggyback on another app’s popularity.

And Joseph Cox—@josephfcox—suggests another “growth hacker” angle:

 [The report] says the app has been downloaded millions of times. But considering this was an intel operation, wonder how many of those downloads were from real users, and how many were to boost app ratings/perception of legitimacy?

What do we know about DarkMatter? Elihay Vidal says it is, “Employing Former NSO Programmers”:

 DarkMatter [was] previously reported to have poached several employees from Israeli surveillance company NSO. … A group of former NSO employees—all of whom are also veterans of Israeli signals intelligence unit 8200, the Israeli military’s version of the NSA—were working at a Cypres research facility owned by a DarkMatter affiliate. NSO had hired a private detective to track the former employees following a large wave of resignations in 2017.

NSO develops spyware that can hijack a smartphone remotely, gaining access to calls, messages, and any other data stored on the device. The Israeli company has made headlines around the world in recent years due to the alleged use of its spyware to surveil journalists, politicians, and human rights activists.

TL;DR? David Carroll—@profcarroll—cuts to the chase:

 State sponsored mass data abuse camouflaged by all the regular commercial mass data abuse hidden in everyday apps.

Meanwhile, thinking of the children, close04 is slightly sarcastic:

 Only way to fight against terrorists and pedophiles I hear.

And Finally:

How come that new “4K” video of Wham!’s Last Christmas looks so good?

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Kremlin (public domain)

Richi Jennings

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 583 posts and counting.See all posts by richi