A popular smartphone chatting application used by millions of people in the United Arab Emirates and elsewhere was reportedly built by the UAE government to spy on the communications of its citizens.
This is according to a report by The New York Times, which cites classified briefings from U.S. intelligence officials, and its own analysis of the application. As well as being popular across the Middle East, Europe, Asia and North Africa, ToTok also became one of the most downloaded social apps in the U.S. last week.
It has since been removed from the Apple iOS App Store and Google Play Store — something those behind the app now say is due to a "technical issue," which they believe can be addressed.
Part of ToTok's sudden rise in popularity in the UAE is because it promised free and secure messaging and calls in a country where WhatsApp and Skype are partially blocked by the government.
The app was also used by citizens to share photos and videos with each other in what they thought were private conversations, and to make friends aware of their precise location.
First released on July 27, ToTok quickly grew in popularity because it offered a messaging platform which required no workaround or the use of a VPN to work — unlike other messaging apps used in the UAE. This resulted in the app gaining many positive review scores from its users, boosting its ranking in the Apple and Google app stores and bolstering its apparent legitimacy.
A letter addressing its users was published on ToTok's website today, December 23. In it, the company describes the report from The New York Times as "rumors" and claims the app has been removed from Apple and Google's app stores due to "a technical issue." The company claims it is "well engaged with Google and Apple to address the issue."
With regard to the protection of user data, ToTok said: "Furthermore, we equipped ToTok with such high-security standards as AES256, TLS/SSL, RSA and SHA256, to diligently protect the user data. We also implemented a privacy framework that complies with the local and international legal requirements to safeguard our users at all times."
ToTok suggests users of Samsung, Huawei, Xiaomi and Oppo phones download the app from the manufacturers' own app stores, but given the Times' report, we would strongly advise against doing that.
According to The New York Times, ToTok convinced users the app was genuine by saying it needed to know the user's exact location to help give them a local weather forecast. Like other chatting apps, ToTok asks for permission to access the user's microphones, photos, camera and contacts. The app also runs constantly in the background when closed by the user.
The app fundamentally works as described — it provides a free chatting service like WhatsApp — but what the app hasn't disclosed is who is able to access the content pouring into its servers every time messages are sent between users.
Naturally, all smartphone owners are urged to uninstall ToTok immediately, and tell everyone they know who uses the app to do the same.
Although ToTok describes itself as being a "fast and secure calling and messaging app," it does not specifically mention end-to-end encryption, which is what other apps like WhatsApp use to ensure conversations between users are kept private.
According to the news story, the company behind ToTok is called Breej Holding, and this is most likely a front for DarkMatter, a cybersecurity and intelligence firm based in Abu Dhabi. DarkMatter is said to include Emirati intelligence officers, former National Security Agency workers, and former Israeli military intelligence operatives among its staff.
The app is also believed to be linked to Pax AI, a data mining firm also based in Abu Dhabi, which until recently shared its officers with the Emirates' Signals Intelligence Agency.