A chat app that quickly became popular in the United Arab Emirates for communicating with friends and family is actually a spying tool used by the government to track its users, according to a newspaper report.
The government uses ToTok to track conversations, locations, images and other data of those who install the app on their phones, the New York Times reported, citing U.S. officials familiar with a classified intelligence assessment and the newspaper’s own investigation.
The Emirates has long blocked Apple’s FaceTime, Facebook’s WhatsApp and other calling apps. Emirati media have been playing up ToTok as an alternative for expatriates living in the country to call home to their loved ones for free.
The Times says ToTok is a few months old and has been downloaded millions of times, with most of its users in the Emirates, a U.S.-allied federation of seven sheikdoms on the Arabian Peninsula.
Government surveillance in the Emirates is prolific, and the Emirates long has been suspected of using so-called zero-day exploits to target human rights activists and others.
Zero-day exploits can be expensive to obtain on the black market because they represent software vulnerabilities for which fixes have yet to be developed.
The Times described ToTok as a way to give the government free access to personal information, as millions of users are willingly downloading and installing the app on their phones and blindly giving permission to enable features.
As with many apps, ToTok requests location information, purportedly to provide accurate weather forecasts, according to the Times. It also requests access to a phone’s contacts, supposedly to help users connect with friends. The app also has access to microphones, cameras, calendar and other data.
A security expert who said he analyzed the app for the Times, Patrick Wardle, said that ToTok “does what it claims to do” as a communications app, which is the “genius” of the app if it is being used as a spy tool. “No exploits, no backdoors, no malware,” he wrote in a blog post. The app is able to gain insights on users through common functions.
In a blog post Monday, ToTok did not respond directly to Sunday’s Times report, but said that with “reference to the rumors circulated today about ToTok,” the one goal of the app’s creators was to create a reliable, easy-to-use communications platform. The post said ToTok had high-security standards to protect user data and a privacy framework that complied with local and international legal requirements.
ToTok said the app was temporarily unavailable in the app stores from Google and Apple because of a “technical issue.”
The Times says that based on a technical analysis and interviews with security experts, the company behind ToTok, Breej Holding, is most likely affiliated with DarkMatter, an Emirati cybersecurity company that has hired former CIA and National Security Agency analysts and has close business ties to the Emirati government.
Emails sent to ToTok through its website and to the Emirates’ embassy in Washington were not immediately returned.