A popular UAE messaging app has reportedly been used by the country's government to spy on its population. This app, called ToTok, passed all the usual Google Play and Apple App Store checks. Huawei even promoted it via social media.
On its Huawei Mobile Services MENA Facebook page, which has over 1.8 million likes, the Chinese mobile handset maker ostensibly endorsed it via a glowing post with the hashtag "#AppsMustHave."
"Stay connected anywhere, anytime with ToTok Messenger," it said in both English and Arabic. "ToTok will provide you with unlimited calls, whether voice or video calling all are FREE. Download NOW."
The post directs users to ToTok's download page on the Huawei App Gallery. At the time of writing, ToTok was still available to download from Huawei's fledgling app marketplace.
Earlier today, Apple announced it had removed ToTok from the App Store. Although Google has yet to formally announce it has removed ToTok from the Play Store, the app didn't appear in any searches when we checked this morning. This suggests Mountain View has already taken action.
To be fair, there is no reason to suspect foul play on the part of Huawei. ToTok took great pains to appear as a legitimate mobile application. There was never anything obvious that would lead someone to suspect that it was a tool for state-sponsored mass surveillance.
That said, it's a painful reminder that endorsing any product is not without an element of risk, particularly for purveyors of application marketplaces.
The New York Times broke the story, and assisting the paper with its investigation into ToTok was Patrick Wardle, a former NSA employee, and current security researcher at Jamf. He published a technical analysis of the app, which showed that it was largely a re-badged version of YeeCall — an existing messaging platform — rather than a bespoke new product.
By delving into the code, Wardle found ToTok was configured to run continuously in the background. Via its permissions, it had access to the microphone, location, and camera. While these are required for ToTok’s legitimate functionality, they also could be used to remotely spy on an individual.
Wardle also raised doubts about the existence of the developer, Breej Holding Ltd, which he believes to be a front company for the Abu Dhabi-based digital intelligence firm Dark Matter, and highlighted a bevy of suspicious reviews designed to raise ToTok’s profile.
ToTok regularly ranked among the most popular apps within the United Arab Emirates, and was gradually building an international cadre of users. According to SensorTower, it had over 600,000 downloads across iOS and Android during November.
This popularity is presumably due to the local government's policy of banning most VoIP services — including Skype and WhatsApp calls. The government also forced local network providers to block VPNs, which allow users to circumvent internet restrictions.
By removing the international competition, the Emirates was able to swoop in with its own domestically approved alternative. This quickly found a fertile market.
The Register has asked Huawei for comment. If we hear back from it, we'll update this post. ®