Apple and Google have removed an app American officials call a spying tool for the United Arab Emirates from the App Store and Google Play.
Called ToTok — no relation to TikTok — the app is a communications tool similar to WhatsApp or Facebook Messenger.
ToTok has 7.9 million downloads between Google Play and the iOS App Store, a representative of app analytics company Apptopia told me, and it has been one of the most downloaded apps in the United States recently. According to Apptopia, it ranked number 44 last week for U.S. downloads in the Communication category on Android.
That means it was getting over 100,000 downloads each day.
Currently, the app has close to two million daily users in 49 countries, including Canada, the UK, Russia, Israel, Korea, and Japan.
The genius of its surveillance nature, according to analysis firm Objective-See, is that there’s no back door, no malware, and no exploits that made the app vulnerable.
Rather, the very foundation of the app is that it is a spying tool.
That is what it does, allegedly, while operating precisely as designed.
“It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.”
The app requests permission to run in the background (read: any time your phone is on), and it requests permissions to access your microphone, calendar, location, photos, contacts, and camera. Objective-See, which completed the forensic investigation into the app, says that ToTok uploads your entire address book, pictures you send, locations you’re in, and conversations you have to a server.
The ToTok app communicates via encrypted messaging with a server at capi.im.totok.ai. The issuing country for the encryption certificate at that server is set to the United Arab Emirates.
As Objective-See puts it, you couldn’t have ask for a better surveillance policy, if you’re a totalitarian-style government:
- Ban popular communications apps
- Ban VPNs (virtual private networks) so people can’t communicate privately
- Create a free messaging app that you don’t ban
- Place it on the app stores
- Encourage its use
- As your citizens use it, you now have access to all their communications
The app was likely created as a way to spy on UAE’s own citizens. But, as a publicly-available app, it clearly caught American and other countries’ citizens as well.
This highlights a serious vulnerability in every country’s infrastructure: ordinary consumer apps that have been weaponized for spying.
There are “technical issues.”
“As the ToTok momentum continues to grow, some new users have notified us they are unable to download our app in Google Play Store and Apple App Store,” the company posted on its blog. “Indeed, ToTok is temporarily unavailable in these two stores due to a technical issue. While the existing ToTok users continue to enjoy our service without interruption, we would like to inform our new users that we are well engaged with Google and Apple to address the issue.”
According to the New York Times, the company behind ToTok is likely “a front company affiliated with DarkMatter, an Abu Dhabi-based cyberintelligence and hacking firm.”
The app is still available on Samsung, Huawei, Xiaomi and Oppo phones, ToTok says, as well as via direct download on Android from the ToTok website.
One other important note:
Anyone with the app still on their phone is still vulnerable. Just because an app is deleted from the App Store or Google Play does not mean it is deleted from your phone.
That means 800,000 users in India, 266,000 users in Saudi Arabia, and over 200,000 users in Pakistan are still vulnerable.
Anyone who has downloaded the app should delete it immediately, and likely reset their phones to factory defaults, then reinstall all their other apps.
Join To Our Newsletter
You are welcome