A report published by the New York Times on Sunday described a smartphone messaging app called ToTok as a spying tool deployed by the government of the United Arab Emirates (UAE) to monitor the movements of its citizens and listen to their conversations.
ToTok is widely used in the UAE because the government has wholly or partially blocked messaging applications popular in the rest of the world. The program’s advertised features include “secure” messaging and telephone calls, in the manner of encrypted messaging systems like Telegram or WhatsApp.
ToTok specifically advertises itself as a means of getting around Internet restrictions imposed by the Emirati government without requiring the use of a virtual private network (VPN), a somewhat finicky arrangement often used by the citizens of repressive states to bypass government firewalls.
While most of its users live in the UAE, ToTok has grown in popularity around the world since its release in July, including in the United States, where it had been downloaded by over half a million people as of Sunday. After the NYT report broke, tech websites in the Western world advised their readers to uninstall ToTok as quickly as possible. Popular download sites like Google Play and the Apple Store stopped offering the app late last week.
The NYT employed both private analysts and U.S. government intelligence information to conclude that ToTok is monitoring both the text messages and voice phone calls of users, as well as tracking their location, and feeding the data back to Emirati intelligence agencies. The app appears to have been developed by cybersecurity and data-analysis firms linked to the UAE government and distributed through a front company called Breej Holding.
The novel twist of the ToTok spyware saga is that ToTok does not try all that hard to pretend it isn’t spyware. Its code is not viral, and the NYT found no evidence that it sabotages users’ telephones. It asks for permission to access all of the data it tracks, including the user’s camera, calendar, contacts, and microphone. Its end-user license agreement – which few users would read at all, never mind examine carefully – mentions that its data could be shared with “law enforcement” and “regulatory agencies.”
There was no official response to the NYT article from ToTok’s makers or the Emirati government as of Monday morning, although ToTok posted a brief statement claiming it was “temporarily unavailable” from the Google and Apple download stores due to a “technical issue.”
“While the existing ToTok users continue to enjoy our service without interruption, we would like to inform our new users that we are well engaged with Google and Apple to address the issue,” ToTok said, noting that the app can still be downloaded from hardware manufacturers such as Samsung and Huawei.