It Seemed Like a Popular Chat App. It’s Secretly a Spy Tool.

Spokesmen for the C.I.A. and the Emirati government declined to comment. Calls to a phone number for Breej Holding rang unanswered, and Pax employees did not respond to emails and messages. An F.B.I. spokeswoman said that “while the F.B.I. does not comment on specific apps, we always want to make sure to make users aware of the potential risks and vulnerabilities that these mechanisms can pose.” When The Times initially contacted Apple and Google representatives with questions about ToTok’s connection to the Emirati government, they said they would investigate. On Thursday, Google removed the app from its Play store after determining ToTok violated unspecified policies. Apple removed ToTok from its App Store on Friday and was still researching the app, a spokesman said. ToTok users who already downloaded the app will still be able to use it until they remove it from their phones.
It was unclear when American intelligence services first determined that ToTok was a tool of Emirati intelligence, but one person familiar with the assessment said that American officials have warned some allies about its dangers. It is not clear whether American officials have confronted their counterparts in the Emirati government about the app. One digital security expert in the Middle East, speaking on the condition of anonymity to discuss powerful hacking tools, said that senior Emirati officials told him that ToTok was indeed an app developed to track its users in the Emirates and beyond.
ToTok appears to have been relatively easy to develop, according to a forensic analysis performed for The Times by Patrick Wardle, a former National Security Agency hacker who works as a private security researcher. It appears to be a copy of a Chinese messaging app offering free video calls, YeeCall, slightly customized for English and Arabic audiences. ToTok is a cleverly designed tool for mass surveillance, according to the technical analysis and interviews, in that it functions much like the myriad other Apple and Android apps that track users’ location and contacts.
On the surface, ToTok tracks users’ location by offering an accurate weather forecast. It hunts for new contacts any time a user opens the app, under the pretense that it is helping connect with their friends, much like how Instagram flags Facebook friends. It has access to users’ microphones, cameras, calendar and other phone data. Even its name is an apparent play on the popular Chinese app TikTok.

Similar Articles:

Google workers sidestepping controversial Chrome tool sparks security worries

Google workers sidestepping controversial Chrome tool sparks security worries

Internet Privacy in the Age of Surveillance

Internet Privacy in the Age of Surveillance

Apple sold out kids' privacy yesterday under the guise of 'screen time' apps

Apple sold out kids' privacy yesterday under the guise of 'screen time' apps

Researchers Find Google Play Store Apps Were Actually Government Malware

Researchers Find Google Play Store Apps Were Actually Government Malware