One of the latest messaging apps to be released, ToTok, seems to have come with a nasty sting in its tail. This app, which is hugely popular in the United Arab Emirates, but has seen many users in the US download it was well, was found to contain more than users bargained for. American Intelligence Officials have recently classified the app as a spying tool as it was discovered that the United Arab Emirates government could read every message, see every photo and monitor every sound uttered within earshot of the phone.

Uncovering the Truth

The app has risen to fame, quickly being one of the most downloaded apps in the US last week. Homegrown instant messaging apps are hugely popular in Middle Eastern countries, where the most popular apps like WhatsApp and Skype are blocked, so any app that is permitted rises in popularity at a fast pace. It allows users all over the globe to connect with those in the Middle East easily and quickly. American Intelligence Officials are always quick to analyse new apps that come out and revealed that the app contained code that allowed information to flow back to government officials in the UAE. The app was released on both the Play Store and the Apple App Store a few months ago. Both Apple and Google followed up on suspicious information regarding the app, and it was withdrawn from both stores following an investigation, with Google stating that the app was withdrawn for violating various unspecified policies.

Digital Arms Race

This app is just the latest in what is fast becoming a digital arms race in the Middle East as governments are increasingly turning to hacking and digital espionage. Saudi Arabia, Qatar and the United Arab Emirates have all previously been linked with hiring private firms to not only hack into foreign citizens devices, but even their own citizens in an attempt gather intelligence. The development of apps like ToTok shows that governments can cut out an intermediary to spy directly on their targets, who are complicit, even if unknowingly, in sharing information. By getting technology embedded on the targets device it allows a wide range of information to be captured by the government.

Following the Links

The firm behind the ToTok app is Breej Holding. This is most likely a front company for DarkMatter. DarkMatter is a cyber-intelligence and hacking firm that is staffed with former Emirati intelligence officials, as well as NSA officials and members of the Israeli intelligence service. The FBI has already been investigating DarkMatter and is looking at any companies that have ties to it. This includes a UAE-based data-mining firm called PAX AI. It also appears that PAX AI had ties to the ToTok app, in fact the company operates from the same building as the Emirates intelligence service. This was also the former location of the headquarters of DarkMatter. The UAE has close ties to the US, and it is seen as one of its best allies in the Middle East particularly against countries such as Iran. To the US, the UAE is seen as a bastion of anti-terrorism.

A Modern Arab Country

The UAE has recently seen efforts to promote itself as a modern, forward-thinking and progressive Arab country. However, this hasn’t always been successful. Whilst the ruling family tries to reinforce this image it has also been implicated in using surveillance to crack down on dissidents. This includes hacking the accounts of journalists, draining the bank accounts of critics and holding human rights activists in solitary confinement because of Facebook posts. Embracing modern technology like smartphones and messaging apps is part of this effort. Though it becomes clear that it is a double-edged sword when things like the ToTok app come to light. The banning of the most popular apps such as Skype forces people to look for alternate apps in order to be able to communicate with the world which leads to the rise of apps with embedded spying technology.

Simple Development

Apps like ToTok seem to be relatively easy to develop and embed with hacking and spying technology. On the surface, it functions much like every other Apple or Google app interacting with the user’s location and contacts by granted permissions. ToTok invites users to grant permission to locations with the promise or providing an accurate weather map. This is true, but once the permission is granted it can be used for any purpose. It also scans all contacts anytime the app is opened under the guise of allowing users to connect with their friends easier by ‘checking’ to see if their contacts have installed the app. This is similar in function to other genuine apps like Instagram and Facebook, and so isn’t seen as anything sinister by innocent users. Once installed the app has access to the microphone, camera, calendar and lots of other phone data. The name of the app appears to have been deliberately chosen to mimic that of the popular Chinese app TikTok. The ToTok app was even promoted by Chinese firm Huawei.

Final Thoughts

One thing that was clear with the ToTok app was that it didn’t support end-to-end encryption which apps like WhatsApp support. The only reference to personal data in the apps privacy policy was that it ‘may share data with group companies’ which is disconcertingly vague. There is beauty in an approach like this. Instead of paying a company to hack a targets phone, which can cost up to $2.5 million per target apparently, they can just get the individual to download an app and it does the spying for them. The lure of getting something for nothing encourages users to give away their privacy without fully realising the ramifications of doing so. When a user’s whole life is run from a single digital device it makes the world of spying so much easier. It isn’t just governments that are using data from mobile phones to track users, it has been previously shown that many big companies are tracking the minute-by-minute usage of their customer’s phones.