ToTok

Overview

Open-source security group Objective-See discovered a massively popular mobile chat app for iOS and Android that was built by the United Arab Emirates to “track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.” Built on top of Chinese chat app YeeCall, the app didn’t break Apple or Google developer guidelines, asking only permissions available to most developers. That said, the app enables broad surveillance of millions of users around the world.

Heavy governmental restrictions on apps like Skype and WhatsApp, drove mobile users in the UAE to download ToTok, which conveniently was both free and more reliable. With unlimited voice and video calling, as well as secure messaging, it was incredibly attractive to millions of Emiratis, and most recently millions of users outside the UAE.

‍

How Does it Work?

ToTok asked for permission to access the microphone, calendar, location, photos, contacts, Siri integration, and camera, which all seemed legitimate since they mirror the permissions of popular chat apps. This demonstrates a new direction for surveillance programs. The app explicitly asks for permissions, but doesn't abuse these permissions, instead it relies on organic user activity in order to achieve their surveillance goals. Using permissions available to iOS and Android developers, ToTok is a good example of how threat actors can leverage mobile devices for unrivaled surveillance programs.