iOS
Android
Spyware
Threat Guidances
Malware
December 23, 2019

ToTok

Lookout Recommendation for Admins

Lookout Mobile Endpoint Security enables admins to create more than 55 custom app security policies, allowing organizations to easily create security policies that block the use of apps exhibiting specific behaviors. To prevent users from being exposed to surveillanceware programs like ToTok, Lookout admins can implement a custom app policy to identify and blacklist new, unfamiliar apps that request a significant number of permissions.

Overview

Open-source security group Objective-See discovered a massively popular mobile chat app for iOS and Android that was built by the United Arab Emirates to “track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.” Built on top of Chinese chat app YeeCall, the app didn’t break Apple or Google developer guidelines, asking only permissions available to most developers. That said, the app enables broad surveillance of millions of users around the world.

Heavy governmental restrictions on apps like Skype and WhatsApp, drove mobile users in the UAE to download ToTok, which conveniently was both free and more reliable. With unlimited voice and video calling, as well as secure messaging, it was incredibly attractive to millions of Emiratis, and most recently millions of users outside the UAE.

How Does it Work?

ToTok asked for permission to access the microphone, calendar, location, photos, contacts, Siri integration, and camera, which all seemed legitimate since they mirror the permissions of popular chat apps. This demonstrates a new direction for surveillance programs. The app explicitly asks for permissions, but doesn't abuse these permissions, instead it relies on organic user activity in order to achieve their surveillance goals. Using permissions available to iOS and Android developers, ToTok is a good example of how threat actors can leverage mobile devices for unrivaled surveillance programs.

Authors

Lookout

Cloud & Endpoint Security

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.

Platform(s) Affected
iOS
Platform(s) Affected
Android
Threat Type
Spyware
Entry Type
Threat Guidances
Threat Type
Malware
Platform(s) Affected
iOS
Android
Spyware
Threat Guidances
Malware

Related Content

Lookout Attributes Two Android Spyware Families to Uzbekistan Intelligence

Researchers at the Lookout Threat Lab have discovered two Android surveillance families dubbed BoneSpy and PlainGnome attributed to Uzbekistan's State Security Service

Read Threat Article

CVE-2025-24201 on iOS

CISA recently provided guidance for CVE-2025-24201, an out-of-bounds write issue in WebKit. There has been evidence of active exploitation of this CVE.

Read Threat Article

Lookout Discovers New Spyware by North Korean APT37

Lookout researchers have discovered a novel Android surveillance tool dubbed KoSpy. It is attributed to APT 37 aka ScarCruft.

Read Threat Article

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Schedule Demo
HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell