The year 2019 saw a rise in the use of ToTok, a popular chat app that attracted millions of users in the UAE. However, it turns out ToTok might just be more than a chat app. A new report published by The New York Times has revealed that the popular messaging app is actually a government spying tool created by the United Arab Emirates government to track and collect personal data of millions of users for intelligence purposes.
The app was launched earlier this year and became popular in UAE due to a ban on popular IMs like WhatsApp and Skype. While users can download and send messages using IMs, VoIP is blocked on all the apps. This is where ToTok came into play. The app offered free voice and video calling in the UAE and became popular among UAE citizens. The app even spread out to countries like the US and UK as users jumped on board in other countries. The NYT cited classified security briefings from the US intelligence officials and its own analysis to come to the conclusion. According to security researcher Patrick Wardle, by using the app to share images, videos and even their locations, users were sharing data directly with Emirati intelligence.
There is a beauty in this approach. You don’t need to hack people to spy on them if you can get people to willingly download this app to their phone. By uploading contacts, video chats, location, what more intelligence do you need?
– Patrick Wardle
The NYT also reported that ToTok’s parent company Breej Holding is most likely a shell company for Abu Dhabi-based cybersecurity firm DarkMatter. Not only that but the app is also connected to the UAE data-mining firm Pax AI which shares its offices with the Emirates’ signals intelligence agency.
None of the companies named in the report or the UAE government has commented on the whole matter but both Google and Apple have pulled the app from their respective mobile app stores. The NYT reached out to FBI who refused to comment on the situation but a spokesperson for the agency said, “While the FBI does not comment on specific apps, we always want to make sure to make users aware of the potential risks and vulnerabilities that these mechanisms can pose.”