A social messaging app called ToTok has been surging in popularity around the world in recent weeks. If you happen to be one of the hundreds of thousands of users who downloaded it you should delete the app from your phone immediately.
United States intelligence officials, speaking to the New York Times Sunday, warned that ToTok isn’t the secure platform it purports to be; instead, it’s likely a surveillance tool that can funnel data to the government of the United Arab Emirates. Google removed the app from Google Play on Thursday and Apple removed it from the App Store on Friday, but ToTok will keep working—and potentially spying—if it’s already on your phone.
“Uninstall it yesterday,” says Patrick Wardle, a security researcher at Jamf specialized in Apple operating systems who formerly worked at the National Security Agency. On Sunday, he released a technical analysis of ToTok.
Despite the companies’ efforts to catch them during pre-screening, shady mobile apps still slip into Google Play and Apple’s App Store. While invasive marketing practices and criminal data collection are bad enough, apps that function as an espionage tool of governments are an even greater concern.
ToTok claimed to be a “fast and secure calling and messaging app,” but it did not specifically tout end-to-end encryption, the security feature that protects data from prying eyes at all times except on authorized users’ devices. The app’s privacy policy only addressed data storage: “Messages: all data is stored heavily encrypted so that local ToTok engineers or physical intruders cannot get access.” The app emphasized that it offered unlimited voice and video calling plus messaging to anyone with an internet connection so users could stay in touch with family and friends around the world. And the app was especially appealing to users in the UAE, because it didn’t have the functionality restrictions that the Emirati government places on many other communication apps like Skype and Whatsapp in the country. ToTok let users access a full suite of features for free, without needing to use a VPN or any other workarounds. In retrospect, given the circumstances in the UAE, the app was probably too good to be true.
“When you start analyzing an app like this you expect to find a backdoor or some zero day exploits,” Wardle says. “But the more I think about it, this is actually a more elegant approach, which is just leveraging completely legitimate functionality. What that gives you is a very cost effective, easy way to gain a ton of information on people.”
The developer behind ToTok, Breej Holding Ltd., did not return a request for comment.
First released on July 27, ToTok spiked in popularity in the UAE in August and then spread to other Middle Eastern countries and the rest of the world from there. The app had scores of positive reviews, particularly from users in the UAE who were excited about its lack of restrictions. It was also ranked as a most popular app in many regions on Google Play and the App Store. The app had at least 600,000 downloads across Android and iOS in November and was trending in the US in the last couple of weeks.
The developer, Breej Holding Ltd., does not have an extensive online footprint. In his technical analysis of ToTok for iOS, Wardle found indications that the app was not developed from the ground up and instead was based on code from the Chinese communication app YeeCall, likely through some type of licensing agreement. The New York Times concluded that Breej Holding Ltd. is likely a shell company for DarkMatter, an Abu Dhabi-based digital intelligence firm that contracts directly with the Emirati government and employs former intelligence agents from countries like the United States and Israel. US authorities are currently investigating DarkMatter for possible hacking crimes.
