A United Arab Emirates (UAE) messaging app which is popular in the United States is being used as a spying tool to track the activities of those who download it, according to a new report.
Last week, the messaging app ToTok, which claims to provide “fast and secure” communication via video or text message, became one of the most downloaded messaging apps on Google’s and Apple’s app stores, attracting millions of users from a nation which has partially blocked Western messaging apps such as WhatsApp and Skype.
Despite its users largely being Emiratis, the messaging app has surged in popularity in the United States—especially with teenagers—since its introduction just months ago. ToTok also serves millions of users in Europe, Africa, Asia, and the Middle East.
Citing classified briefings from U.S. intelligence officials and its own findings, The New York Times found that the firm behind ToTok, Breej Holding, is likely a front company linked to DarkMatter, an Abu Dhabi-based cyberintelligence and hacking firm.
DarkMatter, which is reportedly under FBI investigation, employs former National Security Agency staff, Emirati intelligence officials, and former Israeli military intelligence operatives. ToTok was also linked to an Abu Dhabi-based data-mining firm, Pax AI, which appears to have ties with Dark Matter, The New York Times found.
The messaging app has been removed from both the Play Store and App Store by Google and Apple after it was found it violated unspecified policies.
“While the FBI does not comment on specific apps, we always want to make sure to make users aware of the potential risks and vulnerabilities that these mechanisms can pose,” the FBI told The New York Times.
A tool cleverly designed for mass surveillance, ToTok tracks the movements of its users by offering an accurate weather forecast. It also encourages its users to share contacts whenever the app is opened, claiming to help the user connect with their friends. The messaging app also has access to phone data, users’ microphones, cameras, and calendars.
Patrick Wardle, a former National Security Agency hacker who works as a private security researcher at software company Jamf, told The New York Times the Emirati spy tool spies on its users by accessing its users’ troves of personal information.
“There is a beauty in this approach,” said Wardle. “You don’t need to hack people to spy on them if you can get people to willingly download this app to their phone. By uploading contacts, video chats, location, what more intelligence do you need?”
Intelligence analysts are able to analyze the contacts and calls of its ToTok users to look for patterns, Wardle said.
It is not yet clear whether the messaging app allows the Emiratis to record the app’s users’ video or audio calls.
