UAE Government Allegedly Built App to Spy on Citizens; Rival Offerings Banned
ToTok as it appeared on the Apple App Store before being removed
Apple and Google have stopped distributing a messaging app called ToTok over allegations that it’s a government-built surveillance tool.
Not to be confused with China’s TikTok, ToTok is a voice and video chat app developed by Breej Holding in United Arab Emirates and marketed to English- and Arabic-speaking audiences. App-tracking site App Annie last week listed ToTok as being one of the most-downloaded apps in the United States.
But on Sunday, based in part on information provided by U.S. intelligence agencies, The New York Times reported that Breej “is most likely a front company affiliated with DarkMatter, an Abu Dhabi-based cyber intelligence and hacking firm where Emirati intelligence officials, former National Security Agency employees and former Israeli military intelligence operatives work.”
In addition, it said that intelligence reports and technical analyses had tied ToTok to Pax AI, a data mining firm that also appears to have ties to DarkMatter. Both DarkMatter and Pax AI, as well as the Emirati signals intelligence agency, have office space in the Aldar Building in Abu Dhabi, the Times reports.
The UAE government didn’t immediately respond to a request for comment on the allegations.
Rival Offerings Blocked by UAE Government
But the “genius” of the alleged “mass surveillance operation,” as security researcher Patrick Wardle has put it, is that for anyone inside UAE, ToTok is the only messaging game in town. That’s because the government has banned rival offerings from the likes of WhatsApp and Skype, and outlawed the use of VPN services to bypass those restrictions.
Allegedly, the UAE government also commissioned numerous reviews for the app on both Apple and Google’s app stores, to stoke interest. And by last week, the app was listed as being one of the top “trending” messaging apps in Dubai.
“Finally a VoIP application which works in UAE. Hopefully it starts this way. The voice and video clarity is simply amazing!! Thanks a lot ToTol and TRA of UAE,” reads a review by “Mustafa Abdul Ahad” posted to Google Play on Dec. 17.
ToTok is widely referenced as being a “legal” option for UAE users (Source: Patrick Wardle)
After receiving inquiries from Times reporters, Google withdrew ToTok from its app store on Thursday, and Apple removed it on Friday.
“We take reports of security and privacy violations seriously,” a Google spokeswoman tells Information Security Media Group. “If we find behavior that violates our policies, we take action.”
Before removing the app for download, Google Play Store listed it as having been downloaded 5 million times. Google declined to comment further on precisely why it removed the app.
Apple didn’t immediately respond to a request for comment, including whether it might employ its “kill switch” ability to nuke the app from every iOS device on which it’s running.
Users who have already downloaded the app, however, can continue to use it on iOS and Android devices. The CIA and Britain’s National Cyber Security Center – part of intelligence agency GCHQ – did not immediately respond to a request for comment over the danger that continuing to use the app might pose to American or British users.
ToTok Blames ‘Technical Issue’
On Monday, ToTok confirmed in a blog post that said that “ToTok is temporarily unavailable” for downloading via Google Play Store and Apple App Store “due to a technical issue.”
The blog post noted that current users can continue to use the app. “For our new users with Samsung, Huawei, Xiaomi and Oppo phones, ToTok is available in the phone maker’s app store,” it said. “All other Android users can install the ToTok app from our official website as a temporary solution.”
But the app may behave as advertised, according to Wardle, the aforementioned security researcher, who formerly worked as an NSA hacker. He’s published a technical analysis of ToTok, saying that he’d been approached by Times reporters to help them investigate the app.
Wardle, who’s now a security researcher at software firm Jamf, notes that the iOS version of the app requires approval from users to be able to access the microphone, camera and various pieces of user information – including photos and location – but that “such access is required for ‘legitimate’ functionality of the app, and thus, most users will allow.”
Permissions demanded for iOS version of ToTok (source: Patrick Wardle)
Wardle says that based on strings embedded in the ToTok code, the app appears to be a modified version of a Chinese video and voice calling app called YeeCall. “It is rather unsurprising that ToTok is simply based on existing code [or] a product,” he says, as opposed to being “written entirely from scratch.”
The technical teardown published by Wardle shows that the app performs how a messaging app would be expected to perform, including the app having the ability to access a user’s complete contacts, text and video chats and location.
But he says that’s the “genius” of the UAE government having allegedly enticed its citizens to use a free messaging app, in a self-surveillance turn.
“Our analysis showed that ToTok simply does what it claims to do and really nothing more,” he says. “Assuming the claims that ToTok is actual designed to spy on its users, this ‘legitimate’ functionality … is really the genius of the whole mass surveillance operation: no exploits, no backdoors, no malware. Again, just ‘legitimate’ functionality that likely afforded in-depth insight into a large percentage of the country’s population.”
The allegations in the Times report follow Reuters reporting in January that former NSA employees had gone to work for DarkMatter as part of an effort initially codenamed “Project Raven.” But some of the ex-NSA employees later sounded an alarm to the FBI over the UAE government’s DarkMatter activities. The Times reports that the FBI is now investigating some American employees of DarkMatter for potentially violating cybercrime laws.
The FBI didn’t immediately respond to a request for comment.