It Seemed Like a Popular Chat App. It’s Secretly a Spy Tool.

Spokesmen for the C.I.A. and the Emirati government declined to comment. Calls to a phone number for Breej Holding rang unanswered, and Pax employees did not respond to emails and messages. An F.B.I. spokeswoman said that “while the F.B.I. does not comment on specific apps, we always want to make sure to make users aware of the potential risks and vulnerabilities that these mechanisms can pose.” When The Times initially contacted Apple and Google representatives with questions about ToTok’s connection to the Emirati government, they said they would investigate. On Thursday, Google removed the app from its Play store after determining ToTok violated unspecified policies. Apple removed ToTok from its App Store on Friday and was still researching the app, a spokesman said. ToTok users who already downloaded the app will still be able to use it until they remove it from their phones.

READ ALSO:
It’s Almost Impossible to Tell if Your iPhone Has Been Hacked
Jonathan Levin, a researcher who has written books about iOS and macOS internals and security and provides training on iPhone security, said that in his opinion, so few iOS zero-days have been caught because they are worth a lot of money, and thus more likely to be used in targeted attacks.

It was unclear when American intelligence services first determined that ToTok was a tool of Emirati intelligence, but one person familiar with the assessment said that American officials have warned some allies about its dangers. It is not clear whether American officials have confronted their counterparts in the Emirati government about the app. One digital security expert in the Middle East, speaking on the condition of anonymity to discuss powerful hacking tools, said that senior Emirati officials told him that ToTok was indeed an app developed to track its users in the Emirates and beyond.

READ ALSO:
The FBI plans more social media surveillance
The tool would also allow the FBI to track people based on location, enable persistent keyword monitoring and provide access to personal social media history. The government doesn't have the best track record with regard to social media surveillance.

ToTok appears to have been relatively easy to develop, according to a forensic analysis performed for The Times by Patrick Wardle, a former National Security Agency hacker who works as a private security researcher. It appears to be a copy of a Chinese messaging app offering free video calls, YeeCall, slightly customized for English and Arabic audiences. ToTok is a cleverly designed tool for mass surveillance, according to the technical analysis and interviews, in that it functions much like the myriad other Apple and Android apps that track users’ location and contacts.

READ ALSO:
Lawmakers ask US intelligence chief to investigate if TikTok is a national security threat
“Security experts have voiced concerns that China’s vague patchwork of intelligence, national security, and cybersecurity laws compel Chinese companies to support and cooperate with intelligence work controlled by the Chinese Communist Party,” the letter, dated Wednesday, said.

On the surface, ToTok tracks users’ location by offering an accurate weather forecast. It hunts for new contacts any time a user opens the app, under the pretense that it is helping connect with their friends, much like how Instagram flags Facebook friends. It has access to users’ microphones, cameras, calendar and other phone data. Even its name is an apparent play on the popular Chinese app TikTok.

It Seemed Like a Popular Chat App. It’s Secretly a Spy Tool.

Google workers sidestepping controversial Chrome tool sparks security worries

Internet Privacy in the Age of Surveillance

Apple sold out kids' privacy yesterday under the guise of 'screen time' apps

Researchers Find Google Play Store Apps Were Actually Government Malware