Messaging app ToTok is reportedly a spying tool for the UAE

Jon Fingas
Associate Editor
REUTERS/Hamad I Mohammed

It's no secret that some messaging apps are favored by authoritarians, but one app may be explicitly designed with spying in mind. Unnamed US officials speaking to the New York Times say that the chat app ToTok is believed to be a surveillance tool for the United Arab Emirates. According to a classified intelligence report, the UAE uses ToTok to follow users' conversations, track locations (under the guise of weather), determine social connections and look at media. Most of the app's millions of users live in the UAE, but it's popular elsewhere in the world and has seen a surge of demand in the US.

There appear to have been attempts to cover up ToTok's roots. It's officially developed by Breej Holding, but that's believed to be a front for DarkMatter, a cyberintelligence company run by UAE intelligence officials and former operatives from the NSA and Israeli military intelligence. The software is also tied to Pax AI, a data mining company linked to DarkMatter that operates from the same building as the UAE's signals intelligence agency (shown above) -- and a place DarkMatter called home until recently. The software itself is believed to be a lightly modified clone of a Chinese app, YeeCall.

Breej, the UAE and the CIA have declined to comment. The FBI said it wouldn't comment on a particular app, but stressed that it wants users to be conscious of the "potential risks and vulnerabilities" that apps can pose.

Both Apple and Google have pulled ToTok from their respective app stores. Google said the app violated unnamed policies, while Apple explained that it was still researching the chat client. However, the damage might already be done, since hordes of people already have the app. The tactic is also disconcerting by its very nature. If this is accurate, the UAE effectively convinced millions of people to hand over their information to spies without a fight. It underscores the importance of using encrypted apps -- they not only keep outside intruders away, they often prevent developers themselves from tracking your activity.